Add force-redirect to firstrun action, and option to disable access check (NOT RECOMMENDED)

Starbeamrainbowlabs 2019-05-11 22:52:55 +01:00
parent 8a67df8ec4
commit f14fd23da5
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
3 changed files with 27 additions and 13 deletions


@ -75,7 +75,7 @@
"version": "0.1",
"author": "Starbeamrainbowlabs",
"description": "Displays a special page to aid in setting up a new wiki for the first time.",
"lastupdate": 1557582295,
"lastupdate": 1557611407,
"optional": false,
"extra_data": []
},
@ -205,7 +205,7 @@
"version": "0.10",
"author": "Starbeamrainbowlabs",
"description": "Adds an action to allow administrators to delete pages.",
"lastupdate": 1501009581,
"lastupdate": 1557585339,
"optional": false,
"extra_data": []
},


@ -7,8 +7,15 @@ register_module([
"description" => "Displays a special page to aid in setting up a new wiki for the first time.",
"id" => "feature-firstrun",
"code" => function() {
global $settings, $env;
// NOTE: We auto-detect pre-existing wikis in 01-settings.fragment.php
if(!$settings->firstrun_complete && preg_match("/^firstrun/", $env->action) !== 1) {
http_response_code(307);
header("location: ?action=firstrun");
exit("Redirecting you to the first-run wizard....");
}
/**
* @api {get} ?action=firstrun Display the firstrun page
@ -39,15 +46,21 @@ register_module([
<p>You can still complete the setup manually, however! Once done, set <code>firstrun_complete</code> in peppermint.json to <code>true</code>.</p>"));
}
$request_url = full_url();
$request_url = preg_replace("/\/(index.php)?\?.*$/", "/peppermint.json");
file_get_contents($request_url);
$response_code = intval(explode(" ", $http_response_header[0])[1]);
if($response_code >= 200 || $response_code < 300) {
file_put_contents("$settingsFilename.compromised", "compromised");
http_response_code(307);
header("location: index.php");
exit();
if(!$settings->disable_peppermint_access_check &&
php_sapi_name() !== "cli-server") { // The CLI server is single threaded, so it can't support loopback requests
$request_url = full_url();
$request_url = preg_replace("/\/(index.php)?\?.*$/", "/peppermint.json", $request_url);
file_get_contents($request_url);
$response_code = intval(explode(" ", $http_response_header[0])[1]);
if($response_code >= 200 || $response_code < 300) {
file_put_contents("$settingsFilename.compromised", "compromised");
http_response_code(307);
header("location: index.php");
exit();
}
}
else {
error_log("Warning: The public peppermint.json access check has been disabled (either manually or because you're using a local PHP development server with php -S ....). It's strongly recommended you ensure that access from outside is blocked to peppermint.json to avoid (many) security issues and other nastiness such as stealing of site secrets and password hashes.");
}
// TODO: Check the environment here first
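Review bot: The response-code test carried over into the new block, `if($response_code >= 200 || $response_code < 300)`, is a tautology — every integer is either >= 200 or < 300 — so whenever the loopback check runs it always writes the `.compromised` marker and redirects, regardless of whether peppermint.json was actually reachable; the intended range test is `&&`. The preceding `file_get_contents($request_url)` also ignores its return value, and if the request fails outright `$http_response_header` may not hold a usable status line, so the `explode` on `$http_response_header[0]` would raise a warning and yield `0`; I would write `$response = file_get_contents($request_url);`, then `$response_code = ($response !== false && isset($http_response_header[0])) ? intval(explode(" ", $http_response_header[0])[1]) : 0;`, and `if($response_code >= 200 && $response_code < 300) {`. Note that since the pre-check only skips the loopback on `cli-server`, a fetch that fails for other reasons (for example `allow_url_fopen` disabled) would currently also be treated as "compromised" by the tautological condition. The enclosing `"code" => function()` begins and ends outside this hunk.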
@ -78,10 +91,10 @@ register_module([
<br />
<p><em>Longer is better! Aim for at least 14 characters.</em></p>
<label for='username'>Password:</label>
<input type='text' id='password' name='password' required />
<input type='password' id='password' name='password' required />
<br />
<label for='username'>Repeat Password:</label>
<input type='text' id='password-again' name='password-again' required />
<input type='password' id='password-again' name='password-again' required />
</fieldset>
<fieldset>
<legend>Wiki Details</legend>


@ -173,5 +173,6 @@
"stats_update_processingtime": { "type": "number", "description": "The maximum number of milliseconds that should be spent at once calculating statistics. If some statistics couldn't fit within this limit, then they are scheduled and updated on the next page load. Note that this is a target only - if an individual statistic takes longer than this, then it won't be interrupted. Defaults to 100ms.", "default": 100},
"sessionprefix": { "type": "text", "description": "You shouldn't need to change this. The prefix that should be used in the names of the session variables. Defaults to \"auto\", which automatically generates this field. See the readme for more information.", "default": "auto" },
"sessionlifetime": { "type": "number", "description": "Again, you shouldn't need to change this under normal circumstances. This setting controls the lifetime of a login session. Defaults to 24 hours, but it may get cut off sooner depending on the underlying PHP session lifetime.", "default": 86400 },
"disable_peppermint_access_check": { "type": "checkbox", "description": "Disables the access check for peppermint.json on first-run. VERY DANGEROUS. Use only for development. Note that it's recommend to block access to peppermint.json for a reason - it contains your site secret and password hashes, so an attacker could do all <em>sorts</em> of nefarious things if it's left unblocked.", "default": false },
"css": { "type": "textarea", "description": "A string of css to include. Will be included in the &lt;head&gt; of every page inside a &lt;style&gt; tag. This may also be an absolute url - urls will be referenced via a &lt;link rel='stylesheet' /&gt; tag.", "default": "auto" }
}