From cfb27dde023e4f4d04fc9de687548501e607d371 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 17 Jan 2010 13:28:24 -0800 Subject: Adjust installers to work with model based validation. --- modules/gallery/helpers/gallery_installer.php | 33 ++++++++++++++++----------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index 1e0ad28c..aa297236 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -209,19 +209,26 @@ class gallery_installer { t("Edit"); t("Add"); - $root = ORM::factory("item"); - $root->type = "album"; - $root->title = "Gallery"; - $root->description = ""; - $root->left_ptr = 1; - $root->right_ptr = 2; - $root->parent_id = 0; - $root->level = 1; - $root->thumb_dirty = 1; - $root->resize_dirty = 1; - $root->sort_column = "weight"; - $root->sort_order = "ASC"; - $root->save(); + // Hardcode the first item to sidestep ORM validation rules + $now = time(); + db::build()->insert( + "items", + array("created" => $now, + "description" => "", + "left_ptr" => 1, + "level" => 1, + "parent_id" => 0, + "resize_dirty" => 1, + "right_ptr" => 2, + "sort_column" => "weight", + "sort_order" => "ASC", + "thumb_dirty" => 1, + "title" => "Gallery", + "type" => "album", + "updated" => $now, + "weight" => 1)) + ->execute(); + $root = ORM::factory("item")->where("id", "=", 1)->find(); access::add_item($root); module::set_var("gallery", "active_site_theme", "wind"); -- cgit v1.2.3 From 4b32a71afc7650fe7bdd02ba384c8914f60538f3 Mon Sep 17 00:00:00 2001 
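Review bot: The re-fetch on the last added line, `$root = ORM::factory("item")->where("id", "=", 1)->find();`, assumes the raw insert received id 1 and hands the result straight to `access::add_item($root)` without checking it; on a table whose AUTO_INCREMENT did not start at 1 (for example after a partially failed install) that is an unloaded model and the root album silently gets no permissions. Guard it: `if (!$root->loaded()) { throw new Exception("Root album was not created"); }`. The new comment should also say that bypassing `save()` presumably skips any ORM save hooks along with validation, so every column those hooks would normally fill has to be listed in this array by hand. The enclosing install() method continues outside the hunk.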
From: Bharat Mediratta Date: Wed, 27 Jan 2010 22:34:11 -0800 Subject: Convert back to using ORM::factory(..., $id) instead of calling where(). --- modules/comment/models/comment.php | 2 +- modules/comment/tests/Comment_Event_Test.php | 2 +- modules/g2_import/controllers/g2.php | 2 +- modules/g2_import/helpers/g2_import.php | 11 +++++------ modules/gallery/helpers/gallery_installer.php | 2 +- modules/gallery/helpers/item_rest.php | 2 +- modules/gallery/libraries/ORM_MPTT.php | 2 +- modules/gallery/models/item.php | 4 ++-- modules/server_add/controllers/server_add.php | 13 ++++++------- modules/tag/helpers/item_tags_rest.php | 2 +- modules/tag/helpers/tag_item_rest.php | 4 ++-- modules/tag/helpers/tag_items_rest.php | 2 +- modules/tag/helpers/tag_rest.php | 2 +- modules/user/models/group.php | 2 +- modules/user/models/user.php | 2 +- 15 files changed, 26 insertions(+), 28 deletions(-) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php index 43c4148f..8be022b5 100644 --- a/modules/comment/models/comment.php +++ b/modules/comment/models/comment.php @@ -108,7 +108,7 @@ class Comment_Model extends ORM { module::event("comment_created", $this); } else { // Updated comment - $original = ORM::factory("comment")->where("id", "=", $this->id)->find(); + $original = ORM::factory("comment", $this->id); $visible_change = $original->state == "published" || $this->state == "published"; parent::save(); module::event("comment_updated", $original, $this); diff --git a/modules/comment/tests/Comment_Event_Test.php b/modules/comment/tests/Comment_Event_Test.php index 27272055..08f55b3f 100644 --- a/modules/comment/tests/Comment_Event_Test.php +++ b/modules/comment/tests/Comment_Event_Test.php 
@@ -30,6 +30,6 @@ class Comment_Event_Test extends Gallery_Unit_Test_Case { $album->delete(); - $this->assert_false(ORM::factory("comment")->where("id", "=", $comment->id)->find()->loaded()); + $this->assert_false(ORM::factory("comment", $comment->id)->loaded()); } } diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php index 3e002758..5fd4400c 100644 --- a/modules/g2_import/controllers/g2.php +++ b/modules/g2_import/controllers/g2.php @@ -50,7 +50,7 @@ class G2_Controller extends Admin_Controller { throw new Kohana_404_Exception(); } - $item = ORM::factory("item")->where("id", "=", $g2_map->g3_id)->find(); + $item = ORM::factory("item", $g2_map->g3_id); if (!$item->loaded() || !access::can("view", $item)) { throw new Kohana_404_Exception(); } diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php index 74164305..fa95e547 100644 --- a/modules/g2_import/helpers/g2_import.php +++ b/modules/g2_import/helpers/g2_import.php @@ -358,8 +358,7 @@ class g2_import_Core { if ($g2_album->getParentId() == null) { return t("Skipping Gallery 2 root album"); } - $parent_album = - ORM::factory("item")->where("id", "=", self::map($g2_album->getParentId()))->find(); + $parent_album = ORM::factory("item", self::map($g2_album->getParentId())); $album = ORM::factory("item"); $album->type = "album"; @@ -423,8 +422,8 @@ class g2_import_Core { } $item_id = self::map($g2_source->getId()); if ($item_id) { - $item = ORM::factory("item")->where("id", "=", $item_id)->find(); - $g2_album = ORM::factory("item")->where("id", "=", $g3_album_id)->find(); + $item = ORM::factory("item", $item_id); + $g2_album = ORM::factory("item", $g3_album_id); $g2_album->album_cover_item_id = $item->id; $g2_album->thumb_dirty = 1; $g2_album->view_count = g2(GalleryCoreApi::fetchItemViewCount($g2_album_id)); 
@@ -452,7 +451,7 @@ class g2_import_Core { array("id" => $g2_item_id, "exception" => (string)$e)); } - $parent = ORM::factory("item")->where("id", "=", self::map($g2_item->getParentId()))->find(); + $parent = ORM::factory("item", self::map($g2_item->getParentId())); $g2_type = $g2_item->getEntityType(); $corrupt = 0; @@ -633,7 +632,7 @@ class g2_import_Core { GalleryCoreApi::requireOnce("modules/tags/classes/TagsHelper.class"); $g2_item_id = array_shift($queue); - $g3_item = ORM::factory("item")->where("id", "=", self::map($g2_item_id))->find(); + $g3_item = ORM::factory("item", self::map($g2_item_id)); if (!$g3_item->loaded()) { return; } diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index aa297236..bfab4645 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -228,7 +228,7 @@ class gallery_installer { "updated" => $now, "weight" => 1)) ->execute(); - $root = ORM::factory("item")->where("id", "=", 1)->find(); + $root = ORM::factory("item", 1); access::add_item($root); module::set_var("gallery", "active_site_theme", "wind"); diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php index 2236fbbb..d5ca1456 100644 --- a/modules/gallery/helpers/item_rest.php +++ b/modules/gallery/helpers/item_rest.php @@ -145,7 +145,7 @@ class item_rest_Core { } static function resolve($id) { - $item = ORM::factory("item")->where("id", "=", $id)->find(); + $item = ORM::factory("item", $id); if (!access::can("view", $item)) { throw new Kohana_404_Exception(); } diff --git a/modules/gallery/libraries/ORM_MPTT.php b/modules/gallery/libraries/ORM_MPTT.php index a7bb24ea..83f9b51e 100644 --- a/modules/gallery/libraries/ORM_MPTT.php +++ b/modules/gallery/libraries/ORM_MPTT.php 
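Review bot: In `item_rest_Core::resolve()` the added line `$item = ORM::factory("item", $id);` feeds a request-supplied `$id` into the model constructor, which resolves it through the ORM's `unique_key()` rather than the explicit `id` equality the removed line used; if any of these models overrides `unique_key()` to accept non-numeric keys, as some Kohana models do, a caller could address rows by a column other than `id`. The same shift applies to the other request-driven lookups in this commit: `item_tags_rest`, `tag_item_rest`, `tag_items_rest`, `tag_rest` and `Server_Add_Controller::start()`. If only numeric ids are intended, reject anything else before the lookup, `if (!ctype_digit((string) $id)) { throw new Kohana_404_Exception(); }`, or at least add a comment on `resolve()` recording that `$id` is untrusted URL input. `resolve()` continues past the end of the hunk.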
@@ -48,7 +48,7 @@ class ORM_MPTT_Core extends ORM { function save() { if (!$this->loaded()) { $this->lock(); - $parent = ORM::factory("item")->where("id", "=", $this->parent_id)->find(); + $parent = ORM::factory("item", $this->parent_id); try { // Make a hole in the parent for this new item diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index 9706d61f..ae1b6608 100644 --- a/modules/gallery/models/item.php +++ b/modules/gallery/models/item.php @@ -423,7 +423,7 @@ class Item_Model extends ORM_MPTT { // If any significant fields have changed, load up a copy of the original item and // keep it around. - $original = ORM::factory("item")->where("id", "=", $this->id)->find(); + $original = ORM::factory("item", $this->id); if (array_intersect($this->changed, array("parent_id", "name", "slug"))) { $original->_build_relative_caches(); $this->relative_path_cache = null; @@ -787,7 +787,7 @@ class Item_Model extends ORM_MPTT { if ($this->is_movie() || $this->is_photo()) { if ($this->loaded()) { // Existing items can't change their extension - $original = ORM::factory("item")->where("id", "=", $this->id)->find(); + $original = ORM::factory("item", $this->id); $new_ext = pathinfo($this->name, PATHINFO_EXTENSION); $old_ext = pathinfo($original->name, PATHINFO_EXTENSION); if (strcasecmp($new_ext, $old_ext)) { diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php index 4d6d5dfe..287855b6 100644 --- a/modules/server_add/controllers/server_add.php +++ b/modules/server_add/controllers/server_add.php @@ -24,7 +24,7 @@ class Server_Add_Controller extends Admin_Controller { $files[] = $path; } - $item = ORM::factory("item")->where("id", "=", $id)->find(); + $item = ORM::factory("item", $id); $view = new View("server_add_tree_dialog.html"); $view->item = $item; $view->tree = new View("server_add_tree.html"); 
@@ -78,7 +78,7 @@ class Server_Add_Controller extends Admin_Controller { */ public function start() { access::verify_csrf(); - $item = ORM::factory("item")->where("id", "=", Input::instance()->get("item_id"))->find(); + $item = ORM::factory("item", Input::instance()->get("item_id")); foreach (Input::instance()->post("paths") as $path) { if (server_add::is_valid_path($path)) { @@ -104,7 +104,7 @@ class Server_Add_Controller extends Admin_Controller { function run($task_id) { access::verify_csrf(); - $task = ORM::factory("task")->where("id", "=", $task_id)->find(); + $task = ORM::factory("task", $task_id); if (!$task->loaded() || $task->owner_id != identity::active_user()->id) { access::forbidden(); } @@ -216,12 +216,11 @@ class Server_Add_Controller extends Admin_Controller { // Look up the parent item for this entry. By now it should exist, but if none was // specified, then this belongs as a child of the current item. - $parent_entry = - ORM::factory("server_add_file")->where("id", "=", $entry->parent_id)->find(); + $parent_entry = ORM::factory("server_add_file", $entry->parent_id); if (!$parent_entry->loaded()) { - $parent = ORM::factory("item")->where("id", "=", $task->get("item_id"))->find(); + $parent = ORM::factory("item", $task->get("item_id")); } else { - $parent = ORM::factory("item")->where("id", "=", $parent_entry->item_id)->find(); + $parent = ORM::factory("item", $parent_entry->item_id); } $name = basename($entry->file); diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php index ce814f77..43e2cef0 100644 --- a/modules/tag/helpers/item_tags_rest.php +++ b/modules/tag/helpers/item_tags_rest.php @@ -50,7 +50,7 @@ class item_tags_rest_Core { } static function resolve($id) { - $item = ORM::factory("item")->where("id", "=", $id)->find(); + $item = ORM::factory("item", $id); if (!access::can("view", $item)) { throw new Kohana_404_Exception(); } 
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php index cd9bb6fe..60d37437 100644 --- a/modules/tag/helpers/tag_item_rest.php +++ b/modules/tag/helpers/tag_item_rest.php @@ -35,8 +35,8 @@ class tag_item_rest_Core { static function resolve($tuple) { list ($tag_id, $item_id) = split(",", $tuple); - $tag = ORM::factory("tag")->where("id", "=", $tag_id)->find(); - $item = ORM::factory("item")->where("id", "=", $item_id)->find(); + $tag = ORM::factory("tag", $tag_id); + $item = ORM::factory("item", $item_id); if (!$tag->loaded() || !$item->loaded() || !$tag->has($item)) { throw new Kohana_404_Exception(); } diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php index 369a8d83..ef563ac6 100644 --- a/modules/tag/helpers/tag_items_rest.php +++ b/modules/tag/helpers/tag_items_rest.php @@ -52,7 +52,7 @@ class tag_items_rest_Core { } static function resolve($id) { - return ORM::factory("tag")->where("id", "=", $id)->find(); + return ORM::factory("tag", $id); } static function url($tag) { diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php index 7143daa9..4879cf63 100644 --- a/modules/tag/helpers/tag_rest.php +++ b/modules/tag/helpers/tag_rest.php @@ -77,7 +77,7 @@ class tag_rest_Core { } static function resolve($id) { - $tag = ORM::factory("tag")->where("id", "=", $id)->find(); + $tag = ORM::factory("tag", $id); if (!$tag->loaded()) { throw new Kohana_404_Exception(); } diff --git a/modules/user/models/group.php b/modules/user/models/group.php index 85114ede..851e72e6 100644 --- a/modules/user/models/group.php +++ b/modules/user/models/group.php 
@@ -55,7 +55,7 @@ class Group_Model extends ORM implements Group_Definition { module::event("group_created", $this); } else { // Updated group - $original = ORM::factory("group")->where("id", "=", $this->id)->find(); + $original = ORM::factory("group", $this->id); parent::save(); module::event("group_updated", $original, $this); } diff --git a/modules/user/models/user.php b/modules/user/models/user.php index 7c97bae7..78c31047 100644 --- a/modules/user/models/user.php +++ b/modules/user/models/user.php @@ -99,7 +99,7 @@ class User_Model extends ORM implements User_Definition { module::event("user_created", $this); } else { // Updated user - $original = ORM::factory("user")->where("id", "=", $this->id)->find(); + $original = ORM::factory("user", $this->id); parent::save(); module::event("user_updated", $original, $this); } -- cgit v1.2.3 From 45cdac973d35de083875ed966ac687b805d60e7f Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 29 Jan 2010 14:06:36 -0800 Subject: Oops, somebody (me?) forgot to update the gallery module version number in gallery_installer::install() so the install.sql was out of sync. --- installer/install.sql | 2 +- modules/gallery/helpers/gallery_installer.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/installer/install.sql b/installer/install.sql index 39637fb3..a5eec229 100644 --- a/installer/install.sql +++ b/installer/install.sql @@ -228,7 +228,7 @@ CREATE TABLE {modules} ( UNIQUE KEY `name` (`name`) ) AUTO_INCREMENT=10 DEFAULT CHARSET=utf8; SET character_set_client = @saved_cs_client; -INSERT INTO {modules} VALUES (1,1,'gallery',21); +INSERT INTO {modules} VALUES (1,1,'gallery',22); INSERT INTO {modules} VALUES (2,1,'user',2); INSERT INTO {modules} VALUES (3,1,'comment',2); INSERT INTO {modules} VALUES (4,1,'organize',1); 
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index bfab4645..93948045 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -276,7 +276,7 @@ class gallery_installer { // @todo this string needs to be picked up by l10n_scanner module::set_var("gallery", "credits", "Powered by Gallery %version"); module::set_var("gallery", "simultaneous_upload_limit", 5); - module::set_version("gallery", 21); + module::set_version("gallery", 22); } static function upgrade($version) { -- cgit v1.2.3 From 98bcb95b1065a044909c4c4ff15d93fafc793df7 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 29 Jan 2010 14:20:34 -0800 Subject: Go through all slugs and make them legal values. Upgrade gallery3 module to version 23 --- modules/gallery/helpers/gallery_installer.php | 23 ++++++++++++++++++++++- modules/gallery/module.info | 2 +- 2 files changed, 23 insertions(+), 2 deletions(-) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index 93948045..8227fdc9 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -450,7 +450,7 @@ class gallery_installer { // Update the graphics rules table so that the maximum height for resizes is 640 not 480. // Fixes ticket #671 - if ( $version == 21) { + if ($version == 21) { $resize_rule = ORM::factory("graphics_rule") ->where("id", "=", "2") ->find(); 
@@ -463,6 +463,27 @@ class gallery_installer { } module::set_version("gallery", $version = 22); } + + // Update slug values to be legal. We should have done this in the 11->12 upgrader, but I was + // lazy. Mea culpa! + if ($version == 22) { + foreach (db::build() + ->from("items") + ->select("id", "slug") + ->where(new Database_Expression("`slug` REGEXP '[^_A-Za-z0-9-]'"), "=", 1) + ->execute() as $row) { + $new_slug = item::convert_filename_to_slug($row->slug); + if (empty($new_slug)) { + $new_slug = rand(); + } + db::build() + ->update("items") + ->set("slug", $new_slug) + ->where("id", "=", $row->id) + ->execute(); + } + module::set_version("gallery", $version = 23); + } } static function uninstall() { diff --git a/modules/gallery/module.info b/modules/gallery/module.info index 107d9a12..ee169cf1 100644 --- a/modules/gallery/module.info +++ b/modules/gallery/module.info @@ -1,4 +1,4 @@ name = "Gallery 3" description = "Gallery core application" -version = 22 +version = 23 -- cgit v1.2.3 From d4998e37d859e4702407b9a85af6a8ac2fabe686 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 29 Jan 2010 14:25:57 -0800 Subject: Don't forget to flush the relative_url_cache when updating the slug. --- modules/gallery/helpers/gallery_installer.php | 1 + 1 file changed, 1 insertion(+) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index 8227fdc9..d2378d64 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -479,6 +479,7 @@ class gallery_installer { db::build() ->update("items") ->set("slug", $new_slug) + ->set("relative_url_cache", null) ->where("id", "=", $row->id) ->execute(); } -- cgit v1.2.3 From 2bfcec9620814a6f3d0163a174d7ba90efef369d Mon Sep 17 00:00:00 2001 
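Review bot: The fallback `$new_slug = rand();` in the new version-22 block has no uniqueness guarantee against the item's siblings, and the value returned by `item::convert_filename_to_slug()` is not checked for collisions either, so two items in one album can end up sharing a slug and one of them becomes unreachable by URL. A per-row-unique fallback such as `$new_slug = "item_" . $row->id;` removes the randomness for the empty case; a collision check for the converted value would presumably need `parent_id`, which the select does not fetch. `empty($new_slug)` is also true for the legal slug `"0"`, so that value would be discarded; `if ($new_slug === "")` is the intended test. The enclosing upgrade() method continues outside the hunk.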
From: Bharat Mediratta Date: Sat, 30 Jan 2010 19:48:57 -0800 Subject: Prevent brute force login attacks by reducing login attempts to 1 per minute after there have been 5 consecutive failed login attempts. Fix for ticket #589. --- modules/gallery/controllers/login.php | 7 ++--- modules/gallery/helpers/auth.php | 45 ++++++++++++++++++++++++++- modules/gallery/helpers/gallery_event.php | 5 +++ modules/gallery/helpers/gallery_installer.php | 22 ++++++++++++- modules/gallery/models/failed_login.php | 20 ++++++++++++ modules/gallery/module.info | 3 +- 6 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 modules/gallery/models/failed_login.php (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php index cfe86cfb..1426f0d8 100644 --- a/modules/gallery/controllers/login.php +++ b/modules/gallery/controllers/login.php @@ -62,11 +62,10 @@ class Login_Controller extends Controller { if ($valid) { $user = identity::lookup_user_by_name($form->login->inputs["name"]->value); if (empty($user) || !identity::is_correct_password($user, $form->login->password->value)) { - log::warning( - "user", - t("Failed login for %name", - array("name" => $form->login->inputs["name"]->value))); $form->login->inputs["name"]->add_error("invalid_login", 1); + $name = $form->login->inputs["name"]->value; + log::warning("user", t("Failed login for %name", array("name" => $name))); + module::event("user_login_failed", $name); $valid = false; } } diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php index f7d4f7e8..e112f127 100644 --- a/modules/gallery/helpers/auth.php +++ b/modules/gallery/helpers/auth.php 
@@ -22,7 +22,10 @@ class auth_Core { $form = new Forge($url, "", "post", array("id" => "g-login-form")); $form->set_attr('class', "g-narrow"); $group = $form->group("login")->label(t("Login")); - $group->input("name")->label(t("Username"))->id("g-username")->class(null); + $group->input("name")->label(t("Username"))->id("g-username")->class(null) + ->callback("auth::validate_too_many_failed_logins") + ->error_messages( + "too_many_failed_logins", t("Too many failed login attempts. Try again later")); $group->password("password")->label(t("Password"))->id("g-password")->class(null); $group->inputs["name"]->error_messages("invalid_login", t("Invalid name or password")); $group->submit("")->value(t("Login")); @@ -55,4 +58,44 @@ class auth_Core { array("url" => user_profile::url($user->id), "user_name" => html::clean($user->name)))); } + + /** + * After there have been 5 failed login attempts, any failure leads to getting locked out for a + * minute. + */ + static function validate_too_many_failed_logins($name_input) { + $failed_login = ORM::factory("failed_login") + ->where("name", "=", $name_input->value) + ->find(); + if ($failed_login->loaded() && + $failed_login->count > 5 && + (time() - $failed_login->time < 60)) { + $name_input->add_error("too_many_failed_logins", 1); + } + } + + /** + * Record a failed login for this user + */ + static function record_failed_login($name) { + $failed_login = ORM::factory("failed_login") + ->where("name", "=", $name) + ->find(); + if (!$failed_login->loaded()) { + $failed_login->name = $name; + } + $failed_login->time = time(); + $failed_login->count++; + $failed_login->save(); + } + + /** + * Clear any failed logins for this user + */ + static function record_successful_login($user) { + db::build() + ->delete("failed_logins") + ->where("name", "=", $user->name) + ->execute(); + } } \ No newline at end of file 
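Review bot: `record_failed_login()` creates a `failed_logins` row for whatever name was submitted, including names that match no account, and only `record_successful_login()` ever deletes one, so a spray of random usernames grows the table without bound and stale rows are never reclaimed; prune rows whose `time` is older than a retention window (a day, say) either opportunistically in `record_failed_login()` or from a scheduled task. `$failed_login->count > 5` admits six failures before the block engages while the docblock says five; `>= 5` matches the comment. Because the lockout is keyed on the username alone, anyone who knows a login name can lock that account for a minute at a time; the docblock on `validate_too_many_failed_logins()` should state that tradeoff so later readers do not mistake it for a per-client limit. Both helpers rely on `$failed_login->count++` producing 1 on a fresh record, which is worth a one-line comment since it depends on PHP's null increment.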
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 80452276..6479e2c3 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -110,6 +110,11 @@ class gallery_event_Core { graphics::choose_default_toolkit(); module::clear_var("gallery", "choose_default_tookit"); } + auth::record_successful_login($user); + } + + static function user_login_failed($name) { + auth::record_failed_login($name); } static function item_index_data($item, $data) { diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index d2378d64..cf701ed4 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -42,6 +42,14 @@ class gallery_installer { KEY (`tags`)) DEFAULT CHARSET=utf8;"); + $db->query("CREATE TABLE {failed_logins} ( + `id` int(9) NOT NULL auto_increment, + `count` int(9) NOT NULL, + `name` varchar(255) NOT NULL, + `time` int(9) NOT NULL, + PRIMARY KEY (`id`)) + DEFAULT CHARSET=utf8;"); + $db->query("CREATE TABLE {graphics_rules} ( `id` int(9) NOT NULL auto_increment, `active` BOOLEAN default 0, @@ -276,7 +284,7 @@ class gallery_installer { // @todo this string needs to be picked up by l10n_scanner module::set_var("gallery", "credits", "Powered by Gallery %version"); module::set_var("gallery", "simultaneous_upload_limit", 5); - module::set_version("gallery", 22); + module::set_version("gallery", 23); } static function upgrade($version) { @@ -485,6 +493,17 @@ class gallery_installer { } module::set_version("gallery", $version = 23); } + + if ($version = 23) { + $db->query("CREATE TABLE {failed_logins} ( + `id` int(9) NOT NULL auto_increment, + `count` int(9) NOT NULL, + `name` varchar(255) NOT NULL, + `time` int(9) NOT NULL, + PRIMARY KEY (`id`)) + DEFAULT CHARSET=utf8;"); + module::set_version("gallery", $version = 24); + } } static function uninstall() { 
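Review bot: The new `{failed_logins}` table, both in install() and in the version-23 upgrade block, carries only `PRIMARY KEY (\`id\`)`, yet every access in `auth_Core` is `where("name", "=", ...)`, so each login attempt scans the whole table; add `KEY (\`name\`)` to both CREATE TABLE statements. Because `record_failed_login()` does a find-then-save with no locking, two concurrent failures for one name can insert two rows, which a plain index tolerates and a UNIQUE key would turn into an error, so a non-unique index is the right choice unless the write path changes. The `if ($version = 23)` assignment in the upgrade block and the install() version of 23 are corrected by the following commit on this page ("Lock down web access to var/uploads, var/tmp and var/logs"), so they are not re-raised here. upgrade() continues outside the hunk.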
@@ -493,6 +512,7 @@ class gallery_installer { $db->query("DROP TABLE IF EXISTS {access_intents}"); $db->query("DROP TABLE IF EXISTS {graphics_rules}"); $db->query("DROP TABLE IF EXISTS {incoming_translations}"); + $db->query("DROP TABLE IF EXISTS {failed_logins}"); $db->query("DROP TABLE IF EXISTS {items}"); $db->query("DROP TABLE IF EXISTS {logs}"); $db->query("DROP TABLE IF EXISTS {modules}"); diff --git a/modules/gallery/models/failed_login.php b/modules/gallery/models/failed_login.php new file mode 100644 index 00000000..0b84c295 --- /dev/null +++ b/modules/gallery/models/failed_login.php @@ -0,0 +1,20 @@ + Date: Sat, 30 Jan 2010 21:07:03 -0800 Subject: Lock down web access to var/uploads, var/tmp and var/logs using .htaccess Fixes ticket #587. --- modules/gallery/helpers/gallery_installer.php | 22 ++++++++++++++++++++-- modules/gallery/module.info | 2 +- 2 files changed, 21 insertions(+), 3 deletions(-) (limited to 'modules/gallery/helpers/gallery_installer.php') diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index cf701ed4..bffef8e6 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -204,6 +204,9 @@ class gallery_installer { foreach (array("albums", "logs", "modules", "resizes", "thumbs", "tmp", "uploads") as $dir) { @mkdir(VARPATH . $dir); + if (in_array($dir, array("logs", "tmp", "uploads"))) { + self::_protect_directory(VARPATH . $dir); + } } access::register_permission("view", "View"); @@ -284,7 +287,7 @@ class gallery_installer { // @todo this string needs to be picked up by l10n_scanner module::set_var("gallery", "credits", "Powered by Gallery %version"); module::set_var("gallery", "simultaneous_upload_limit", 5); - module::set_version("gallery", 23); + module::set_version("gallery", 25); } static function upgrade($version) { 
@@ -494,7 +497,7 @@ class gallery_installer { module::set_version("gallery", $version = 23); } - if ($version = 23) { + if ($version == 23) { $db->query("CREATE TABLE {failed_logins} ( `id` int(9) NOT NULL auto_increment, `count` int(9) NOT NULL, @@ -504,6 +507,13 @@ class gallery_installer { DEFAULT CHARSET=utf8;"); module::set_version("gallery", $version = 24); } + + if ($version == 24) { + foreach (array("logs", "tmp", "uploads") as $dir) { + self::_protect_directory(VARPATH . $dir); + } + module::set_version("gallery", $version = 25); + } } static function uninstall() { @@ -528,4 +538,12 @@ class gallery_installer { system("/bin/rm -rf " . VARPATH . $entry); } } + + static function _protect_directory($dir) { + $fp = @fopen("$dir/.htaccess", "w+"); + fwrite($fp, "DirectoryIndex .htaccess\nSetHandler Gallery_Security_Do_Not_Remove\n" . + "Options None\n\nRewriteEngine off\n\n" . + "Order allow,deny\nDeny from all\n"); + fclose($fp); + } } diff --git a/modules/gallery/module.info b/modules/gallery/module.info index 5d0dd3c5..50a1505f 100644 --- a/modules/gallery/module.info +++ b/modules/gallery/module.info @@ -1,3 +1,3 @@ name = "Gallery 3" description = "Gallery core application" -version = 24 +version = 25 -- cgit v1.2.3
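Review bot: `_protect_directory()` never checks the result of `$fp = @fopen("$dir/.htaccess", "w+");`, so on a non-writable var/ directory the `@` hides the failure, `fwrite()` and `fclose()` then warn on a non-resource, and install or upgrade completes with `logs`, `tmp` and `uploads` still web-readable, the opposite of what ticket #587 asks for. Drop the `@` and fail loudly: `if (!$fp) { throw new Exception("Unable to write $dir/.htaccess"); }` before the `fwrite()`. The emitted file also contains a bare `RewriteEngine off`; on a host without mod_rewrite Apache rejects an unknown directive in .htaccess with a 500, so wrap that line in `<IfModule mod_rewrite.c> … </IfModule>`. Whether Apache honours the file at all depends on AllowOverride, which the installer cannot verify, and a comment above the function should say so. The same helper is called from the mkdir loop in install() in this commit's earlier hunk, so both paths inherit the silent failure.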