[security] CLI check by $_SERVER[HTTP_HOST]

[fbest]

in website/trunk/api/lib/ transform.php and spider.php is isset($_SERVERHTTP_HOST?) used to determine if CLI is used... This can be tricket by sending an FOOBAR Request which will be interpreted as GET but HTTP_HOST is not set.

my attached patch will fix the problem.

i would also put an htaccess file into lib/ which restricts some using files which aren't public. http://dojotoolkit.org/api/lib/

[fbest]

patch

[fbest]

htaccess could look like this?! are other files as them needet by external access?

<Files ~ "(item|class-tree)\.php" >
        order allow,deny
        allow from all
</Files>
order deny,allow
deny from all
allow from 127.0.0.1

[bill]

I'm not sure if this ticket is about the doc viewer (for ttrenka) or a general website issue for iTorrey.

[Tom Trenka]

Its the doc viewer. I'll take a look.

[bill]

I removed transform.php completely for 1.8 but spider.php is still there.

[bill]

OK, I checked in your fix for spider.php.

[fbest]

same in ./generate.php:17:if (isset($_SERVERHTTP_HOST?)) {

(i cant reopen)

[bill]

@fbest: ​line 17 of lib/generate.php is:

case 'node':

and ​lib.old/generate.php is:

case 'DOMNode':

I don't see any remaining lines using isset() and $_SERVER[HTTP_HOST].

I can add the .htaccess though.

[bill]

.htaccess files added in ​https://github.com/wkeese/api-viewer/commit/1855aa3532214208429a5f934e17afaf054ec323