add checks to prevent external binds from being created or updated if curl is missing, add check to setup page

Rob Ostensen 2012-01-05 21:24:02 -06:00 committed by Andrew McMillan
parent 067cbdc841
commit ebfeeb220e
3 changed files with 27 additions and 3 deletions


@ -107,6 +107,13 @@ function check_magic_quotes_runtime() {
return new CheckResult( (get_magic_quotes_runtime() == 0) );
}
function check_curl() {
global $phpinfo, $loaded_extensions;
if (!function_exists('curl_init')) return new CheckResult(false);
return new CheckResult(isset($loaded_extensions['curl']));
}
$loaded_extensions = array_flip(get_loaded_extensions());
@ -255,7 +262,8 @@ function build_dependencies_table( ) {
translate('Suhosin "server.strip" disabled') => 'check_suhosin_server_strip',
translate('PHP Magic Quotes GPC off') => 'check_magic_quotes_gpc',
translate('PHP Magic Quotes runtime off') => 'check_magic_quotes_runtime',
translate('PHP calendar extension available') => 'check_calendar'
translate('PHP calendar extension available') => 'check_calendar',
translate('PHP curl support') => 'check_curl'
);
if ( isset($c->authenticate_hook) && isset($c->authenticate_hook['call']) && $c->authenticate_hook['call'] == 'LDAP_check') {
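Review bot: `check_curl()` declares `global $phpinfo, $loaded_extensions;` but never reads `$phpinfo`, so the declaration can be reduced to `global $loaded_extensions;`. The function also has no comment; a one-line note such as `// curl is only needed for external binds` would tell whoever reads the setup page why the check exists. build_dependencies_table() starts and ends outside the hunk.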


@ -47,8 +47,10 @@ if ( $destination->Exists() ) {
$request->PreconditionFailed(403,'DAV::can-overwrite',translate('A resource already exists at the destination.'));
}
if ( preg_match ( '{^https?://[A-Za-z][^/]*/.+$}', $href ) && ! stripos( $href, 'localhost' ) < 9
&& ! stripos( $href, '127.0.0.1' ) < 9 && ! stripos( $href, $_SERVER['SERVER_NAME'] ) < 9 && ! stripos( $href, $_SERVER['SERVER_ADDR'] ) < 9 ) {
// external binds shouldn't ever point back to ourselves but they should be a valid http[s] url
if ( preg_match ( '{^https?://([^/]+)(:[0-9]\+)?/.+$}', $href, $matches ) &&
strcasecmp( $matches[0], 'localhost' ) !== 0 && strcasecmp( $matches[0], '127.0.0.1' ) !== 0
&& strcasecmp( $matches[0], $_SERVER['SERVER_NAME'] ) !== 0 && strcasecmp( $matches[0], $_SERVER['SERVER_ADDR'] ) !== 0 ) {
require_once('external-fetch.php');
$qry = new AwlQuery( );
$qry->QDo('SELECT collection_id FROM collection WHERE dav_name = :dav_name ', array( ':dav_name' => '/.external/'. md5($href) ));
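Review bot: The new self-reference guard compares `$matches[0]` with 'localhost', '127.0.0.1', SERVER_NAME and SERVER_ADDR, but index 0 of a preg_match result is the whole matched URL, so none of the four `strcasecmp()` calls can return 0 and the guard rejects nothing. The host is in `$matches[1]`, and even there `[^/]+` also swallows any `:port`, while `\+` inside the pattern is a literal plus sign rather than a quantifier; a pattern such as `'{^https?://([^/:]+)(:[0-9]+)?/.+$}'` with the comparisons made against `$matches[1]` would do what the comment describes. Because the server later fetches this URL itself, a name comparison still misses other loopback or internal addresses and hosts that resolve to them (inferred, the fetch code is not in this hunk), so checking the resolved address in external-fetch.php would be the more robust place. The `if` body continues past the end of the hunk.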


@ -13,6 +13,11 @@
function create_external ( $path,$is_calendar,$is_addressbook )
{
global $request;
if ( ! function_exists ( "curl_init" ) ) {
dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
$request->DoResponse( 503, translate('PHP5 curl support is required for external binds') );
return ;
}
$resourcetypes = '<DAV::collection/>';
if ($is_calendar) $resourcetypes .= '<urn:ietf:params:xml:ns:caldav:calendar/>';
$qry = new AwlQuery();
@ -36,6 +41,11 @@ function create_external ( $path,$is_calendar,$is_addressbook )
function fetch_external ( $bind_id, $min_age )
{
if ( ! function_exists ( "curl_init" ) ) {
dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
$request->DoResponse( 503, translate('PHP5 curl support is required for external binds') );
return ;
}
$sql = 'SELECT collection.*, collection.dav_name AS path, dav_binding.external_url AS external_url FROM dav_binding LEFT JOIN collection ON (collection.collection_id=bound_source_id) WHERE bind_id = :bind_id';
$params = array( ':bind_id' => $bind_id );
if ( strlen ( $min_age ) > 2 ) {
@ -83,6 +93,10 @@ function update_external ( $request )
global $c;
if ( $c->external_refresh < 1 )
return ;
if ( ! function_exists ( "curl_init" ) ) {
dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
return ;
}
$sql = 'SELECT bind_id from dav_binding LEFT JOIN collection ON (collection.collection_id=bound_source_id) WHERE dav_binding.dav_name = :dav_name AND collection.modified + interval :interval < NOW()';
$qry = new AwlQuery( $sql, array ( ':dav_name' => $request->dav_name(), ':interval' => $c->external_refresh . ' minutes' ) );
dbg_error_log("external", "checking if external resource needs update");
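Review bot: In `fetch_external` the added curl check calls `$request->DoResponse(...)`, but unlike `create_external` the function has no `global $request;` before it in the visible lines, so `$request` is undefined there and the missing-curl path would end in a fatal error instead of the 503. Adding `global $request;` as the first statement of `fetch_external` fixes it, or the function could just log and return as `update_external` does. The same check now appears in all three functions; a small helper would keep the message and behaviour in one place. The bodies of all three functions continue outside their hunks.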