authorBharat Mediratta <bharat@menalto.com>2010-01-30 21:07:03 -0800
committerBharat Mediratta <bharat@menalto.com>2010-01-30 21:07:03 -0800
commitc2a7a6a4e7b492c649462c1bb4e60c033819803e (patch)
treeb72bd7b591f02a2484632bc3e1a7691b1f4fb442 /modules
parent79a1365991557d64776110b0a3a99ea42b1a70fe (diff)
Lock down web access to var/uploads, var/tmp and var/logs using .htaccess
Fixes ticket #587.
Diffstat (limited to 'modules')
-rw-r--r--modules/gallery/helpers/gallery_installer.php22
-rw-r--r--modules/gallery/module.info2
2 files changed, 21 insertions, 3 deletions
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php
index cf701ed4..bffef8e6 100644
--- a/modules/gallery/helpers/gallery_installer.php
+++ b/modules/gallery/helpers/gallery_installer.php
@@ -204,6 +204,9 @@ class gallery_installer {
foreach (array("albums", "logs", "modules", "resizes", "thumbs", "tmp", "uploads") as $dir) {
@mkdir(VARPATH . $dir);
+ if (in_array($dir, array("logs", "tmp", "uploads"))) {
+ self::_protect_directory(VARPATH . $dir);
+ }
}
access::register_permission("view", "View");
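Review bot: The new `_protect_directory` call runs regardless of whether the preceding `@mkdir(VARPATH . $dir)` succeeded, and both failures are silent, so an install on a var tree that is not writable finishes "successfully" with var/logs, var/tmp and var/uploads left web-readable. Since this control is the whole point of the commit, the loop should verify the directory exists and is writable before protecting it and abort otherwise, e.g. `if (!is_dir(VARPATH . $dir) || !is_writable(VARPATH . $dir)) { throw new Exception("Cannot create var/$dir"); }` before the `in_array` check. The `in_array` call should also pass `true` as its third argument; it is not a defect here since `$dir` is always a string, but it is the convention worth keeping. The enclosing install() method starts outside this hunk.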
@@ -284,7 +287,7 @@ class gallery_installer {
// @todo this string needs to be picked up by l10n_scanner
module::set_var("gallery", "credits", "Powered by <a href=\"%url\">Gallery %version</a>");
module::set_var("gallery", "simultaneous_upload_limit", 5);
- module::set_version("gallery", 23);
+ module::set_version("gallery", 25);
}
static function upgrade($version) {
@@ -494,7 +497,7 @@ class gallery_installer {
module::set_version("gallery", $version = 23);
}
- if ($version = 23) {
+ if ($version == 23) {
$db->query("CREATE TABLE {failed_logins} (
`id` int(9) NOT NULL auto_increment,
`count` int(9) NOT NULL,
@@ -504,6 +507,13 @@ class gallery_installer {
DEFAULT CHARSET=utf8;");
module::set_version("gallery", $version = 24);
}
+
+ if ($version == 24) {
+ foreach (array("logs", "tmp", "uploads") as $dir) {
+ self::_protect_directory(VARPATH . $dir);
+ }
+ module::set_version("gallery", $version = 25);
+ }
}
static function uninstall() {
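Review bot: The version-24 step calls `_protect_directory` on existing installs, and because that helper opens the file with `w+` it will silently replace any `.htaccess` an administrator has already placed in var/logs, var/tmp or var/uploads (for example a hand-written deny rule or a `php_flag engine off`). Replacing a looser file with deny-all is a net gain, but discarding a stricter or additional rule without notice is not; the upgrade should at least log that the file was overwritten, or skip directories that already contain a `.htaccess` and report them. A comment such as `// Existing .htaccess files in these directories are overwritten with a deny-all rule.` above the foreach would make the behaviour explicit to whoever maintains this step. The upgrade() method continues outside this hunk.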
@@ -528,4 +538,12 @@ class gallery_installer {
system("/bin/rm -rf " . VARPATH . $entry);
}
}
+
+ static function _protect_directory($dir) {
+ $fp = @fopen("$dir/.htaccess", "w+");
+ fwrite($fp, "DirectoryIndex .htaccess\nSetHandler Gallery_Security_Do_Not_Remove\n" .
+ "Options None\n<IfModule mod_rewrite.c>\nRewriteEngine off\n</IfModule>\n" .
+ "Order allow,deny\nDeny from all\n");
+ fclose($fp);
+ }
}
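Review bot: `_protect_directory` fails open: `@fopen` suppresses the error, and when it returns false the following `fwrite`/`fclose` only emit warnings while the directory stays web-accessible, so a permissions problem turns the security control into a no-op with a "successful" install. Drop the `@` and check the handle, e.g. `$fp = fopen("$dir/.htaccess", "w+"); if ($fp === false) { throw new Exception("Unable to write $dir/.htaccess"); }`, and likewise check the `fwrite` return value. The rules written here are Apache-specific and only take effect where `AllowOverride` permits them; on nginx, lighttpd or a vhost with `AllowOverride None` the directories remain exposed, and on Apache builds without mod_access_compat the `Order`/`Deny` pair needs a `Require all denied` equivalent, so a header comment stating `// Apache-only: requires AllowOverride for Limit/Options/FileInfo; other web servers need their own deny rule for var/{logs,tmp,uploads}.` would warn deployers. The unknown handler name in `SetHandler Gallery_Security_Do_Not_Remove` presumably exists to make Apache refuse the request if the deny rules are stripped; a one-line comment saying so would keep a future maintainer from "cleaning it up".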
diff --git a/modules/gallery/module.info b/modules/gallery/module.info
index 5d0dd3c5..50a1505f 100644
--- a/modules/gallery/module.info
+++ b/modules/gallery/module.info
@@ -1,3 +1,3 @@
name = "Gallery 3"
description = "Gallery core application"
-version = 24
+version = 25