/[smecontribs]/rpms/smeserver-mod_dav/contribs10/smeserver-mod_dav-1.1-bz10347-bz4564-bz5337.patch

Annotation of /rpms/smeserver-mod_dav/contribs10/smeserver-mod_dav-1.1-bz10347-bz4564-bz5337.patch



Revision 1.2 - (hide annotations) (download)
Tue Mar 2 17:13:16 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-mod_dav-1_1-5_el7_sme
Changes since 1.1: +0 -12 lines
* Mon Mar 01 2021 Jean-Philipe Pialasse <tests@pialasse.com> 1.1-5.sme
- fix security issues [SME: 11077]
  where user could access ibay he was not member of group
- improve ibay dav template  [SME 4564]
  force ssl, secure php file, disable cgi and php
  when DAV enabled on ibay, and respect remote access settings
- descriptive login box [SME: 5337]

* Sun Feb 28 2021 Jean-Philipe Pialasse <tests@pialasse.com> 1.1-4.sme
- add createlinks and add -update event [SME: 11070]

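--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays
@@ -1,71 +1,92 @@
 {
 use esmith::AccountsDB;
+ use esmith::DAV;
 my $adb = esmith::AccountsDB->open_ro();
 $OUT = "";
 foreach my $ibay ($adb->ibays)
 {
 my %properties = $ibay->props;
 my $key = $ibay->key;
+ my $dynamicContent = $properties{'CgiBin'} || "disabled";
+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+ my $access = $properties{'PublicAccess'} || 'none';
+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+ next if $access eq 'none';
+ # true if have to be password accessible from somewhere.
+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
 if ($properties{'ModDav'})
 {
 if ($properties{'ModDav'} eq 'enabled')
 {
+ my $ReadRequire = esmith::DAV::getRequireUser("read", $key );
+ my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
+ my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess );
+ my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess );
+
 $OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
 $OUT .= " # Enable DAV access for this directory tree\n";
 $OUT .= " DAV On\n\n";
+ #we will not seriously let you type your password over the network without encryption
+ $OUT .= " SSLRequireSSL\n\n";
+
+ if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
+ {
+ # we do not want PHP or CGI to be runt there for security reason
+ $OUT .= " <FilesMatch \\.php\$>\n";
+ $OUT .= " #disabling php\n";
+ $OUT .= " SetHandler !\n"; # could use also SetHandler none
+ $OUT .= " deny from all\n" if ( $properties{'ModDAVhidephp'} || 'enabled' ) eq 'enabled';
+ $OUT .= " </FilesMatch>\n";
+ $OUT .= " Options -ExecCGI\n";
+ $OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";
+ $OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use
+ }
+
+ $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});
 
- if ($properties{'ModDav-FileETag'})
- {
- $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n";
- }
 $OUT .= " AllowOverride None\n";
 $OUT .= " Options +Indexes \n\n";
 $OUT .= " # Allow fancy indexing by columns and download by clicking icon\n";
 $OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n";
- if ($properties{'Group'})
- {
- $OUT .= " AuthName \"$key\"\n";
- $OUT .= " AuthBasicProvider external\n";
- $OUT .= " AuthType Basic\n";
- $OUT .= " AuthExternal pwauth\n\n";
- # Save groupname and find it in the group list
- $iBayGroup = $properties{'Group'};
- foreach my $group ($adb->groups)
- {
- my %groupprops = $group->props;
- my $grpkey = $group->key;
- if ($grpkey eq $iBayGroup)
- {
- # we have the group that owns the DAV iBay
- # If there are members of the group validate on them,
- # otherwise on the ibayname
- if ($groupprops{'Members'})
- {
- # need to break user list on commas then output each one...
- my @values = split(',',$groupprops{'Members'});
- $OUT .= " # Replace ibay name with any valid group member to validate\n";
- $OUT .= " Require user ";
- foreach my $val (@values) {
- $OUT .= $val . " ";
- }
- $OUT .= "\n\n";
- }
- else
- {
- # No group members so use ibay name for validation
- $OUT .= " # use ibay name to validate\n";
- $OUT .= " Require user " . $key . "\n\n";
- }
- }
- }
- }
- # Ensure only valid users get to do stuff...
- $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
- $OUT .= " Allow from all\n";
- $OUT .= " Require valid-user\n\n";
- $OUT .= " </Limit>\n\n";
+
+ # bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail
+ $OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
+ $OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+ $OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+
+ $OUT .= " order deny,allow\n";
+ $OUT .= " deny from all\n";
+ $OUT .= " " . $ReadAllow . "\n";
+ $OUT .= " AuthName \"$properties{'Name'}\"\n";
+ $OUT .= " AuthBasicProvider external\n";
+ $OUT .= " AuthType Basic\n";
+ $OUT .= " AuthExternal pwauth\n";
+ $OUT .= " " . $ReadRequire . "\n";
+ $OUT .= " Satisfy $satisfy\n\n";
+
+ # Ensure only valid users get to do stuff... update 2021/02:
+ # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+ # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE
+ # TRACE is not supposed to be limited by this directive, should use TraceEnable
+ # LimitExcept is suggested over Limit in order to catch all non standard methods
+ # however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless
+ # unless we reduce it to one user, or are fool to enlarge to Require valid-user
+# $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
+# $OUT .= " Allow from all\n";
+# $OUT .= " Require user $userlist\n\n";
+# $OUT .= " </Limit>\n\n";
+
+ $OUT .= " <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
+ $OUT .= " " . $WriteRequire . "\n";
+ $OUT .= " Satisfy All\n";
+ $OUT .= " ". $WriteAllow ."\n";
+ $OUT .= " </LimitExcept>\n\n";
 $OUT .= "</Directory>\n";
 }
 }
+ else
+ {
+ $OUT .= "\n # DAV disabled for ibay $key\n";
+ }
 }
 }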
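Review bot: The realm on the line `$OUT .= " AuthName \"$properties{'Name'}\"\n";` interpolates the ibay's free-text Name property straight into a double-quoted httpd directive, so a `"` or `\` in that description produces an invalid httpd.conf and an empty Name yields `AuthName ""`. Escaping first, `(my $realm = $properties{'Name'} // $key) =~ s/(["\\])/\\$1/g;` followed by `$OUT .= " AuthName \"$realm\"\n";`, keeps the descriptive login box from bz 5337 while falling back to the old `$key` realm. Separately, `$localAccess` on the two `getAllow` lines and `%php`/`$phpModule` on the `php_flag engine off` line are not declared anywhere in this fragment; presumably earlier fragments of the same httpd.conf template provide them, and a one-line comment such as `# $localAccess, %php and $phpModule are set by earlier httpd.conf fragments` would make that dependency explicit to the next maintainer.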
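--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav
@@ -0,0 +1,34 @@
+{
+# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled
+# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV
+ use esmith::AccountsDB;
+ my $adb = esmith::AccountsDB->open_ro();
+ $OUT = "";
+ foreach my $ibay ($adb->ibays)
+ {
+ my %properties = $ibay->props;
+ my $key = $ibay->key;
+ my $dynamicContent = $properties{'CgiBin'} || "disabled";
+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+ my $access = $properties{'PublicAccess'} || 'none';
+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+ next if $access eq 'none';
+ # true if have to be password accessible from somewhere.
+ my $ispassibay = $access =~ /-pw/;
+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
+ if ($properties{'ModDav'})
+ {
+ if ($properties{'ModDav'} eq 'enabled')
+ {
+ # we force SSL redirection in case DAV is enabled
+ if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled'))
+ {
+ my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort";
+ $OUT .= " RewriteEngine on\n";
+ $OUT .= " RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n";
+ }
+ }
+ }
+ }
+}
+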
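Review bot: The redirect target on the `RewriteRule` line is built from `%{HTTP_HOST}`, i.e. whatever Host header the client sent, so the Location of the resulting redirect is client-controlled unless httpd canonicalises the host (`UseCanonicalName On` with a ServerName); the fragment's own comment says it mirrors what core fragment 20IbaysContent should do, so matching that fragment's choice is defensible, but if the host is not canonicalised there either, `%{SERVER_NAME}` is the safer target. `$port` and `$httpsPort` are read on the `if (( $port ne $httpsPort )` line but declared nowhere in this fragment; presumably the enclosing VirtualHosts template provides them, and a comment saying so would help. `$dynamicContent`, `$secureEXEC`, `$ispassibay` and `$satisfy` are computed and never used in this fragment and can be dropped, and `$httpsPort eq 443` compares a port number as a string where `== 443` states the intent.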
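--- a/root/usr/share/perl5/vendor_perl/esmith/DAV.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/DAV.pm
@@ -0,0 +1,118 @@
+
+package esmith::DAV;
+
+use strict;
+use warnings;
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+
+use vars qw( $AUTOLOAD @ISA );
+
+ sub getRequireUser {
+ my ($mode, $key) = @_;
+ my $ibay = $adb->get($key) or return "Require user admin";
+ my %properties = $ibay->props or return "Require user admin";
+ my $iBayGroup = $properties{'Group'} || 'admin';
+ my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group';
+ my $access = $properties{'PublicAccess'} || 'none';
+ my $ispassibay = $access =~ /-pw/;
+ my $Anonymous = $properties{'ModDavAnonymousRead'} || "enabled";
+ my $MEMBERS = getMembers( $key, $iBayGroup);
+ my $REQUIRE = "";
+ if ($mode eq "read")
+ {
+ if ($accessMode eq "wr-group-rd-everyone")
+ {
+ if ( $Anonymous eq "enabled" )
+ {
+ $REQUIRE = "# Allowing unauthenticated read access";
+ }
+ else
+ {
+ my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members
+ #$REQUIRE = "#wr-group-rd-everyone : members of shared\n";
+ $REQUIRE .= "Require user " . $EVERYONE;
+ }
+ }
+ else
+ {
+ $REQUIRE = "Require user " . $MEMBERS;
+ if ($accessMode eq "wr-admin-rd-group")
+ {
+ # add "admin" to the read group to avoid read/write auth conflicts
+ $REQUIRE .= " admin";
+ }
+ }
+ if ($ispassibay)
+ {
+ #we have local-pw or global-pw or global-pw-remote
+ $REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key";
+ $REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ );
+ }
+ }
+ else
+ {
+ if ($accessMode eq "wr-admin-rd-group")
+ {
+ $REQUIRE = "Require user admin";
+ }
+ else
+ {
+ $REQUIRE = "Require user " . $MEMBERS;
+ }
+ }
+ return $REQUIRE;
+ }
+
+ sub getAllow {
+ my ($mode, $key, $localAccess ) = @_;
+ $localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1";
+ my $ibay = $adb->get($key) or return "allow from 127.0.0.1";
+ my %properties = $ibay->props or return "allow from 127.0.0.1";
+ my $Public = $properties{'PublicAccess'} || 'none';
+
+ my $allow = "allow from 127.0.0.1";
+ if ($Public eq 'none')
+ {
+ $allow = "# allow from set to NONE";
+ }
+ elsif ($Public =~ /(local|remote)/ )
+ {
+ $allow = "allow from " . $localAccess;
+ }
+ elsif ($Public =~ /global/)
+ {
+ $allow = "allow from all";
+ }
+ return $allow;
+ }
+
+ sub getMembers {
+ my ($key, $iBayGroup) = @_;
+ my $MEMBERS = $key;
+ foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) )
+ {
+ my %groupprops = $group->props;
+ my $grpkey = $group->key;
+ if ($grpkey eq $iBayGroup)
+ {
+ # we have the group that owns the DAV iBay
+ # If there are members of the group validate on them,
+ # otherwise on the ibayname
+ my $GroupMembers = $groupprops{'Members'} || undef;
+ $GroupMembers = "admin" if ( $grpkey eq "admin" );
+ $GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ;
+
+ if ($GroupMembers)
+ {
+ # need to break user list on commas then output each one...
+ my @values = split(',',$GroupMembers);
+ $MEMBERS = "" unless (!@values) ;
+ foreach my $val (@values) {
+ $MEMBERS .= $val . " ";
+ }
+ }
+ }
+ }
+ return $MEMBERS;
+ }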
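Review bot: DAV.pm does not end with `1;` — the hunk's last line is the closing brace of getMembers — so whether `use esmith::DAV` succeeds depends on the value of the last runtime statement, the `my $adb = esmith::AccountsDB->open_ro();` assignment near the top; add `1;` after getMembers, and the `use vars qw( $AUTOLOAD @ISA );` line declares globals nothing in the file uses. In getAllow the `elsif ($Public =~ /(local|remote)/ )` branch is tested before `/global/`, so `global-pw-remote` yields `allow from $localAccess` for write as well as read; together with the `Satisfy All` the template places in its LimitExcept block this means a password-authenticated user outside the local network can read but not write, and if that is the intended policy a comment on that branch would spare the next reader tracing the regex order. In getMembers, `$adb->get('admin')` and `$adb->get('shared')` are iterated without a definedness check, so a missing record would make `$group->props` die during template expansion; `grep { defined } ( $adb->groups, $adb->get('admin'), $adb->get('shared') )` turns that into an empty iteration instead. `$MEMBERS = "" unless (!@values) ;` reads more plainly as `$MEMBERS = "" if @values;`.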
