From fc96d5284e5721ddf038a56340a852d7b9045d16 Mon Sep 17 00:00:00 2001
From: Alexandros Diamantidis
Date: Mon, 24 May 2021 17:32:34 +0300
Subject: [PATCH] Upgrade: Create index.html in all course directories to hinder listing in misconfigured servers
Fixes GitHub issue #39 partially - thanks to @emaragkos for reporting the problem https://github.com/gunet/openeclass/issues/39
--HG--
branch : 3.11
---
 lang/el/messages.inc.php | 1 +
 lang/en/messages.inc.php | 1 +
 modules/create_course/functions.php | 14 ++++++++-----
 upgrade/functions.php | 32 +++++++++++++++++++++++++++++
 upgrade/upgrade.php | 4 ++++
 5 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/lang/el/messages.inc.php b/lang/el/messages.inc.php
index a60e4dac25..179069ac12 100644
--- a/lang/el/messages.inc.php
+++ b/lang/el/messages.inc.php
@@ -3817,6 +3817,7 @@ χρησιμοποιεί η πλατφόρμα (είτε συμπτωματικά, είτε αν πρόκειται για υπάρχουσα εγκατάσταση του Open eClass). Πριν προχωρήσετε, επιβεβαιώστε ότι δεν υπάρχει πρόβλημα ή επιστρέψτε στο προηγούμενο βήμα και εισαγάγετε άλλο όνομα βάσης.';
+$langAddingDirectoryIndex = 'Προσθήκη αρχείων index.html στους υποκαταλόγους μαθημάτων';
 /*
 * *****************************************************************
 * course_tools.php
diff --git a/lang/en/messages.inc.php b/lang/en/messages.inc.php
index 74e109f168..cecff62f57 100644
--- a/lang/en/messages.inc.php
+++ b/lang/en/messages.inc.php
@@ -5392,3 +5392,4 @@
 $langUsersOverMaximum = 'The final count (%d) exceeds the maximum number of group members (%d).';
 $langUsersAddedToGroup = 'The users were added to the group.';
 $langClear = 'Clear';
+$langAddingDirectoryIndex = 'Adding index files to course subdirectories';
diff --git a/modules/create_course/functions.php b/modules/create_course/functions.php
index 7ae1b790ab..a01a5c8346 100644
--- a/modules/create_course/functions.php
+++ b/modules/create_course/functions.php
@@ -97,13 +97,17 @@ function create_course_dirs($code) {
 $base = "courses/$code";
 umask(0);
- foreach (array($base, "$base/image", "$base/document", "$base/dropbox",
- "$base/page", "$base/work", "$base/group", "$base/temp",
- "$base/scormPackages", "video/$code") as $dir) {
- if (!make_dir($dir)) {
+ $dirs = [$base, "$base/image", "$base/document", "$base/dropbox",
+ "$base/page", "$base/work", "$base/group", "$base/temp",
+ "$base/scormPackages", "video/$code"];
+ foreach ($dirs as $dir) {
+ if (!make_dir($dir)) {
 Session::Messages(sprintf($langDirectoryCreateError, $dir));
 return false;
- }
+ }
+ if ($dir != $base) {
+ touch("$dir/index.html");
+ }
 }
 return true;
 }
diff --git a/upgrade/functions.php b/upgrade/functions.php
index f972b44852..6eaeab34dd 100644
--- a/upgrade/functions.php
+++ b/upgrade/functions.php
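Review bot: The new `touch("$dir/index.html")` inside the loop ignores its return value, so a directory that was created but whose index file could not be written (permissions, full disk) is reported as success and remains listable on a server with autoindex enabled, while the make_dir failure on the line above is surfaced through Session::Messages. The index file deserves the same treatment, e.g. `if ($dir != $base && !touch("$dir/index.html")) { Session::Messages(sprintf($langDirectoryCreateError, "$dir/index.html")); return false; }`, or at minimum a log line; the same unchecked touch() is in addDirectoryIndexFilesHelper in the upgrade/functions.php hunk of this patch. The string comparison should be strict, `if ($dir !== $base) {`. The course root `$base` is deliberately skipped here, so it presumably gets its own index file elsewhere; that is not visible in this hunk and worth confirming, since an unprotected root still exposes the subdirectory names.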
@@ -886,3 +886,35 @@ function refreshHierarchyProcedures() {
 END IF;
 END");
 }
+
+ /**
+ * @brief Create directory indexes to hinder directory traversal in misconfigured servers
+ */
+function addDirectoryIndexFiles() {
+ $dirs = ['courses/archive', 'courses/document', 'courses/garbage', 'courses/mathimg', 'courses/mydocs', 'courses/theme_data', 'courses/tmpUnzipping'];
+
+ foreach ($dirs as $dir) {
+ addDirectoryIndexFilesHelper($dir);
+ }
+ Database::get()->queryFunc('SELECT code FROM course ORDER BY id',
+ function ($course) {
+ $code = $course->code;
+ addDirectoryIndexFilesHelper("courses/$code/document");
+ addDirectoryIndexFilesHelper("courses/$code/dropbox");
+ addDirectoryIndexFilesHelper("courses/$code/group");
+ addDirectoryIndexFilesHelper("courses/$code/image");
+ addDirectoryIndexFilesHelper("courses/$code/page");
+ addDirectoryIndexFilesHelper("courses/$code/scormPackages");
+ addDirectoryIndexFilesHelper("courses/$code/temp");
+ addDirectoryIndexFilesHelper("courses/$code/work");
+ addDirectoryIndexFilesHelper("courses/$code/work/admin_files");
+ addDirectoryIndexFilesHelper("video/$code");
+ });
+}
+
+function addDirectoryIndexFilesHelper($dir) {
+ if (is_dir($dir) and !(file_exists("$dir/index.php") or file_exists("$dir/index.html"))) {
+ touch("$dir/index.html");
+ }
+}
diff --git a/upgrade/upgrade.php b/upgrade/upgrade.php
index d8c548fa3a..d9cb4d91e2 100644
--- a/upgrade/upgrade.php
+++ b/upgrade/upgrade.php
@@ -2050,6 +2050,10 @@ function ($item) use (&$unit_map, &$current_id) {
 // create appropriate indices
 create_indexes();
+ // create directory indexes to hinder directory traversal in misconfigured servers
+ updateInfo(-1, sprintf($langAddingDirectoryIndex, '3.11'));
+ addDirectoryIndexFiles();
+
 // Import new themes
 importThemes();
 if (!get_config('theme_options_id')) {
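Review bot: The docblock on addDirectoryIndexFiles names the wrong threat: an empty index.html hinders directory *listing* (autoindex) on a misconfigured server, not directory *traversal*, and the same wording is repeated in the upgrade.php comment in this patch; suggest ` * @brief Create empty index.html files in the course subdirectories so that servers with directory listing enabled do not expose their contents`. The per-course subdirectory list here duplicates the one in create_course_dirs (modules/create_course/functions.php hunk) and already differs from it by `work/admin_files`, so the two will drift; hoisting the list into one shared definition would keep new and upgraded courses consistent. In addDirectoryIndexFilesHelper the keyword operators `and`/`or` only behave because the condition holds no assignment, and the conventional form is `if (is_dir($dir) && !(file_exists("$dir/index.php") || file_exists("$dir/index.html"))) {`; the helper also interpolates `course.code` from the database straight into a filesystem path, which is safe only as long as codes are validated when a course is created, which is not visible here. refreshHierarchyProcedures ends in the first three context lines of this hunk; its start is outside it.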
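Review bot: `sprintf($langAddingDirectoryIndex, '3.11')` passes a version argument that the message never consumes, since both the lang/en and lang/el strings added in this patch define `$langAddingDirectoryIndex` without a `%s` placeholder; either the strings should gain the placeholder or the call should become `updateInfo(-1, $langAddingDirectoryIndex);`. The new comment repeats the "directory traversal" wording although the files only prevent directory listing, so `// create empty index.html files to hinder directory listing in misconfigured servers` describes what is actually done. Because addDirectoryIndexFilesHelper skips directories that already hold index.php or index.html, re-running this step is harmless, which is worth stating in the comment since no version guard is visible around these lines. The enclosing scope of these lines is not visible in the hunk.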