Finalized permissions on files and directories; adding PHP shutoff button (actual shutoff not implemented)
Binary file images/php-shutoff.png has changed
--- a/includes/clientside/static/ajax.js Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/clientside/static/ajax.js Thu Jun 21 12:00:16 2007 -0400
@@ -569,3 +569,39 @@
window.location = loc;
}
+function ajaxDisableEmbeddedPHP()
+{
+ if ( !confirm('Are you really sure you want to do this? Some pages might not function if this emergency-only feature is activated.') )
+ return false;
+ var $killdiv = $dynano('php_killer');
+ if ( !$killdiv.object )
+ {
+ alert('Can\'t get kill div object');
+ return false;
+ }
+ $killdiv.object.innerHTML = '<img alt="Loading..." src="' + scriptPath + '/images/loading-big.gif" /><br />Making request...';
+ var url = makeUrlNS('Admin', 'Home', 'src=ajax');
+ ajaxPost(url, 'act=kill_php', function() {
+ if ( ajax.readyState == 4 )
+ {
+ if ( ajax.responseText == '1' )
+ {
+ var $killdiv = $dynano('php_killer');
+ //$killdiv.object.innerHTML = '<img alt="Success" src="' + scriptPath + '/images/error.png" /><br />Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ var newdiv = document.createElement('div');
+ // newdiv.style = $killdiv.object.style;
+ newdiv.className = $killdiv.object.className;
+ newdiv.innerHTML = '<img alt="Success" src="' + scriptPath + '/images/error.png" /><br />Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.appendChild(newdiv);
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ }
+ else
+ {
+ var $killdiv = $dynano('php_killer');
+ $killdiv.object.innerHTML = ajax.responseText;
+ }
+ }
+ });
+}
+
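Review bot: In the success branch the kill div is detached twice, and the first removal breaks the second step: the `removeChild` right after the commented-out innerHTML line takes `$killdiv.object` out of the document, so when `$killdiv.object.parentNode.appendChild(newdiv)` runs a few lines later `parentNode` is null and the callback throws before the replacement div is ever added. Dropping that first `$killdiv.object.parentNode.removeChild($killdiv.object);` line is enough, since the same removal is repeated after the `appendChild`. The two commented-out lines (the old innerHTML assignment and `newdiv.style = ...`) are dead code and could go as well. Note also that the else branch assigns `ajax.responseText` straight into `innerHTML`, so the server side of `act=kill_php` (not in this diff) has to return already-escaped markup rather than raw error text.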
--- a/includes/paths.php Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/paths.php Thu Jun 21 12:00:16 2007 -0400
@@ -44,7 +44,6 @@
);
// ACL types
- // Note: you can set any of these to AUTH_DENY to universally and unconditionally deny access to the selected action.
// These can also be added from within plugins
$session->register_acl_type('read', AUTH_ALLOW, 'Read page(s)');
@@ -71,7 +70,7 @@
$session->register_acl_type('upload_files', AUTH_DISALLOW, 'Upload files', Array('create_page'), 'Article|User|Project|Template|File|Help|System|Category|Special');
$session->register_acl_type('upload_new_version', AUTH_WIKIMODE, 'Upload new versions of files', Array('upload_files'), 'Article|User|Project|Template|File|Help|System|Category|Special');
$session->register_acl_type('create_page', AUTH_WIKIMODE, 'Create pages', Array(), 'Article|User|Project|Template|File|Help|System|Category|Special');
- $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category');
+ $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category|Admin');
$session->register_acl_type('edit_acl', AUTH_DISALLOW, 'Edit access control lists', Array('read', 'post_comments', 'edit_comments', 'edit_page', 'view_source', 'mod_comments', 'history_view', 'history_rollback', 'history_rollback_extra', 'protect', 'rename', 'clear_logs', 'vote_delete', 'vote_reset', 'delete_page', 'set_wiki_mode', 'password_set', 'password_reset', 'mod_misc', 'edit_cat', 'even_when_protected', 'upload_files', 'upload_new_version', 'create_page', 'php_in_pages'));
// DO NOT add new admin pages here! Use a plugin to call $paths->addAdminNode();
--- a/install.php Tue Jun 19 18:41:10 2007 -0400
+++ b/install.php Thu Jun 21 12:00:16 2007 -0400
@@ -12,7 +12,7 @@
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
-//@include('config.php');
+@include('config.php');
if( ( defined('ENANO_INSTALLED') || defined('MIDGET_INSTALLED') ) && ((isset($_GET['mode']) && ($_GET['mode']!='finish' && $_GET['mode']!='css')) || !isset($_GET['mode']))) {
$_GET['title'] = 'Enano:WhoCaresWhatThisIs';
require('includes/common.php');
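Review bot: The newly enabled `@include('config.php')` suppresses every warning the include can raise, so a config.php that exists but cannot be read (for instance because of the permission changes this commit finalizes) looks exactly like a missing one, and the `ENANO_INSTALLED` check on the next line then lets the installer run again over an installed site. Testing for the file explicitly keeps the missing-file case silent while letting a real read failure surface: `if ( file_exists('config.php') ) require('config.php');`. The code that follows the check continues past the end of the hunk.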
@@ -168,6 +168,61 @@
mysql_close($conn);
die('good');
break;
+ case 'pophelp':
+ $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid';
+ switch($topic)
+ {
+ case 'admin_embed_php':
+ $title = 'Allow administrators to embed PHP';
+ $content = '<p>This option allows you to control whether anything between the standard <?php and ?> tags will be treated as
+ PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will
+ execute that code when the page is loaded. There are obvious potential security implications here, which should
+ be carefully considered before enabling this option.</p>
+ <p>If you are the only administrator of this site, or if you have a high level of trust for those will be administering
+ the site with you, you should enable this to allow extreme customization of pages.</p>
+ <p>Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding
+ is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to
+ embed Javascript and arbitrary HTML and CSS.</p>
+ <p>If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time
+ using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection, or by
+ using the "embedded PHP kill switch" in the administration panel.</p>';
+ break;
+ default:
+ $title = 'Invalid topic';
+ $content = 'Invalid help topic.';
+ break;
+ }
+ echo <<<EOF
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html>
+ <head>
+ <title>Enano installation quick help • {$title}</title>
+ <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+ <style type="text/css">
+ body {
+ font-family: trebuchet ms, verdana, arial, helvetica, sans-serif;
+ font-size: 9pt;
+ }
+ h2 { border-bottom: 1px solid #90B0D0; margin-bottom: 0; }
+ h3 { font-size: 11pt; font-weight: bold; }
+ li { list-style: url(../images/bullet.gif); }
+ p { margin: 1.0em; }
+ blockquote { background-color: #F4F4F4; border: 1px dotted #406080; margin: 1em; padding: 10px; max-height: 250px; overflow: auto; }
+ a { color: #7090B0; }
+ a:hover { color: #90B0D0; }
+ </style>
+ </head>
+ <body>
+ <h2>{$title}</h2>
+ {$content}
+ <p style="text-align: right;">
+ <a href="#" onclick="window.close(); return false;">Close window</a>
+ </p>
+ </body>
+</html>
+EOF;
+ exit;
+ break;
default:
break;
}
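Review bot: The help text for `admin_embed_php` writes the literal `<?php and ?>` into the page; an HTML parser treats `<?php and ?>` as a bogus comment, so the visitor sees "between the standard tags" with the tag names missing. The two tokens need to be entity-encoded in the string, e.g. `... anything between the standard &lt;?php and ?&gt; tags will be treated as`. Separately, the `break;` after `exit;` at the end of the `pophelp` case is unreachable and can be removed. The enclosing `switch` on `$_GET['mode']` starts before this hunk.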
@@ -717,6 +772,21 @@
<tr><td>Administration password:</td><td><input onkeyup="verify();" name="admin_pass" type="password" size="30" /></td><td rowspan="2"><img id="s_password" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
<tr><td>Enter it again to confirm:</td><td><input onkeyup="verify();" name="admin_pass_confirm" type="password" size="30" /></td></tr>
<tr><td>Your e-mail address:</td><td><input onkeyup="verify();" name="admin_email" type="text" size="30" /></td><td><img id="s_email" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+ <tr>
+ <td>
+ Allow administrative embedding of PHP:<br />
+ <small><span style="color: #D84308">Do not under any circumstances enable this option without reading these
+ <a href="install.php?mode=pophelp&topic=admin_embed_php"
+ onclick="window.open(this.href, 'pophelpwin', 'width=550,height=400,status=no,toolbars=no,toolbar=no,address=no,scroll=yes'); return false;"
+ style="color: #D84308; text-decoration: underline;">important security implications</a>.
+ </span></small>
+ </td>
+ <td>
+ <label><input type="radio" name="admin_embed_php" value="2" checked="checked" /> Disabled</label>
+ <label><input type="radio" name="admin_embed_php" value="4" /> Enabled</label>
+ </td>
+ <td></td>
+ </tr>
<tr><td colspan="3">If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.</td></tr>
</table>
<div class="pagenav">
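Review bot: The radio inputs for `admin_embed_php` carry bare values `2` and `4` with nothing in the markup saying what they mean, and the validation and schema substitution elsewhere in this commit depend on exactly those two values; a short PHP comment above the row such as `// admin_embed_php: 2 and 4 are the ACL values this installer accepts for "disabled" and "enabled"; keep them in sync with the POST validation below` would document the coupling (if they map to named AUTH_ constants, name those instead). Separately, the popup link `href="install.php?mode=pophelp&topic=admin_embed_php"` contains a raw `&` inside an attribute; if the installer page is served as XHTML, as the pophelp page itself is, it should be `&amp;`. The `<table>` containing this row opens before the hunk.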
@@ -847,6 +917,7 @@
!isset($_POST['copyright']) ||
!isset($_POST['admin_user']) ||
!isset($_POST['admin_pass']) ||
+ !isset($_POST['admin_embed_php']) || ( isset($_POST['admin_embed_php']) && !in_array($_POST['admin_embed_php'], array('2', '4')) ) ||
!isset($_POST['urlscheme'])
)
{
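Review bot: The inner `isset($_POST['admin_embed_php'])` in the added condition is redundant, because that clause is only reached when the preceding `!isset(...)` was false; the check reads more clearly as `!isset($_POST['admin_embed_php']) || !in_array($_POST['admin_embed_php'], array('2', '4'), true) ||`. Passing `true` for strict comparison also makes the whitelist exact rather than loosely coerced. This validation appears to be the only thing restricting the value that the later `{{ADMIN_EMBED_PHP}}` substitution writes verbatim into the schema SQL, so it is worth a comment saying so at this line. The enclosing `if` starts before the hunk.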
@@ -931,6 +1002,7 @@
$schema = str_replace('{{REAL_NAME}}', '', $schema);
$schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema);
$schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema);
+ $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema);
// Not anymore! :-D
// $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema);