authorAndreas Gohr <andi@splitbrain.org>2010-09-09 13:31:25 +0200
committerAndreas Gohr <andi@splitbrain.org>2010-09-09 13:31:25 +0200
commitaf1143b9baf567c913ce2450abc3f77b22206589 (patch)
tree40e17f951525b4ad949e36719d174ef66f2ea91b /lib
parent9a2cec2e934b77a311cf21d5822dfd0146d5140b (diff)
check data directory security FS#2020
This is a JavaScript-based check, executed from the admin menu. If the data directory is readable, a warning is displayed. Doing this check in JavaScript makes sure we have a real client-side test (as opposed to the check executed from ?do=check). Question: should this be localized?
Diffstat (limited to 'lib')
-rw-r--r--lib/scripts/script.js32
1 files changed, 32 insertions, 0 deletions
diff --git a/lib/scripts/script.js b/lib/scripts/script.js
index 57917aeb5..84114923f 100644
--- a/lib/scripts/script.js
+++ b/lib/scripts/script.js
@@ -537,3 +537,35 @@ addInitEvent(function(){
});
}
});
+
+/**
+ * Check data directory security
+ *
+ * Tries to access data/_dummy from the client.
+ * In a proper setup this should fail, if it succeeds a warning is displayed.
+ * This is only done on the Admin screen
+ */
+addInitEvent(function(){
+ var isadmin = $('admin__version');
+ if(!isadmin) return;
+
+ var ajax = new sack(DOKU_BASE + 'data/_dummy');
+ ajax.AjaxFailedAlert = '';
+ ajax.encodeURIString = false;
+ if(ajax.failed) return true;
+ ajax.method = 'GET';
+
+ ajax.onCompletion = function(){
+ if(this.response && (this.response.substr(0,14) == 'data directory')){
+ var msg = document.createElement('div');
+ msg.className = 'error';
+ msg.innerHTML = '<b>Important:</b> Your <code>data</code> directory is not properly '+
+ 'secured. This is a serious security problem and should be fixed '+
+ 'immeadiately.<br /> You can find more info on our '+
+ '<a href="http://www.dokuwiki.org/security#web_access_security">security page</a>.';
+ var container = $('admin__version').parentNode;
+ container.insertBefore(msg,container.childNodes[0]);
+ }
+ };
+ ajax.runAJAX();
+});
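Review bot: The user-facing warning text built in the innerHTML assignment contains a typo, "immeadiately", which will be shown verbatim to every administrator whose setup fails the check; it should read `'immediately.<br /> You can find more info on our '+`. The comparison on the line `if(this.response && (this.response.substr(0,14) == 'data directory')){` uses loose equality where `===` is the safer form, since both sides are strings and nothing is gained by coercion. The early exit `if(ajax.failed) return true;` returns a value that addInitEvent callbacks otherwise do not, so a plain `return;` keeps the two exits of this function consistent. Note that the detection is only positive when the probe body starts with the literal `data directory`, so a misconfiguration that exposes the directory but serves `_dummy` with different content (or a wrapper page) would presumably go unflagged; a short comment stating that the check depends on the shipped `_dummy` file's first bytes would make that assumption visible to future maintainers. The three context lines at the top of the hunk close an earlier addInitEvent callback whose start is outside the hunk.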