#14739 closed defect (fixed)
[security] CLI check by $_SERVER[HTTP_HOST]
Reported by: | fbest | Owned by: | bill |
---|---|---|---|
Priority: | undecided | Milestone: | 1.8.1 |
Component: | Doc parser | Version: | 1.7.1 |
Keywords: | | Cc: | |
Blocked By: | | Blocking: | |
Description
In website/trunk/api/lib/transform.php and spider.php, isset($_SERVER['HTTP_HOST']) is used to determine if CLI is used... This can be tricked by sending a FOOBAR request, which will be interpreted as GET, but HTTP_HOST is not set.
My attached patch will fix the problem.
I would also put an .htaccess file into lib/ which restricts access to some files which aren't public. http://dojotoolkit.org/api/lib/
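The check the report describes, side by side with a SAPI-based one, as an added example: this is not code from the dojo api-viewer or from the reporter's patch. The two $_SERVER snapshots are constructed, and the curl invocation in the comment is an assumption about how one would send a request without a Host header.

```php
<?php
// Added example, not code from the dojo api-viewer. Contrasts the check
// described in the ticket with one that asks the engine which SAPI it is
// running under. Both $_SERVER snapshots below are constructed.

// Vulnerable pattern: "no Host header" is taken to mean "command line".
function isCliByHostHeader(array $server): bool
{
    return !isset($server['HTTP_HOST']);
}

// Hardened: PHP_SAPI is set by the engine from the SAPI module in use
// ('cli', 'apache2handler', 'fpm-fcgi', ...), never from anything the client sends.
function isCliBySapi(): bool
{
    return PHP_SAPI === 'cli';
}

// Constructed snapshot of $_SERVER for an ordinary browser request.
$normalRequest = [
    'REQUEST_METHOD' => 'GET',
    'HTTP_HOST'      => 'dojotoolkit.org',
    'REQUEST_URI'    => '/api/lib/spider.php',
];

// Constructed snapshot for a request that carries no Host header, e.g.
// (assumed invocation) curl -H 'Host:' http://dojotoolkit.org/api/lib/spider.php
// The web server still runs the script; only HTTP_HOST is missing.
$hostlessRequest = [
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI'    => '/api/lib/spider.php',
];

var_dump(isCliByHostHeader($normalRequest));   // bool(false): correct
var_dump(isCliByHostHeader($hostlessRequest)); // bool(true): a web request passes as CLI

// Under the cli SAPI (php example.php) this is true; under apache2handler or
// php-fpm it is false for both requests above, because headers play no part.
var_dump(isCliBySapi());

// For a script that is meant to be command-line only, refuse to run at all
// under a web SAPI instead of trying to classify the request.
if (!isCliBySapi()) {
    http_response_code(403);
    exit("This script is command-line only.\n");
}
```

The point of the second function is that the decision is made from the engine's own knowledge of how it was started, so there is no request shape a client can craft to flip it; the .htaccess the reporter proposes is a second, independent layer that keeps the scripts from being reachable over HTTP in the first place.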
Attachments (1)
Change History (10)
comment:1 Changed 9 years ago by
The .htaccess could look like this?! Are other files besides them needed by external access?

    <Files ~ "(item|class-tree)\.php">
        order allow,deny
        allow from all
    </Files>
    order deny,allow
    deny from all
    allow from 127.0.0.1
comment:2 Changed 9 years ago by
Owner: | changed from Neil Roberts to Tom Trenka |
---|---|
Status: | new → assigned |
I'm not sure if this ticket is about the doc viewer (for ttrenka) or a general website issue for iTorrey.
comment:4 Changed 9 years ago by
Milestone: | tbd → 1.8.1 |
---|---|
Owner: | changed from Tom Trenka to bill |
I removed transform.php completely for 1.8 but spider.php is still there.
comment:5 Changed 9 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
OK, I checked in your fix for spider.php.
comment:6 Changed 9 years ago by
Same in ./generate.php:17: if (isset($_SERVER['HTTP_HOST'])) {
(I can't reopen)
comment:7 Changed 9 years ago by
Milestone: | 1.8.1 → 1.8.2 |
---|---|
Resolution: | fixed |
Status: | closed → reopened |
comment:8 Changed 9 years ago by
Milestone: | 1.8.2 → 1.8.1 |
---|---|
Resolution: | → fixed |
Status: | reopened → closed |
@fbest: line 17 of lib/generate.php is:
case 'node':
and lib.old/generate.php is:
case 'DOMNode':
I don't see any remaining lines using isset() and $_SERVER[HTTP_HOST].
I can add the .htaccess though.
comment:9 Changed 9 years ago by
.htaccess files added in https://github.com/wkeese/api-viewer/commit/1855aa3532214208429a5f934e17afaf054ec323
patch