# HG changeset patch
# User Dan
# Date 1207828736 14400
# Node ID 7803c9db3506b466f02ca0ffa9199de306ba5cc3
# Parent 43535769970b9668b8eacc49d58d7147f12ed350
Implemented security logging for plugin management
diff -r 43535769970b -r 7803c9db3506 includes/plugins.php
--- a/includes/plugins.php Wed Apr 09 22:45:51 2008 -0400
+++ b/includes/plugins.php Thu Apr 10 07:58:56 2008 -0400
@@ -451,6 +451,16 @@
 }
 }
+ // log action
+ $time = time();
+ $ip_db = $db->escape($_SERVER['REMOTE_ADDR']);
+ $username_db = $db->escape($session->username);
+ $file_db = $db->escape($filename);
+ $q = $db->sql_query('INSERT INTO '.table_prefix."logs(log_type, action, time_id, edit_summary, author, page_text) VALUES\n"
+ . " ('security', 'plugin_install', $time, '$ip_db', '$username_db', '$file_db');");
+ if ( !$q )
+ $db->_die();
+
 // register plugin
 $version_db = $db->escape($dataset['version']);
 $filename_db = $db->escape($filename);
@@ -555,6 +565,16 @@
 }
 }
+ // log action
+ $time = time();
+ $ip_db = $db->escape($_SERVER['REMOTE_ADDR']);
+ $username_db = $db->escape($session->username);
+ $file_db = $db->escape($filename);
+ $q = $db->sql_query('INSERT INTO '.table_prefix."logs(log_type, action, time_id, edit_summary, author, page_text) VALUES\n"
+ . " ('security', 'plugin_uninstall', $time, '$ip_db', '$username_db', '$file_db');");
+ if ( !$q )
+ $db->_die();
+
 // deregister plugin
 $q = $db->sql_query('DELETE FROM ' . table_prefix . "plugins WHERE plugin_id = {$dataset['plugin id']};");
 if ( !$q )
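Review bot: The 'plugin_install' entry is written before the `// register plugin` INSERT that follows, so if that query fails and `$db->_die()` aborts, the security log already holds an "Installed plugin" record for an action that never completed; the plugin_uninstall hunk at 555 and the plugin_upgrade hunk at 766 have the same ordering, logging before the DELETE and UPDATE they describe. Moving the log INSERT to just after the registering/deregistering/updating query succeeds keeps the log a record of completed actions (or, if logging attempts is the intent, the language strings should say so). The three blocks are otherwise identical apart from the action name, so a small file-local helper such as `plugin_seclog($action, $filename)` would remove the triplication and keep the column list in one place. The enclosing functions begin and continue outside the hunks, so where `$filename` and `$session` are validated cannot be seen here.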
@@ -766,6 +786,16 @@
 }
 }
+ // log action
+ $time = time();
+ $ip_db = $db->escape($_SERVER['REMOTE_ADDR']);
+ $username_db = $db->escape($session->username);
+ $file_db = $db->escape($filename);
+ $q = $db->sql_query('INSERT INTO '.table_prefix."logs(log_type, action, time_id, edit_summary, author, page_text) VALUES\n"
+ . " ('security', 'plugin_upgrade', $time, '$ip_db', '$username_db', '$file_db');");
+ if ( !$q )
+ $db->_die();
+
 // update version number
 $version = $db->escape($dataset['version']);
 $q = $db->sql_query('UPDATE ' . table_prefix . "plugins SET plugin_version = '$version' WHERE plugin_id = {$dataset['plugin id']};");
diff -r 43535769970b -r 7803c9db3506 language/english/admin.json
--- a/language/english/admin.json Wed Apr 09 22:45:51 2008 -0400
+++ b/language/english/admin.json Thu Apr 10 07:58:56 2008 -0400
@@ -874,6 +874,9 @@
 entry_magick_path: 'Changed path to ImageMagick executable',
 entry_plugin_disable: 'Disabled plugin: %plugin%',
 entry_plugin_enable: 'Enabled plugin: %plugin%',
+ entry_plugin_install: 'Installed plugin: %plugin%',
+ entry_plugin_uninstall: 'Uninstalled plugin: %plugin%',
+ entry_plugin_upgrade: 'Upgraded plugin: %plugin%',
 entry_seclog_unauth: 'Unauthorized attempt to call security log fetcher',
 entry_u_from_admin: 'User %username% demoted from Administrators group',
 entry_u_from_mod: 'User %username% demoted from Moderators group',
diff -r 43535769970b -r 7803c9db3506 plugins/admin/PluginManager.php
--- a/plugins/admin/PluginManager.php Wed Apr 09 22:45:51 2008 -0400
+++ b/plugins/admin/PluginManager.php Thu Apr 10 07:58:56 2008 -0400
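Review bot: The 'plugin_upgrade' entry records only the filename in page_text, although the version being installed, `$dataset['version']`, is already available and is escaped two lines later for the UPDATE; an upgrade record that omits the version is hard to correlate with a later incident involving a specific plugin release. If the SecurityLog display tolerates it, recording both in the one free-text column, e.g. `$file_db = $db->escape($filename . ' ' . $dataset['version']);`, makes the entry self-describing at no extra cost. The admin.json hunk is a string-table addition and needs nothing further.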
@@ -215,6 +215,18 @@
 );
 break;
 }
+
+ // log action
+ $time = time();
+ $ip_db = $db->escape($_SERVER['REMOTE_ADDR']);
+ $username_db = $db->escape($session->username);
+ $file_db = $db->escape($request['plugin']);
+ // request['mode'] is TRUSTED - the case statement will only process if it is one of {enable,disable}.
+ $q = $db->sql_query('INSERT INTO '.table_prefix."logs(log_type, action, time_id, edit_summary, author, page_text) VALUES\n"
+ . " ('security', 'plugin_{$request['mode']}', $time, '$ip_db', '$username_db', '$file_db');");
+ if ( !$q )
+ $db->_die();
+
 // perform update
 $q = $db->sql_query('UPDATE ' . table_prefix . "plugins SET plugin_flags = $flags_col WHERE plugin_id = {$dataset['plugin id']};");
 if ( !$q )
diff -r 43535769970b -r 7803c9db3506 plugins/admin/SecurityLog.php
--- a/plugins/admin/SecurityLog.php Wed Apr 09 22:45:51 2008 -0400
+++ b/plugins/admin/SecurityLog.php Thu Apr 10 07:58:56 2008 -0400
@@ -164,6 +164,9 @@
 case "magick_path" : $return .= $lang->get('acpsl_entry_magick_path') ; break;
 case "plugin_disable" : $return .= $lang->get('acpsl_entry_plugin_disable' , array('plugin' => $r['page_text'])); break;
 case "plugin_enable" : $return .= $lang->get('acpsl_entry_plugin_enable' , array('plugin' => $r['page_text'])); break;
+ case "plugin_install" : $return .= $lang->get('acpsl_entry_plugin_install' , array('plugin' => $r['page_text'])); break;
+ case "plugin_uninstall": $return .= $lang->get('acpsl_entry_plugin_uninstall' , array('plugin' => $r['page_text'])); break;
+ case "plugin_upgrade" : $return .= $lang->get('acpsl_entry_plugin_upgrade' , array('plugin' => $r['page_text'])); break;
 case "seclog_unauth" : $return .= $lang->get('acpsl_entry_seclog_unauth') ; break;
 case "u_from_admin" : $return .= $lang->get('acpsl_entry_u_from_admin' , array('username' => $r['page_text'])); break;
 case "u_from_mod" : $return .= $lang->get('acpsl_entry_u_from_mod' , array('username' => $r['page_text'])); break;
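Review bot: The new log INSERT interpolates `$request['mode']` unescaped into SQL (`'plugin_{$request['mode']}'`) on the strength of a comment that the preceding switch only admits enable/disable, but the switch and the enclosing function begin outside the hunk, so whether an unrecognised mode returns before reaching this point cannot be verified here, and a later edit to the switch's default branch would silently void the comment. Every other field in the same statement goes through `$db->escape()`, so the cheap, local hardening is to treat this one the same way: `$mode_db = $db->escape($request['mode']);` and `'plugin_$mode_db'` in the VALUES list, keeping the SQL independent of the trust assumption rather than documenting it. The entry is also written before the `// perform update` UPDATE that actually changes plugin_flags, so a failed UPDATE leaves a log line claiming the flag was toggled. The SecurityLog.php hunk mirrors the existing cases and needs nothing further.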