fix: address code review — Apache 2.4 htaccess, browseDir traversal, SQL cast
- Update .htaccess content to support both Apache 2.4 (Require all denied) and Apache 2.2 (Order deny,allow) in all four locations - Guard browseDir parent navigation to prevent escaping allowed boundaries - Add explicit (int) cast on viewLog SQL query for defense-in-depth
@@ -136,10 +136,21 @@ class AjaxController extends BaseController
|
||||
|
||||
$parent = dirname($path);
|
||||
|
||||
// Ensure parent is still within allowed boundaries
|
||||
$parentAllowed = false;
|
||||
|
||||
if ($parent !== $path) {
|
||||
if ($jRoot !== false && strpos($parent, $jRoot) === 0) {
|
||||
$parentAllowed = true;
|
||||
} elseif ($homeDir !== '' && strpos($parent, $homeDir) === 0) {
|
||||
$parentAllowed = true;
|
||||
}
|
||||
}
|
||||
|
||||
$response = [
|
||||
'error' => false,
|
||||
'current' => $path,
|
||||
'parent' => ($parent !== $path) ? $parent : null,
|
||||
'parent' => $parentAllowed ? $parent : null,
|
||||
'dirs' => $dirs,
|
||||
];
|
||||
|
||||
@@ -174,7 +185,7 @@ class AjaxController extends BaseController
|
||||
$query = $db->getQuery(true)
|
||||
->select($db->quoteName(['absolute_path', 'log']))
|
||||
->from($db->quoteName('#__mokojoombackup_records'))
|
||||
->where($db->quoteName('id') . ' = ' . $id);
|
||||
->where($db->quoteName('id') . ' = ' . (int) $id);
|
||||
$db->setQuery($query);
|
||||
$record = $db->loadObject();
|
||||
|
||||
|
||||
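Review bot: The boundary guard added in the browseDir hunk is a bare prefix test — `strpos($parent, $jRoot) === 0` also accepts any sibling directory whose name merely begins with the root string (`/srv/site` versus `/srv/site-old`), and the `$homeDir` branch has the same weakness. Compare against the root itself or the root followed by a separator, e.g. `$root = rtrim($jRoot, '/');` then `$parentAllowed = ($parent === $root) || str_starts_with($parent, $root . '/');`, and likewise for `$homeDir`. Whether `$path`, `$jRoot` and `$homeDir` are already realpath-resolved is not visible, since the enclosing method and all three variables are defined outside the hunk; if they are not, `dirname()` on an unresolved path can yield a parent that differs from the on-disk one. In the viewLog hunk the `(int)` cast is sound, but if the query object supports it, binding the value (`->where($db->quoteName('id') . ' = :id')->bind(':id', $id, ParameterType::INTEGER)`) keeps it out of the SQL string entirely.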
@@ -530,7 +530,7 @@ class BackupEngine
|
||||
$htaccess = $dir . '/.htaccess';
|
||||
|
||||
if (!is_file($htaccess)) {
|
||||
if (@file_put_contents($htaccess, "Order deny,allow\nDeny from all\n") === false) {
|
||||
if (@file_put_contents($htaccess, "# Apache 2.4+\n<IfModule mod_authz_core.c>\n Require all denied\n</IfModule>\n# Apache 2.2\n<IfModule !mod_authz_core.c>\n Order deny,allow\n Deny from all\n</IfModule>\n") === false) {
|
||||
error_log('MokoJoomBackup: Could not create .htaccess in backup directory: ' . $dir);
|
||||
}
|
||||
}
|
||||
|
||||
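Review bot: The new .htaccess body is only written when `!is_file($htaccess)`, so backup directories created by earlier versions keep the 2.2-only `Order deny,allow` content and never receive the `Require all denied` block; the same applies to the SteppedBackupEngine and ProfileTable hunks. Consider also rewriting when the existing file lacks the 2.4 directive, e.g. `if (!is_file($htaccess) || !str_contains((string) @file_get_contents($htaccess), 'Require all denied')) {`. The same nine-line string now appears verbatim in four places (the installer script included); a single shared class constant would keep the copies from drifting apart the next time the directive set changes. The enclosing method starts and ends outside the hunk.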
@@ -572,7 +572,7 @@ class SteppedBackupEngine
|
||||
$htaccess = $dir . '/.htaccess';
|
||||
|
||||
if (!is_file($htaccess)) {
|
||||
if (@file_put_contents($htaccess, "Order deny,allow\nDeny from all\n") === false) {
|
||||
if (@file_put_contents($htaccess, "# Apache 2.4+\n<IfModule mod_authz_core.c>\n Require all denied\n</IfModule>\n# Apache 2.2\n<IfModule !mod_authz_core.c>\n Order deny,allow\n Deny from all\n</IfModule>\n") === false) {
|
||||
error_log('MokoJoomBackup: Could not create .htaccess in backup directory: ' . $dir);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -65,7 +65,7 @@ class ProfileTable extends Table
|
||||
$htaccess = $resolved . '/.htaccess';
|
||||
|
||||
if (!is_file($htaccess)) {
|
||||
if (@file_put_contents($htaccess, "Order deny,allow\nDeny from all\n") === false) {
|
||||
if (@file_put_contents($htaccess, "# Apache 2.4+\n<IfModule mod_authz_core.c>\n Require all denied\n</IfModule>\n# Apache 2.2\n<IfModule !mod_authz_core.c>\n Order deny,allow\n Deny from all\n</IfModule>\n") === false) {
|
||||
error_log('MokoJoomBackup: Could not create .htaccess in: ' . $resolved);
|
||||
}
|
||||
}
|
||||
|
||||
+1
-1
@@ -198,7 +198,7 @@ class Pkg_MokoJoomBackupInstallerScript
|
||||
mkdir($backupDir, 0755, true);
|
||||
|
||||
// Protect backup directory with .htaccess
|
||||
file_put_contents($backupDir . '/.htaccess', "Order deny,allow\nDeny from all\n");
|
||||
file_put_contents($backupDir . '/.htaccess', "# Apache 2.4+\n<IfModule mod_authz_core.c>\n Require all denied\n</IfModule>\n# Apache 2.2\n<IfModule !mod_authz_core.c>\n Order deny,allow\n Deny from all\n</IfModule>\n");
|
||||
file_put_contents($backupDir . '/index.html', '<!DOCTYPE html><title></title>');
|
||||
}
|
||||
}
|
||||
|
||||
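Review bot: The installer's `file_put_contents` call for the .htaccess (and the `mkdir` before it) still ignores its return value, whereas the three engine/table hunks in this commit check for `=== false` and log; a failed write here leaves the backup directory without the deny rule and nothing reports it. Align it with the others: `if (file_put_contents($backupDir . '/.htaccess', $htaccessContent) === false) { error_log('MokoJoomBackup: Could not create .htaccess in backup directory: ' . $backupDir); }`, with `$htaccessContent` holding the existing string. The enclosing method starts outside the hunk, so where `$backupDir` comes from is not visible here.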