Upgrade: Create index.html in all course directories to hinder listin…

…g in misconfigured servers Fixes GitHub issue #39 partially - thanks to @emaragkos for reporting the problem #39 --HG-- branch : 3.11
gunet · May 24, 2021 · fc96d52 · fc96d52
1 parent 3051ada
commit fc96d52
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 5 deletions.
diff --git a/lang/el/messages.inc.php b/lang/el/messages.inc.php
@@ -3817,6 +3817,7 @@
     χρησιμοποιεί η πλατφόρμα (είτε συμπτωματικά, είτε αν πρόκειται για υπάρχουσα
     εγκατάσταση του Open eClass). Πριν προχωρήσετε, επιβεβαιώστε ότι δεν υπάρχει
     πρόβλημα ή επιστρέψτε στο προηγούμενο βήμα και εισαγάγετε άλλο όνομα βάσης.';
+$langAddingDirectoryIndex = 'Προσθήκη αρχείων index.html στους υποκαταλόγους μαθημάτων';
 
 /* * *****************************************************************
  * course_tools.php

diff --git a/lang/en/messages.inc.php b/lang/en/messages.inc.php
@@ -5392,3 +5392,4 @@
 $langUsersOverMaximum = 'The final count (%d) exceeds the maximum number of group members (%d).';
 $langUsersAddedToGroup = 'The users were added to the group.';
 $langClear = 'Clear';
+$langAddingDirectoryIndex = 'Adding index files to course subdirectories';
diff --git a/modules/create_course/functions.php b/modules/create_course/functions.php
@@ -97,13 +97,17 @@ function create_course_dirs($code) {
 
     $base = "courses/$code";
     umask(0);
-    foreach (array($base, "$base/image", "$base/document", "$base/dropbox",
-                   "$base/page", "$base/work", "$base/group", "$base/temp",
-                   "$base/scormPackages", "video/$code") as $dir) {
-       if (!make_dir($dir)) {
+    $dirs = [$base, "$base/image", "$base/document", "$base/dropbox",
+        "$base/page", "$base/work", "$base/group", "$base/temp",
+        "$base/scormPackages", "video/$code"];
+    foreach ($dirs as $dir) {
+        if (!make_dir($dir)) {
             Session::Messages(sprintf($langDirectoryCreateError, $dir));
             return false;
-       }
+        }
+        if ($dir != $base) {
+            touch("$dir/index.html");
+        }
     }
     return true;
 }

diff --git a/upgrade/functions.php b/upgrade/functions.php
@@ -886,3 +886,35 @@ function refreshHierarchyProcedures() {
                                 END IF;
                             END");
 }
+
+
+/**
+ * @brief Create directory indexes to hinder directory traversal in misconfigured servers
+ */
+function addDirectoryIndexFiles() {
+    $dirs = ['courses/archive', 'courses/document', 'courses/garbage', 'courses/mathimg', 'courses/mydocs', 'courses/theme_data', 'courses/tmpUnzipping'];
+
+    foreach ($dirs as $dir) {
+        addDirectoryIndexFilesHelper($dir);
+    }
+    Database::get()->queryFunc('SELECT code FROM course ORDER BY id',
+        function ($course) {
+            $code = $course->code;
+            addDirectoryIndexFilesHelper("courses/$code/document");
+            addDirectoryIndexFilesHelper("courses/$code/dropbox");
+            addDirectoryIndexFilesHelper("courses/$code/group");
+            addDirectoryIndexFilesHelper("courses/$code/image");
+            addDirectoryIndexFilesHelper("courses/$code/page");
+            addDirectoryIndexFilesHelper("courses/$code/scormPackages");
+            addDirectoryIndexFilesHelper("courses/$code/temp");
+            addDirectoryIndexFilesHelper("courses/$code/work");
+            addDirectoryIndexFilesHelper("courses/$code/work/admin_files");
+            addDirectoryIndexFilesHelper("video/$code");
+        });
+}
+
+function addDirectoryIndexFilesHelper($dir) {
+    if (is_dir($dir) and !(file_exists("$dir/index.php") or file_exists("$dir/index.html"))) {
+        touch("$dir/index.html");
+    }
+}
diff --git a/upgrade/upgrade.php b/upgrade/upgrade.php
@@ -2050,6 +2050,10 @@ function ($item) use (&$unit_map, &$current_id) {
     // create appropriate indices
     create_indexes();
 
+    // create directory indexes to hinder directory traversal in misconfigured servers
+    updateInfo(-1, sprintf($langAddingDirectoryIndex, '3.11'));
+    addDirectoryIndexFiles();
+
     // Import new themes
     importThemes();
     if (!get_config('theme_options_id')) {