From 77897d4efad074d9434a97a67052bc788c315dee Mon Sep 17 00:00:00 2001 From: cash Date: Sun, 15 May 2011 19:38:49 +0000 Subject: Refs #3453 an implementation of creating the data directory. This capability is turned off due to security concerns. git-svn-id: http://code.elgg.org/elgg/trunk@9088 36083f99-b078-4883-b0ff-0f9b5a30f544 --- install/ElggInstaller.php | 85 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 79 insertions(+), 6 deletions(-) (limited to 'install/ElggInstaller.php') diff --git a/install/ElggInstaller.php b/install/ElggInstaller.php index 6b8b8d747..1a8edf1ae 100644 --- a/install/ElggInstaller.php +++ b/install/ElggInstaller.php @@ -2,7 +2,27 @@ /** * Elgg Installer. - * Controller for installing Elgg. + * Controller for installing Elgg. Supports both web-based on CLI installation. + * + * This controller steps the user through the install process. The method for + * each step handles both the GET and POST requests. There is no XSS/CSRF protection + * on the POST processing since the installer is only run once by the administrator. + * + * The installation process can be resumed by hitting the first page. The installer + * will try to figure out where to pick up again. + * + * All the logic for the installation process is in this class, but it depends on + * the core libraries. To do this, we selectively load a subset of the core libraries + * for the first few steps and then load the entire engine once the database and + * site settings are configured. In addition, this controller does its own session + * handling until the database is setup. + * + * There is an aborted attempt in the code at creating the data directory for + * users as a subdirectory of Elgg's root. The idea was to protect this directory + * through a .htaccess file. The problem is that a malicious user can upload a + * .htaccess of his own that overrides the protection for his user directory. The + * best solution is server level configuration that turns off AllowOverride for the + * data directory. See ticket #3453 for discussion on this. * * @package Elgg.Core * @subpackage Installer @@ -32,6 +52,9 @@ class ElggInstaller { * Constructor bootstraps the Elgg engine */ public function __construct() { + // load ElggRewriteTester as we depend on it + require_once(dirname(__FILE__) . "/ElggRewriteTester.php"); + $this->isAction = $_SERVER['REQUEST_METHOD'] === 'POST'; $this->bootstrapConfig(); @@ -140,7 +163,6 @@ class ElggInstaller { $params['password1'] = $params['password2'] = $params['password']; if ($createHtaccess) { - require_once(dirname(__FILE__) . "/ElggRewriteTester.php"); $rewriteTester = new ElggRewriteTester(); if (!$rewriteTester->createHtaccess($CONFIG->path)) { throw new InstallationException(elgg_echo('install:error:htaccess')); @@ -355,7 +377,6 @@ class ElggInstaller { protected function settings($submissionVars) { global $CONFIG; - $languages = get_installed_translations(); $formVars = array( 'sitename' => array( 'type' => 'text', @@ -389,8 +410,19 @@ class ElggInstaller { ), ); + // if Apache, we give user option of having Elgg create data directory + //if (ElggRewriteTester::guessWebServer() == 'apache') { + // $formVars['dataroot']['type'] = 'combo'; + // $CONFIG->translations['en']['install:settings:help:dataroot'] = + // $CONFIG->translations['en']['install:settings:help:dataroot:apache']; + //} + if ($this->isAction) { do { + //if (!$this->createDataDirectory($submissionVars, $formVars)) { + // break; + //} + if (!$this->validateSettingsVars($submissionVars, $formVars)) { break; } @@ -709,6 +741,11 @@ class ElggInstaller { session_name('Elgg'); session_start(); elgg_unregister_event_handler('boot', 'system', 'session_init'); + } else if ($stepIndex == ($settingsIndex + 1)) { + // now using Elgg session handling so need to pass forward the system messages + session_name('Elgg'); + session_start(); + $messages = $_SESSION['msg']; } if ($stepIndex > $dbIndex) { @@ -751,6 +788,11 @@ class ElggInstaller { elgg_trigger_event('boot', 'system'); elgg_trigger_event('init', 'system'); + + // @hack finish the process of pushing system messages into new session + if ($stepIndex == ($settingsIndex + 1)) { + $_SESSION['msg'] = $messages; + } } } @@ -1025,8 +1067,6 @@ class ElggInstaller { protected function checkRewriteRules(&$report) { global $CONFIG; - require_once(dirname(__FILE__) . "/ElggRewriteTester.php"); - $tester = new ElggRewriteTester(); $url = elgg_get_site_url() . "rewrite.php"; $report['rewrite'] = array($tester->run($url, $CONFIG->path)); @@ -1220,6 +1260,39 @@ class ElggInstaller { * Site settings support methods */ + /** + * Create the data directory if requested + * + * @param array $submissionVars Submitted vars + * @param array $formVars Variables in the form + * @return bool + */ + protected function createDataDirectory(&$submissionVars, $formVars) { + // did the user have option of Elgg creating the data directory + if ($formVars['dataroot']['type'] != 'combo') { + return TRUE; + } + + // did the user select the option + if ($submissionVars['dataroot'] != 'dataroot-checkbox') { + return TRUE; + } + + $dir = sanitise_filepath($submissionVars['path']) . 'data'; + if (file_exists($dir) || mkdir($dir, 0700)) { + $submissionVars['dataroot'] = $dir; + if (!file_exists("$dir/.htaccess")) { + $htaccess = "Order Deny,Allow\nDeny from All\n"; + if (!file_put_contents("$dir/.htaccess", $htaccess)) { + return FALSE; + } + } + return TRUE; + } + + return FALSE; + } + /** * Validate the site settings form variables * @@ -1239,7 +1312,7 @@ class ElggInstaller { } } - // check that data root is writable + // check that data root exists if (!file_exists($submissionVars['dataroot'])) { $msg = elgg_echo('install:error:datadirectoryexists', array($submissionVars['dataroot'])); register_error($msg); -- cgit v1.2.3