
Revision 1884

Added by Dietmar over 11 years ago

! For security reasons the new installation now writes its settings to setup.ini.php instead of the old config.php, and no longer exposes critical values such as the database username and password as global constants.


save.php
1 1
<?php
2 2
/**
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 4
 *
4
 * @category        backend
5
 * @package         install
6
 * @author          Ryan Djurovich, WebsiteBaker Project
7
 * @copyright       2009-2012, WebsiteBaker Org. e.V.
8
 * @link			http://www.websitebaker2.org/
9
 * @license         http://www.gnu.org/licenses/gpl.html
10
 * @platform        WebsiteBaker 2.8.x
11
 * @requirements    PHP 5.2.2 and higher
12
 * @version      	$Id$
13
 * @filesource		$HeadURL:  $
14
 * @lastmodified    $Date: $
5
 * This program is free software: you can redistribute it and/or modify
6
 * it under the terms of the GNU General Public License as published by
7
 * the Free Software Foundation, either version 3 of the License, or
8
 * (at your option) any later version.
15 9
 *
10
 * This program is distributed in the hope that it will be useful,
11
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13
 * GNU General Public License for more details.
14
 *
15
 * You should have received a copy of the GNU General Public License
16
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
16 17
 */
17 18

  
19
/**
20
 * save.php
21
 * 
22
 * @category     Core
23
 * @package      Core_Environment
24
 * @subpackage   Installer
25
 * @author       Dietmar Wöllbrink <dietmar.woellbrink@websitebaker.org>
26
 * @copyright    Werner v.d.Decken <wkl@isteam.de>
27
 * @license      http://www.gnu.org/licenses/gpl.html   GPL License
28
 * @version      0.0.2
29
 * @revision     $Revision$
30
 * @link         $HeadURL$
31
 * @lastmodified $Date$
32
 * @since        File available since 2012-04-01
33
 * @description  xyz
34
 */
35

  
18 36
$debug = true;
19 37

  
20 38
include(dirname(dirname(__FILE__)).'/framework/globalExceptionHandler.php'); 
21 39
include(dirname(dirname(__FILE__)).'/framework/WbAutoloader.php');
22 40
WbAutoloader::doRegister(array('admin'=>'a', 'modules'=>'m'));
23 41

  
42
/**
43
 * Set constants for system/install values
44
 * @throws RuntimeException
45
 */
46
	function _SetInstallPathConstants() {
47
		if(!defined('DEBUG')){ define('DEBUG', false); } // normaly set in config file
48
		if(!defined('ADMIN_DIRECTORY')){ define('ADMIN_DIRECTORY', 'admin'); }
49
		if(!preg_match('/xx[a-z0-9_][a-z0-9_\-\.]+/i', 'xx'.ADMIN_DIRECTORY)) {
50
			throw new RuntimeException('Invalid admin-directory: ' . ADMIN_DIRECTORY);
51
		}
52
		if(!defined('WB_PATH')){ define('WB_PATH', dirname(dirname(__FILE__))); }
53
		if(!defined('ADMIN_URL')){ define('ADMIN_URL', WB_URL.'/'.ADMIN_DIRECTORY); }
54
		if(!defined('ADMIN_PATH')){ define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY); }
55
		if(!defined('WB_REL')){
56
			$x1 = parse_url(WB_URL);
57
			define('WB_REL', (isset($x1['path']) ? $x1['path'] : ''));
58
		}
59
		define('ADMIN_REL', WB_REL.'/'.ADMIN_DIRECTORY);
60
		if(!defined('DOCUMENT_ROOT')) {
61
			
62
			define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(WB_REL, '/').'$/', '', WB_PATH));
63
		}
64
		define('TMP_PATH', WB_PATH.'/temp');
65
	}
66

  
67
/**
68
 * Read DB settings from configuration file
69
 * @return string
70
 * @throws RuntimeException
71
 * 
72
 */
73
	function _readConfiguration($sRetvalType = 'url') {
74
		// check for valid file request. Becomes more stronger in next version
75
		$x = debug_backtrace();
76
		$bValidRequest = false;
77
		if(sizeof($x) != 0) {
78
			foreach($x as $aStep) {
79
				// define the scripts which can read the configuration
80
				if(preg_match('/(save.php|index.php|config.php|upgrade-script.php)$/si', $aStep['file'])) {
81
					$bValidRequest = true;
82
					break;
83
				}
84
			}
85
		}else {
86
			$bValidRequest = true;
87
		}
88
		if(!$bValidRequest) {
89
			throw new RuntimeException('illegal function request!'); 
90
		}
91
		$aRetval = array();
92
		$sSetupFile = dirname(dirname(__FILE__)).'/setup.ini.php';
93
		if(is_readable($sSetupFile)) {
94
			$aCfg = parse_ini_file($sSetupFile, true);
95
			foreach($aCfg['Constants'] as $key=>$value) {
96
				if($key == 'debug') { $value = filter_var($value, FILTER_VALIDATE_BOOLEAN); }
97
				if(!defined(strtoupper($key))) { define(strtoupper($key), $value); }
98
			}
99
			$db = $aCfg['DataBase'];
100
			$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
101
			$db['user'] = isset($db['user']) ? $db['user'] : 'foo';
102
			$db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
103
			$db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
104
			$db['port'] = isset($db['port']) ? $db['port'] : '3306';
105
			$db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
106
			$db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
107
			$db['charset'] = isset($db['charset']) ? $db['charset'] : 'utf8';
108
			$db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
109
			define('TABLE_PREFIX', $db['table_prefix']);
110
			if($sRetvalType == 'dsn') {
111
				$aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
112
				            . ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
113
				$aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
114
				$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
115
			}else { // $sRetvalType == 'url'
116
				$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
117
				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name'];
118
			}
119
			unset($db, $aCfg);
120
			return $aRetval;
121
		}
122
		throw new RuntimeException('unable to read setup.ini.php');
123
	}
124

  
24 125
if (true === $debug) {
25 126
	ini_set('display_errors', 1);
26 127
	error_reporting(E_ALL);
......
142 243
	$wb_url = $_POST['wb_url'];
143 244
}
144 245
// Remove any slashes at the end of the URL
145
if(substr($wb_url, strlen($wb_url)-1, 1) == "/") {
146
	$wb_url = substr($wb_url, 0, strlen($wb_url)-1);
147
}
148
if(substr($wb_url, strlen($wb_url)-1, 1) == "\\") {
149
	$wb_url = substr($wb_url, 0, strlen($wb_url)-1);
150
}
151
if(substr($wb_url, strlen($wb_url)-1, 1) == "/") {
152
	$wb_url = substr($wb_url, 0, strlen($wb_url)-1);
153
}
154
if(substr($wb_url, strlen($wb_url)-1, 1) == "\\") {
155
	$wb_url = substr($wb_url, 0, strlen($wb_url)-1);
156
}
246
$wb_url = rtrim($wb_url,'/\\');
157 247
// Get the default time zone
158 248
if(!isset($_POST['default_timezone']) OR !is_numeric($_POST['default_timezone'])) {
159 249
	set_error('Please select a valid default timezone', 'default_timezone');
......
228 318
	$database_username = $_POST['database_username'];
229 319
}
230 320
// Check if user has entered a database password
231
if(!isset($_POST['database_password'])) {
321
if(!isset($_POST['database_password'])&& ($_POST['database_password']==='') ) {
232 322
	set_error('Please enter a database password', 'database_password');
233 323
} else {
234 324
	$database_password = $_POST['database_password'];
......
281 371
// End admin user details code
282 372

  
283 373
// Try and write settings to config file
284
$config_content = "" .
285
"<?php\n".
286
"\n".
287
"define('DEBUG', false);\n".
288
"define('DB_TYPE', 'mysql');\n".
289
"define('DB_HOST', '$database_host');\n".
290
"define('DB_NAME', '$database_name');\n".
291
"define('DB_USERNAME', '$database_username');\n".
292
"define('DB_PASSWORD', '$database_password');\n".
293
"define('TABLE_PREFIX', '$table_prefix');\n".
294
"\n".
295
"define('WB_URL', '$wb_url');\n".
296
"define('ADMIN_DIRECTORY', 'admin'); // no leading/trailing slash or backslash!! A simple directory only!!\n".
297
"\n".
298
"require_once(dirname(__FILE__).'/framework/initialize.php');\n";
299

  
300
$config_filename = '../config.php';
374
$sConfigContent = 
375
 ";<?php die('sorry, illegal file access'); ?>#####\n"
376
.";################################################\n"
377
."; WebsiteBaker configuration file\n"
378
."; auto generated ".date('Y-m-d h:i:s A e ')."\n"
379
.";################################################\n"
380
."[Constants]\n"
381
."debug     = false\n"
382
."wb_url    = ".$wb_url."\n"
383
."admin_directory = admin\n"
384
.";##########\n"
385
."[DataBase]\n"
386
."type    = \"mysql\"\n"
387
."user    = \"".$database_username."\"\n"
388
."pass    = \"".$database_password."\"\n"
389
."host    = \"".$database_host."\"\n"
390
."port    = \"3306\"\n"
391
."name    = \"".$database_name."\"\n"
392
."charset = \"utf8\"\n"
393
."table_prefix = \"".$table_prefix."\"\n"
394
.";\n"
395
.";################################################\n";
396
$sConfigFile = realpath('../setup.ini.php');
397
$sConfigName = basename($sConfigFile);
301 398
// Check if the file exists and is writable first.
302
if(file_exists($config_filename) AND is_writable($config_filename)) {
303
	if(!$handle = fopen($config_filename, 'w')) {
304
		set_error("Cannot open the configuration file ($config_filename)");
399
if(file_exists($sConfigFile) && is_writable($sConfigFile)) {
400
	if(!$handle = fopen($sConfigFile, 'w')) {
401
		set_error("Cannot open the configuration file ($sConfigName)");
305 402
	} else {
306
		if (fwrite($handle, $config_content) === FALSE) {
307
			set_error("Cannot write to the configuration file ($config_filename)");
403
		if (fwrite($handle, $sConfigContent) === FALSE) {
404
			set_error("Cannot write to the configuration file ($sConfigName)");
308 405
		}
309 406
		// Close file
310 407
		fclose($handle);
311 408
	}
312 409
} else {
313
	set_error("The configuration file $config_filename is not writable. Change its permissions so it is, then re-run step 4.");
410
	set_error("The configuration file $sConfigName is not writable. Change its permissions so it is, then re-run step 4.");
314 411
}
315 412

  
316
// Define configuration vars
317
define('DEBUG', false);
318
define('DB_TYPE', 'mysql');
319
define('DB_HOST', $database_host);
320
define('DB_NAME', $database_name);
321
define('DB_USERNAME', $database_username);
322
define('DB_PASSWORD', $database_password);
323
define('TABLE_PREFIX', $table_prefix);
324
define('WB_PATH', dirname(dirname(__FILE__)));
325
define('WB_URL', $wb_url);
326
define('ADMIN_DIRECTORY', 'admin');
327
define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY);
328
define('ADMIN_URL', $wb_url.'/'.ADMIN_DIRECTORY);
413
// load db configuration ---
414
$sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
415
$aSqlData = _readConfiguration($sDbConnectType);
329 416

  
330
// Check if the user has entered a correct path
331
	if(!file_exists(WB_PATH.'/framework/class.admin.php')) {
332
		set_error('It appears the Absolute path that you entered is incorrect');
417
_SetInstallPathConstants();
418

  
419
if(!file_exists(WB_PATH.'/framework/class.admin.php')) {
420
	set_error('It appears the Absolute path that you entered is incorrect');
421
}
422

  
423
$database = WbDatabase::getInstance();
424
try{
425
	if($sDbConnectType == 'dsn') {
426
		$bTmp = @$database->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
427
	}else {
428
		$bTmp = @$database->doConnect($aSqlData[0], TABLE_PREFIX);
333 429
	}
334
	$sSqlUrl = DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.'/'.DB_NAME;
335
	$database = WbDatabase::getInstance();
336
	$database->doConnect($sSqlUrl);
430
} catch (RuntimeException $e) {
431
	if(!file_put_contents($sConfigFile,"<?php\n")) {
432
		set_error("Cannot write to the configuration file ($sSetupFile)");
433
	}
434
	set_error($e->getMessage()); 
435
}
337 436

  
338
	$sSecMod = (defined('SECURE_FORM_MODULE') && SECURE_FORM_MODULE != '') ? '.'.SECURE_FORM_MODULE : '';
339
	$sSecMod = WB_PATH.'/framework/SecureForm'.$sSecMod.'.php';
340
	require_once($sSecMod);
341
	require_once(WB_PATH.'/framework/class.admin.php');
437
unset($aSqlData);
438
// write the config.php
439
$sConfigContent = "<?php\n"
440
    ."/* this file is for backward compatibility only */\n"
441
    ."include_once(dirname(__FILE__).'/framework/initialize.php');\n";
442
$sSetupFile = WB_PATH.'/config.php';
443
if(!file_put_contents($sSetupFile,$sConfigContent)) {
444
	set_error("Cannot write to the configuration file ($sSetupFile)");
445
}
446
$sSecMod = (defined('SECURE_FORM_MODULE') && SECURE_FORM_MODULE != '') ? '.'.SECURE_FORM_MODULE : '';
447
$sSecMod = WB_PATH.'/framework/SecureForm'.$sSecMod.'.php';
448
require_once($sSecMod);
449
require_once(WB_PATH.'/framework/class.admin.php');
342 450

  
343 451
// Dummy class to allow modules' install scripts to call $admin->print_error
344 452
	class admin_dummy extends admin
345 453

  
