FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » security check for install.php seems to have no effect
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
security check for install.php seems to have no effect [message #158820] Tue, 31 March 2009 14:58 Go to next message
JanRei is currently offline  JanRei   
Messages: 361
Registered: October 2005
Location: Germany
Karma: 0
Senior Member
Contributing Core Developer
Translator
I noticed that index.php, pdf.php and rdf.php have a security check for install.php:

<?php
if (!$FORUM_TITLE && @file_exists($WWW_ROOT_DISK.'install.php')) {
    
fud_use('errmsg.inc');
        exit(
__fud_e_install_script_present_error);
}
?>


However, since the last version of FUDforum there is a default forum title so that the check doesn't seem to have an effect.
Re: security check for install.php seems to have no effect [message #158821 is a reply to message #158820] Tue, 31 March 2009 18:17 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Good catch! Now, how do we fix it? Do we even need to? How about us removing them altogether (saving a couple of CPU cycles in the critical path) and then add a check to the first page of the Admin Control Panel?

Best regards.

Frank
Re: security check for install.php seems to have no effect [message #158835 is a reply to message #158820] Thu, 02 April 2009 20:18 Go to previous messageGo to next message
JanRei is currently offline  JanRei   
Messages: 361
Registered: October 2005
Location: Germany
Karma: 0
Senior Member
Contributing Core Developer
Translator
I don't know exactly. The easiest fix would probably be to simply remove the !$FORUM_TITLE from the condition. Advantage of this approach is that the warning is quite intrusive so you can be pretty sure that it is noticed.

On the other hand, users who install FUDforum will have to go to the Admin Control Panel at some point. Thus a warning there should be sufficient actually provided it is clear enough.
Re: security check for install.php seems to have no effect [message #158838 is a reply to message #158835] Fri, 03 April 2009 06:02 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
If there is no objection I would like to move the check to the Admin Control Panel (ACP). Doing a file check every time someone visits a site is expensive and a waste of resources. On entering the ACP one should get a intro/status overview page where we can show a warning and other handy overview info.
Re: security check for install.php seems to have no effect [message #158839 is a reply to message #158820] Fri, 03 April 2009 09:52 Go to previous messageGo to next message
JanRei is currently offline  JanRei   
Messages: 361
Registered: October 2005
Location: Germany
Karma: 0
Senior Member
Contributing Core Developer
Translator
Well, I have no objections.
Re: security check for install.php seems to have no effect [message #158841 is a reply to message #158839] Fri, 03 April 2009 14:58 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Done. See "Introduce Forum Dashboard and move install.php checks from mainstream code" at http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=11907

Re: security check for install.php seems to have no effect [message #158845 is a reply to message #158820] Fri, 03 April 2009 21:13 Go to previous messageGo to next message
JanRei is currently offline  JanRei   
Messages: 361
Registered: October 2005
Location: Germany
Karma: 0
Senior Member
Contributing Core Developer
Translator
I would like to suggest some changes and have made correspondig patches (see attached archive):
- redirect user to Dashboard after install
- remove the notice "You will not be able to login until you do." from install script as it is obsolete now

While I was at it I also made the following changes:
- fix validation issues on the Dashboard and the Plugin Manager
- fix typos on the System Info page
- change logic of the checks for install.php and upgrade.php
- fix possible PHP notice "Undefined index: sql" in SQL Manager

[Updated on: Fri, 03 April 2009 21:36]

Report message to a moderator

Re: security check for install.php seems to have no effect [message #158847 is a reply to message #158845] Sat, 04 April 2009 08:24 Go to previous message
naudefj is currently offline  naudefj   South Africa
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Your patches were committed. For details, see http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=11908

Thank you very much - keep them coming!

Best regards.

Frank
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: german i18n - new user registration
Next Topic: PHP Notice on "Bookmarks" tab
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 06:37:36 GMT 2024

Total time taken to generate the page: 0.03344 seconds