From 25c4afb8d352fa02fddec2253b301c13d0cd3fb2 Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Sat, 16 Feb 2013 17:02:05 +0000
Subject: FS#2111, improve security check
---
 inc/html.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'inc')
diff --git a/inc/html.php b/inc/html.php
index ddaed2261..c2723bceb 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -1636,11 +1636,16 @@ function html_admin(){
 }
 // data security check
- // @todo: could be checked and only displayed if $conf['savedir'] is under the web root
- echo '
- Your data directory seems to be protected properly.';
+ // simple check if the 'savedir' is relative and accessible when appended to DOKU_URL
+ // it verifies either:
+ // 'savedir' has been moved elsewhere, or
+ // has protection to prevent the webserver serving files from it
+ if (substr($conf['savedir'],0,2) == './'){
+ echo '
+ Your data directory seems to be protected properly.';
+ }
 print p_locale_xhtml('admin');
-- cgit v1.2.3
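Review bot: The new guard `substr($conf['savedir'],0,2) == './'` skips the probe for every other form of `savedir`, so a relative path written without the `./` prefix, or an absolute path that still lies under the web root, is never checked. Because the `echo` sits inside the `if`, nothing is printed in those cases and the admin gets no signal either way. The added comment says the check "verifies" one of two safe conditions, which holds only for the `./` case; I would state the limit there, e.g. `// NOTE: only a './'-prefixed savedir is probed; any other path is not checked and may still be served by the webserver`. If the wider case matters, comparing the resolved data directory against the document root would cover what the removed @todo described. html_admin() starts and ends outside the hunk, and the markup inside the echo is not visible on this page.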