From f14fd23da5a69db1867e099bf321f614bd92cc9c Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Sat, 11 May 2019 22:52:55 +0100
Subject: [PATCH] Add force-redirect to firstrun action, and option to disable access check (NOT RECOMMENDED)
---
 module_index.json | 4 ++--
 modules/feature-firstrun.php | 35 ++++++++++++++++++++++++-----------
 peppermint.guiconfig.json | 1 +
 3 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/module_index.json b/module_index.json
index b90b600..f5c968b 100755
--- a/module_index.json
+++ b/module_index.json
@@ -75,7 +75,7 @@
 "version": "0.1",
 "author": "Starbeamrainbowlabs",
 "description": "Displays a special page to aid in setting up a new wiki for the first time.",
- "lastupdate": 1557582295,
+ "lastupdate": 1557611407,
 "optional": false,
 "extra_data": []
 },
@@ -205,7 +205,7 @@
 "version": "0.10",
 "author": "Starbeamrainbowlabs",
 "description": "Adds an action to allow administrators to delete pages.",
- "lastupdate": 1501009581,
+ "lastupdate": 1557585339,
 "optional": false,
 "extra_data": []
 },
diff --git a/modules/feature-firstrun.php b/modules/feature-firstrun.php
index 72a075b..5a8f70a 100644
--- a/modules/feature-firstrun.php
+++ b/modules/feature-firstrun.php
@@ -7,8 +7,15 @@ register_module([
 "description" => "Displays a special page to aid in setting up a new wiki for the first time.",
 "id" => "feature-firstrun",
 "code" => function() {
+ global $settings, $env;
+ // NOTE: We auto-detect pre-existing wikis in 01-settings.fragment.php
+ if(!$settings->firstrun_complete && preg_match("/^firstrun/", $env->action) !== 1) {
+ http_response_code(307);
+ header("location: ?action=firstrun");
+ exit("Redirecting you to the first-run wizard....");
+ }
 /**
 * @api {get} ?action=firstrun Display the firstrun page
@@ -39,15 +46,21 @@ register_module([
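Review bot: The redirect added at the top of the `code` closure answers with 307, which tells the client to repeat the same method and body against `?action=firstrun`, so a POST sent to any other action while `firstrun_complete` is false reaches the wizard as a POST; unless the wizard is meant to accept that, `http_response_code(303);` is the conventional way to send the client there with a GET (the compromised-file redirect further down the file has the same shape). `preg_match("/^firstrun/", $env->action)` will also raise a deprecation on PHP 8.1+ if `$env->action` can be null at this point, which the hunk does not show; `(string)$env->action` or an `isset` check first would settle it. The `code` closure continues past the end of the hunk.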

You can still complete the setup manually, however! Once done, set firstrun_complete in peppermint.json to true.

")); } - $request_url = full_url(); - $request_url = preg_replace("/\/(index.php)?\?.*$/", "/peppermint.json"); - file_get_contents($request_url); - $response_code = intval(explode(" ", $http_response_header[0])[1]); - if($response_code >= 200 || $response_code < 300) { - file_put_contents("$settingsFilename.compromised", "compromised"); - http_response_code(307); - header("location: index.php"); - exit(); + if(!$settings->disable_peppermint_access_check && + php_sapi_name() !== "cli-server") { // The CLI server is single threaded, so it can't support loopback requests + $request_url = full_url(); + $request_url = preg_replace("/\/(index.php)?\?.*$/", "/peppermint.json", $request_url); + file_get_contents($request_url); + $response_code = intval(explode(" ", $http_response_header[0])[1]); + if($response_code >= 200 || $response_code < 300) { + file_put_contents("$settingsFilename.compromised", "compromised"); + http_response_code(307); + header("location: index.php"); + exit(); + } + } + else { + error_log("Warning: The public peppermint.json access check has been disabled (either manually or because you're using a local PHP development server with php -S ....). It's strongly recommended you ensure that access from outside is blocked to peppermint.json to avoid (many) security issues and other nastiness such as stealing of site secrets and password hashes."); } // TODO: Check the environment here first @@ -78,10 +91,10 @@ register_module([

Longer is better! Aim for at least 14 characters.

- +
- +
 Wiki Details
diff --git a/peppermint.guiconfig.json b/peppermint.guiconfig.json
index f557b23..73232c1 100644
--- a/peppermint.guiconfig.json
+++ b/peppermint.guiconfig.json
@@ -173,5 +173,6 @@
 "stats_update_processingtime": { "type": "number", "description": "The maximum number of milliseconds that should be spent at once calculating statistics. If some statistics couldn't fit within this limit, then they are scheduled and updated on the next page load. Note that this is a target only - if an individual statistic takes longer than this, then it won't be interrupted. Defaults to 100ms.", "default": 100},
 "sessionprefix": { "type": "text", "description": "You shouldn't need to change this. The prefix that should be used in the names of the session variables. Defaults to \"auto\", which automatically generates this field. See the readme for more information.", "default": "auto" },
 "sessionlifetime": { "type": "number", "description": "Again, you shouldn't need to change this under normal circumstances. This setting controls the lifetime of a login session. Defaults to 24 hours, but it may get cut off sooner depending on the underlying PHP session lifetime.", "default": 86400 },
+ "disable_peppermint_access_check": { "type": "checkbox", "description": "Disables the access check for peppermint.json on first-run. VERY DANGEROUS. Use only for development. Note that it's recommend to block access to peppermint.json for a reason - it contains your site secret and password hashes, so an attacker could do all sorts of nefarious things if it's left unblocked.", "default": false },
 "css": { "type": "textarea", "description": "A string of css to include. Will be included in the <head> of every page inside a <style> tag. This may also be an absolute url - urls will be referenced via a <link rel='stylesheet' /> tag.", "default": "auto" }
 }
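Review bot: The description string of the new `disable_peppermint_access_check` entry reads `it's recommend to block access`; it should be `it's recommended to block access`. It would also help operators to say in the same description that the check is skipped automatically under the built-in development server, since feature-firstrun.php treats `php -S` the same way as this flag and only logs a warning in either case. The `"default": false` keeps the check on unless someone opts out explicitly, which matches the guard in the PHP hunk.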