/[smecontribs]/rpms/smeserver-mod_dav/contribs10/smeserver-mod_dav-1.1-bz10347-bz4564-bz5337.patch

Contents of /rpms/smeserver-mod_dav/contribs10/smeserver-mod_dav-1.1-bz10347-bz4564-bz5337.patch



Revision 1.2 - (show annotations) (download)
Tue Mar 2 17:13:16 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-mod_dav-1_1-5_el7_sme
Changes since 1.1: +0 -12 lines
* Mon Mar 01 2021 Jean-Philipe Pialasse <tests@pialasse.com> 1.1-5.sme
- fix security issues [SME: 11077]
  where user could access ibay he was not member of group
- improve ibay dav template  [SME 4564]
  force ssl, secure php file, disable cgi and php
  when DAV is enabled on the ibay, and respect remote access settings
- descriptive login box [SME: 5337]

* Sun Feb 28 2021 Jean-Philipe Pialasse <tests@pialasse.com> 1.1-4.sme
- add createlinks and add -update event [SME: 11070]

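--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays	2021-02-28 22:41:40.846000000 -0500
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays	2021-03-02 11:57:52.069000000 -0500
@@ -1,71 +1,92 @@
 {
 use esmith::AccountsDB;
+use esmith::DAV;
 my $adb = esmith::AccountsDB->open_ro();
 $OUT = "";
 foreach my $ibay ($adb->ibays)
 {
 my %properties = $ibay->props;
 my $key = $ibay->key;
+my $dynamicContent = $properties{'CgiBin'} || "disabled";
+my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+my $access = $properties{'PublicAccess'} || 'none';
+$OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+next if $access eq 'none';
+# true if have to be password accessible from somewhere.
+my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
 if ($properties{'ModDav'})
 {
 if ($properties{'ModDav'} eq 'enabled')
 {
+my $ReadRequire = esmith::DAV::getRequireUser("read", $key );
+my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
+my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess );
+my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess );
+
 $OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
 $OUT .= " # Enable DAV access for this directory tree\n";
 $OUT .= " DAV On\n\n";
+#we will not seriously let you type your password over the network without encryption
+$OUT .= " SSLRequireSSL\n\n";
+
+if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
+{
+# we do not want PHP or CGI to be runt there for security reason
+$OUT .= " <FilesMatch \\.php\$>\n";
+$OUT .= " #disabling php\n";
+$OUT .= " SetHandler !\n"; # could use also SetHandler none
+$OUT .= " deny from all\n" if ( $properties{'ModDAVhidephp'} || 'enabled' ) eq 'enabled';
+$OUT .= " </FilesMatch>\n";
+$OUT .= " Options -ExecCGI\n";
+$OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";
+$OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use
+}
+
+$OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});
 
-if ($properties{'ModDav-FileETag'})
-{
-$OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n";
-}
 $OUT .= " AllowOverride None\n";
 $OUT .= " Options +Indexes \n\n";
 $OUT .= " # Allow fancy indexing by columns and download by clicking icon\n";
 $OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n";
-if ($properties{'Group'})
-{
-$OUT .= " AuthName \"$key\"\n";
-$OUT .= " AuthBasicProvider external\n";
-$OUT .= " AuthType Basic\n";
-$OUT .= " AuthExternal pwauth\n\n";
-# Save groupname and find it in the group list
-$iBayGroup = $properties{'Group'};
-foreach my $group ($adb->groups)
-{
-my %groupprops = $group->props;
-my $grpkey = $group->key;
-if ($grpkey eq $iBayGroup)
-{
-# we have the group that owns the DAV iBay
-# If there are members of the group validate on them,
-# otherwise on the ibayname
-if ($groupprops{'Members'})
-{
-# need to break user list on commas then output each one...
-my @values = split(',',$groupprops{'Members'});
-$OUT .= " # Replace ibay name with any valid group member to validate\n";
-$OUT .= " Require user ";
-foreach my $val (@values) {
-$OUT .= $val . " ";
-}
-$OUT .= "\n\n";
-}
-else
-{
-# No group members so use ibay name for validation
-$OUT .= " # use ibay name to validate\n";
-$OUT .= " Require user " . $key . "\n\n";
-}
-}
-}
-}
-# Ensure only valid users get to do stuff...
-$OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
-$OUT .= " Allow from all\n";
-$OUT .= " Require valid-user\n\n";
-$OUT .= " </Limit>\n\n";
+
+# bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail
+$OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
+$OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+$OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+
+$OUT .= " order deny,allow\n";
+$OUT .= " deny from all\n";
+$OUT .= " " . $ReadAllow . "\n";
+$OUT .= " AuthName \"$properties{'Name'}\"\n";
+$OUT .= " AuthBasicProvider external\n";
+$OUT .= " AuthType Basic\n";
+$OUT .= " AuthExternal pwauth\n";
+$OUT .= " " . $ReadRequire . "\n";
+$OUT .= " Satisfy $satisfy\n\n";
+
+# Ensure only valid users get to do stuff... update 2021/02:
+# GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+# some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE
+# TRACE is not supposed to be limited by this directive, should use TraceEnable
+# LimitExcept is suggested over Limit in order to catch all non standard methods
+# however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless
+# unless we reduce it to one user, or are fool to enlarge to Require valid-user
+# $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
+# $OUT .= " Allow from all\n";
+# $OUT .= " Require user $userlist\n\n";
+# $OUT .= " </Limit>\n\n";
+
+$OUT .= " <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
+$OUT .= " " . $WriteRequire . "\n";
+$OUT .= " Satisfy All\n";
+$OUT .= " ". $WriteAllow ."\n";
+$OUT .= " </LimitExcept>\n\n";
 $OUT .= "</Directory>\n";
 }
 }
+else
+{
+$OUT .= "\n # DAV disabled for ibay $key\n";
+}
 }
 }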
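Review bot: The new `AuthName \"$properties{'Name'}\"` line interpolates the ibay description unescaped into a quoted httpd directive, so an undefined `Name` yields `AuthName ""` and a description containing a double quote leaves httpd.conf unparsable for every vhost, whereas the removed code used the account-validated `$key`. Deriving the realm defensively avoids that: `(my $realm = $properties{'Name'} // $key) =~ tr/"//d;` followed by `$OUT .= " AuthName \"$realm\"\n";`. Separately, the hide-php section only matches `<FilesMatch \.php$>` while the `RemoveHandler` line also strips `.php3 .php4 .php5 .phtml`, so files with those extensions would be served as static content rather than denied; widening the pattern to `\.(php[345]?|phtml)$` keeps the two lists consistent. `$localAccess`, `%php` and `$phpModule` are not declared in this fragment and presumably come from earlier httpd.conf fragments, which deserves a one-line comment at the top of the block.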
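--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav	1969-12-31 19:00:00.000000000 -0500
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav	2021-03-02 11:57:55.866000000 -0500
@@ -0,0 +1,34 @@
+{
+# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled
+# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+$OUT = "";
+foreach my $ibay ($adb->ibays)
+{
+my %properties = $ibay->props;
+my $key = $ibay->key;
+my $dynamicContent = $properties{'CgiBin'} || "disabled";
+my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+my $access = $properties{'PublicAccess'} || 'none';
+$OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+next if $access eq 'none';
+# true if have to be password accessible from somewhere.
+my $ispassibay = $access =~ /-pw/;
+my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
+if ($properties{'ModDav'})
+{
+if ($properties{'ModDav'} eq 'enabled')
+{
+# we force SSL redirection in case DAV is enabled
+if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled'))
+{
+my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort";
+$OUT .= " RewriteEngine on\n";
+$OUT .= " RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n";
+}
+}
+}
+}
+}
+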
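Review bot: `$dynamicContent`, `$secureEXEC`, `$ispassibay` and `$satisfy` are declared but never read in this fragment (they appear to be carried over from 95Addmod_dav2ibays), and the comment `# true if have to be password accessible from somewhere.` now sits on an unused variable; removing those four declarations and the comment leaves only what the redirect needs. `$port` and `$httpsPort` are not declared here and presumably come from the enclosing VirtualHosts template, which is worth stating in the header comment since `$port ne $httpsPort` is the whole guard for emitting the rewrite. The header comment should also say that the redirect is emitted only when the ibay's own `SSL` property is not enabled, i.e. the enabled case is left to the core fragment.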
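--- smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm	1969-12-31 19:00:00.000000000 -0500
+++ smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm	2021-03-02 12:07:13.442000000 -0500
@@ -0,0 +1,118 @@
+
+package esmith::DAV;
+
+use strict;
+use warnings;
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+
+use vars qw( $AUTOLOAD @ISA );
+
+sub getRequireUser {
+my ($mode, $key) = @_;
+my $ibay = $adb->get($key) or return "Require user admin";
+my %properties = $ibay->props or return "Require user admin";
+my $iBayGroup = $properties{'Group'} || 'admin';
+my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group';
+my $access = $properties{'PublicAccess'} || 'none';
+my $ispassibay = $access =~ /-pw/;
+my $Anonymous = $properties{'ModDavAnonymousRead'} || "enabled";
+my $MEMBERS = getMembers( $key, $iBayGroup);
+my $REQUIRE = "";
+if ($mode eq "read")
+{
+if ($accessMode eq "wr-group-rd-everyone")
+{
+if ( $Anonymous eq "enabled" )
+{
+$REQUIRE = "# Allowing unauthenticated read access";
+}
+else
+{
+my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members
+#$REQUIRE = "#wr-group-rd-everyone : members of shared\n";
+$REQUIRE .= "Require user " . $EVERYONE;
+}
+}
+else
+{
+$REQUIRE = "Require user " . $MEMBERS;
+if ($accessMode eq "wr-admin-rd-group")
+{
+# add "admin" to the read group to avoid read/write auth conflicts
+$REQUIRE .= " admin";
+}
+}
+if ($ispassibay)
+{
+#we have local-pw or global-pw or global-pw-remote
+$REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key";
+$REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ );
+}
+}
+else
+{
+if ($accessMode eq "wr-admin-rd-group")
+{
+$REQUIRE = "Require user admin";
+}
+else
+{
+$REQUIRE = "Require user " . $MEMBERS;
+}
+}
+return $REQUIRE;
+}
+
+sub getAllow {
+my ($mode, $key, $localAccess ) = @_;
+$localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1";
+my $ibay = $adb->get($key) or return "allow from 127.0.0.1";
+my %properties = $ibay->props or return "allow from 127.0.0.1";
+my $Public = $properties{'PublicAccess'} || 'none';
+
+my $allow = "allow from 127.0.0.1";
+if ($Public eq 'none')
+{
+$allow = "# allow from set to NONE";
+}
+elsif ($Public =~ /(local|remote)/ )
+{
+$allow = "allow from " . $localAccess;
+}
+elsif ($Public =~ /global/)
+{
+$allow = "allow from all";
+}
+return $allow;
+}
+
+sub getMembers {
+my ($key, $iBayGroup) = @_;
+my $MEMBERS = $key;
+foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) )
+{
+my %groupprops = $group->props;
+my $grpkey = $group->key;
+if ($grpkey eq $iBayGroup)
+{
+# we have the group that owns the DAV iBay
+# If there are members of the group validate on them,
+# otherwise on the ibayname
+my $GroupMembers = $groupprops{'Members'} || undef;
+$GroupMembers = "admin" if ( $grpkey eq "admin" );
+$GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ;
+
+if ($GroupMembers)
+{
+# need to break user list on commas then output each one...
+my @values = split(',',$GroupMembers);
+$MEMBERS = "" unless (!@values) ;
+foreach my $val (@values) {
+$MEMBERS .= $val . " ";
+}
+}
+}
+}
+return $MEMBERS;
+}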
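Review bot: The module has no trailing `1;`, so `use esmith::DAV` only succeeds because `my $adb = esmith::AccountsDB->open_ro();` happens to be the last run-time statement and returns a true value; add `1;` after `getMembers`, and drop the unused `use vars qw( $AUTOLOAD @ISA );` while there. In `getMembers`, `$adb->get('admin')` and `$adb->get('shared')` are placed straight into the loop list, so if either record is absent from the accounts db the call returns undef and `$group->props` dies during template expansion, taking the whole httpd.conf with it; `foreach my $group ( grep { defined } ($adb->groups, $adb->get('admin'), $adb->get('shared')) )` keeps the fail-closed `Require user admin` default the callers already rely on. `getAllow` accepts `$mode` but never reads it, so the read and write `allow` lines are always identical; a short header comment per sub stating the mode, the key, the string returned and its fail-closed default would make that contract explicit for the template authors.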
