From af1143b9baf567c913ce2450abc3f77b22206589 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Thu, 9 Sep 2010 13:31:25 +0200 Subject: check data directory security FS#2020 This is a javascript based check, executed from the admin menu. If the data directory is readable, a warning is displayed. Doing this check in JavaScript makes sure we have a real client side test (opposed to the check executed from ?do=check) Question: should this be localized? --- lib/scripts/script.js | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'lib/scripts/script.js')
diff --git a/lib/scripts/script.js b/lib/scripts/script.js
index 57917aeb5..84114923f 100644
--- a/lib/scripts/script.js
+++ b/lib/scripts/script.js
@@ -537,3 +537,35 @@ addInitEvent(function(){
 });
 }
 });
+
+/**
+ * Check data directory security
+ *
+ * Tries to access data/_dummy from the client.
+ * In a proper setup this should fail, if it succeeds a warning is displayed.
+ * This is only done on the Admin screen
+ */
+addInitEvent(function(){
+ var isadmin = $('admin__version');
+ if(!isadmin) return;
+
+ var ajax = new sack(DOKU_BASE + 'data/_dummy');
+ ajax.AjaxFailedAlert = '';
+ ajax.encodeURIString = false;
+ if(ajax.failed) return true;
+ ajax.method = 'GET';
+
+ ajax.onCompletion = function(){
+ if(this.response && (this.response.substr(0,14) == 'data directory')){
+ var msg = document.createElement('div');
+ msg.className = 'error';
+ msg.innerHTML = 'Important: Your data directory is not properly '+
+ 'secured. This is a serious security problem and should be fixed '+
+ 'immeadiately.
You can find more info on our '+
+ 'security page.';
+ var container = $('admin__version').parentNode;
+ container.insertBefore(msg,container.childNodes[0]);
+ }
+ };
+ ajax.runAJAX();
+});
-- cgit v1.2.3
From c95a5b7dd09aa1bd32e773cc1d582de72fb3e54c Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Thu, 9 Sep 2010 15:58:33 +0200 Subject: use background image based data security check in admin --- lib/scripts/script.js | 31 ------------------------------- 1 file changed, 31 deletions(-) (limited to 'lib/scripts/script.js')
diff --git a/lib/scripts/script.js b/lib/scripts/script.js
index 84114923f..c79c9b683 100644
--- a/lib/scripts/script.js
+++ b/lib/scripts/script.js
@@ -538,34 +538,3 @@ addInitEvent(function(){
 }
 });
 
-/**
- * Check data directory security
- *
- * Tries to access data/_dummy from the client.
- * In a proper setup this should fail, if it succeeds a warning is displayed.
- * This is only done on the Admin screen
- */
-addInitEvent(function(){
- var isadmin = $('admin__version');
- if(!isadmin) return;
-
- var ajax = new sack(DOKU_BASE + 'data/_dummy');
- ajax.AjaxFailedAlert = '';
- ajax.encodeURIString = false;
- if(ajax.failed) return true;
- ajax.method = 'GET';
-
- ajax.onCompletion = function(){
- if(this.response && (this.response.substr(0,14) == 'data directory')){
- var msg = document.createElement('div');
- msg.className = 'error';
- msg.innerHTML = 'Important: Your data directory is not properly '+
- 'secured. This is a serious security problem and should be fixed '+
- 'immeadiately.
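Review bot: In the handler added by the first commit (`@@ -537,3 +537,35 @@`), the probe only requests `DOKU_BASE + 'data/_dummy'` and only warns when the body starts with `data directory`, so a missing warning is not evidence that the data directory is protected. An installation whose data directory sits under another web-reachable path (if the location is configurable, which the hunk does not show), or whose `_dummy` file is absent or altered, passes silently. The docblock should say so, e.g. `* No warning does not prove the directory is safe; only the default data/ location is probed.` The user-facing message also contains the typo `immeadiately`, which should read `immediately`.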
You can find more info on our '+
- 'security page.';
- var container = $('admin__version').parentNode;
- container.insertBefore(msg,container.childNodes[0]);
- }
- };
- ajax.runAJAX();
-});
-- cgit v1.2.3