FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

security check for install.php seems to have no effect [message #158820] Tue, 31 March 2009 10:58
JanRei
Messages: 361
Registered: October 2005
Location: Germany
Karma: 0
Senior Member
Contributing Core Developer
Translator
I noticed that index.php, pdf.php and rdf.php have a security check for install.php:

<?php
// Abort with an error if install.php is still in the web root and no forum title is set
if (!$FORUM_TITLE && @file_exists($WWW_ROOT_DISK.'install.php')) {
    fud_use('errmsg.inc');
    exit(__fud_e_install_script_present_error);
}
?>

However, since the last version of FUDforum there is a default forum title so that the check doesn't seem to have an effect.
Re: security check for install.php seems to have no effect [message #158821 is a reply to message #158820] Tue, 31 March 2009 14:17
naudefj
Location: South Africa
Messages: 3624
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
Good catch! Now, how do we fix it? Do we even need to? How about us removing them altogether (saving a couple of CPU cycles in the critical path) and then add a check to the first page of the Admin Control Panel?

Best regards.

Frank
Re: security check for install.php seems to have no effect [message #158835 is a reply to message #158820] Thu, 02 April 2009 16:18
JanRei
I don't know exactly. The easiest fix would probably be to simply remove the !$FORUM_TITLE from the condition. Advantage of this approach is that the warning is quite intrusive so you can be pretty sure that it is noticed.

On the other hand, users who install FUDforum will have to go to the Admin Control Panel at some point. Thus a warning there should be sufficient actually provided it is clear enough.
Re: security check for install.php seems to have no effect [message #158838 is a reply to message #158835] Fri, 03 April 2009 02:02
naudefj
If there is no objection I would like to move the check to the Admin Control Panel (ACP). Doing a file check every time someone visits a site is expensive and a waste of resources. On entering the ACP one should get an intro/status overview page where we can show a warning and other handy overview info.
Re: security check for install.php seems to have no effect [message #158839 is a reply to message #158820] Fri, 03 April 2009 05:52
JanRei
Well, I have no objections.
Re: security check for install.php seems to have no effect [message #158841 is a reply to message #158839] Fri, 03 April 2009 10:58
naudefj
Done. See "Introduce Forum Dashboard and move install.php checks from mainstream code" at http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=11907

Re: security check for install.php seems to have no effect [message #158845 is a reply to message #158820] Fri, 03 April 2009 17:13
JanRei
I would like to suggest some changes and have made corresponding patches (see attached archive):
- redirect user to Dashboard after install
- remove the notice "You will not be able to login until you do." from install script as it is obsolete now

While I was at it I also made the following changes:
- fix validation issues on the Dashboard and the Plugin Manager
- fix typos on the System Info page
- change logic of the checks for install.php and upgrade.php
- fix possible PHP notice "Undefined index: sql" in SQL Manager

[Updated on: Fri, 03 April 2009 17:36]

Re: security check for install.php seems to have no effect [message #158847 is a reply to message #158845] Sat, 04 April 2009 04:24
naudefj
Your patches were committed. For details, see http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=11908

Thank you very much - keep them coming!

Best regards.

Frank
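
The dead condition from the first post next to a check that does not depend on any other setting, as an added example that is not part of the thread or of FUDforum's code. The function names legacy_check and leftover_setup_scripts are hypothetical, the forum title value is constructed, and the web root is a temporary directory created for the demonstration.

```php
<?php
// Added example; function names are hypothetical, not FUDforum's API.

// The condition from the first post: it can only fire while no title is set.
function legacy_check(string $forumTitle, string $wwwRoot): bool
{
    return !$forumTitle && file_exists($wwwRoot . 'install.php');
}

// Dashboard-style check: list every setup script still on disk,
// independent of the forum title or any other configuration value.
function leftover_setup_scripts(string $wwwRoot): array
{
    $found = [];
    foreach (['install.php', 'upgrade.php'] as $script) {
        if (is_file($wwwRoot . $script)) {
            $found[] = $script;
        }
    }
    return $found;
}

// Constructed fixture: a temporary web root that still contains install.php.
$root = sys_get_temp_dir() . '/fud_demo_' . uniqid() . '/';
mkdir($root);
touch($root . 'install.php');

// Case 1: title unset, as on installs that had no default title.
var_dump(legacy_check('', $root));

// Case 2: a default title is configured (constructed value), the
// situation described in the first post.
var_dump(legacy_check('Example Forum', $root));

// The title-independent check, run against the same web root.
print_r(leftover_setup_scripts($root));

// Clean up the fixture.
unlink($root . 'install.php');
rmdir($root);
```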