# HG changeset patch
# User Dan
# Date 1182441616 14400
# Node ID ccad6026a16871e62ddcfe6d4fe9e523e671f361
# Parent 2f530ad04f1b8af90e41788257878503d35f364b
Finalized permissions on files and directories; adding PHP shutoff button (actual shutoff not implemented)
diff -r 2f530ad04f1b -r ccad6026a168 cache/.htaccess
diff -r 2f530ad04f1b -r ccad6026a168 cache/index.php
diff -r 2f530ad04f1b -r ccad6026a168 files/.htaccess
diff -r 2f530ad04f1b -r ccad6026a168 files/index.php
diff -r 2f530ad04f1b -r ccad6026a168 images/bad.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/delete.png
diff -r 2f530ad04f1b -r ccad6026a168 images/disenable.png
diff -r 2f530ad04f1b -r ccad6026a168 images/edit.png
diff -r 2f530ad04f1b -r ccad6026a168 images/error.png
diff -r 2f530ad04f1b -r ccad6026a168 images/good.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/grippy.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/empty.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/join.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/joinbottom.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/line.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/page.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/info.png
diff -r 2f530ad04f1b -r ccad6026a168 images/lock16.png
diff -r 2f530ad04f1b -r ccad6026a168 images/minus.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/move.png
diff -r 2f530ad04f1b -r ccad6026a168 images/php-shutoff.png
Binary file images/php-shutoff.png has changed
diff -r 2f530ad04f1b -r ccad6026a168 images/plus.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/question.png
diff -r 2f530ad04f1b -r ccad6026a168 images/redirector.png
diff -r 2f530ad04f1b -r ccad6026a168 images/unknown.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/wait.png
diff -r 2f530ad04f1b -r ccad6026a168 images/warning.png
diff -r 2f530ad04f1b -r ccad6026a168 includes/clientside/static/ajax.js
--- a/includes/clientside/static/ajax.js Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/clientside/static/ajax.js Thu Jun 21 12:00:16 2007 -0400
@@ -569,3 +569,39 @@
 window.location = loc;
 }
+function ajaxDisableEmbeddedPHP()
+{
+ if ( !confirm('Are you really sure you want to do this? Some pages might not function if this emergency-only feature is activated.') )
+ return false;
+ var $killdiv = $dynano('php_killer');
+ if ( !$killdiv.object )
+ {
+ alert('Can\'t get kill div object');
+ return false;
+ }
+ $killdiv.object.innerHTML = 'Loading...
Making request...';
+ var url = makeUrlNS('Admin', 'Home', 'src=ajax');
+ ajaxPost(url, 'act=kill_php', function() {
+ if ( ajax.readyState == 4 )
+ {
+ if ( ajax.responseText == '1' )
+ {
+ var $killdiv = $dynano('php_killer');
+ //$killdiv.object.innerHTML = 'Success
Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ var newdiv = document.createElement('div');
+ // newdiv.style = $killdiv.object.style;
+ newdiv.className = $killdiv.object.className;
+ newdiv.innerHTML = 'Success
Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.appendChild(newdiv);
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ }
+ else
+ {
+ var $killdiv = $dynano('php_killer');
+ $killdiv.object.innerHTML = ajax.responseText;
+ }
+ }
+ });
+}
+
diff -r 2f530ad04f1b -r ccad6026a168 includes/paths.php
--- a/includes/paths.php Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/paths.php Thu Jun 21 12:00:16 2007 -0400
@@ -44,7 +44,6 @@
 );
 // ACL types
- // Note: you can set any of these to AUTH_DENY to universally and unconditionally deny access to the selected action.
 // These can also be added from within plugins
 $session->register_acl_type('read', AUTH_ALLOW, 'Read page(s)');
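Review bot: In the success branch the element is detached with `$killdiv.object.parentNode.removeChild($killdiv.object)` before `newdiv` is built, so when `$killdiv.object.parentNode.appendChild(newdiv)` runs the node's `parentNode` is already null and the call throws, leaving the user with no confirmation even though the server reported success. Capture the parent once and do the swap in order: `var parent = $killdiv.object.parentNode; parent.appendChild(newdiv); parent.removeChild($killdiv.object);`, dropping the earlier removeChild. The else branch assigns `ajax.responseText` straight into `innerHTML`; since that is a server response rendered as markup, prefer a text-node insertion unless the endpoint is known to return only trusted HTML. The three separate `var $killdiv` declarations in one function are also worth collapsing into the single outer one.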
@@ -71,7 +70,7 @@
 $session->register_acl_type('upload_files', AUTH_DISALLOW, 'Upload files', Array('create_page'), 'Article|User|Project|Template|File|Help|System|Category|Special');
 $session->register_acl_type('upload_new_version', AUTH_WIKIMODE, 'Upload new versions of files', Array('upload_files'), 'Article|User|Project|Template|File|Help|System|Category|Special');
 $session->register_acl_type('create_page', AUTH_WIKIMODE, 'Create pages', Array(), 'Article|User|Project|Template|File|Help|System|Category|Special');
- $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category');
+ $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category|Admin');
 $session->register_acl_type('edit_acl', AUTH_DISALLOW, 'Edit access control lists', Array('read', 'post_comments', 'edit_comments', 'edit_page', 'view_source', 'mod_comments', 'history_view', 'history_rollback', 'history_rollback_extra', 'protect', 'rename', 'clear_logs', 'vote_delete', 'vote_reset', 'delete_page', 'set_wiki_mode', 'password_set', 'password_reset', 'mod_misc', 'edit_cat', 'even_when_protected', 'upload_files', 'upload_new_version', 'create_page', 'php_in_pages'));
 // DO NOT add new admin pages here! Use a plugin to call $paths->addAdminNode();
diff -r 2f530ad04f1b -r ccad6026a168 install.php
--- a/install.php Tue Jun 19 18:41:10 2007 -0400
+++ b/install.php Thu Jun 21 12:00:16 2007 -0400
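Review bot: The `php_in_pages` registration is now the only ACL type in this hunk whose namespace list includes `Admin`; the three calls above it stop at `Special`, and nothing on the line says why the Admin namespace needs a permission whose own label is "Embed PHP code in pages", so a later reader is likely to take the extra entry for a typo. A one-line comment on the changed line, e.g. `// Admin namespace included so the embedded-PHP kill switch in the admin panel can be controlled through this ACL`, would settle it — assuming that is the reason, since the commit message only says the button was added. Widening the scope of this permission deserves that justification even though its default stays AUTH_DISALLOW. The repeated namespace string is also a candidate for a single local variable so future additions reach every call consistently.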
@@ -12,7 +12,7 @@ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. */ -//@include('config.php'); +@include('config.php'); if( ( defined('ENANO_INSTALLED') || defined('MIDGET_INSTALLED') ) && ((isset($_GET['mode']) && ($_GET['mode']!='finish' && $_GET['mode']!='css')) || !isset($_GET['mode']))) { $_GET['title'] = 'Enano:WhoCaresWhatThisIs'; require('includes/common.php'); @@ -168,6 +168,61 @@ mysql_close($conn); die('good'); break; + case 'pophelp': + $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid'; + switch($topic) + { + case 'admin_embed_php': + $title = 'Allow administrators to embed PHP'; + $content = '
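Review bot: Re-enabling `@include('config.php');` keeps the `@` suppression, so a config.php that exists but fails to parse or cannot be read (for instance after the permission changes this commit finalizes) is silently skipped, `ENANO_INSTALLED` stays undefined, and the installer proceeds as though the site had never been installed. An explicit check, `if ( file_exists('config.php') ) include('config.php');`, lets a genuinely broken config surface as an error instead of a fresh install prompt. Since the installer now loads the live configuration, the `mode=finish` and `mode=css` exceptions in the guard on the following line are what keep an installed site from re-entering install steps; worth confirming those two branches never make use of the loaded settings.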

This option allows you to control whether anything between the standard <?php and ?> tags will be treated as + PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will + execute that code when the page is loaded. There are obvious potential security implications here, which should + be carefully considered before enabling this option.

+

If you are the only administrator of this site, or if you have a high level of trust for those will be administering + the site with you, you should enable this to allow extreme customization of pages.

+

Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding + is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to + embed Javascript and arbitrary HTML and CSS.

+

If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time + using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection, or by + using the "embedded PHP kill switch" in the administration panel.

'; + break; + default: + $title = 'Invalid topic'; + $content = 'Invalid help topic.'; + break; + } + echo << + + + Enano installation quick help • {$title} + + + + +
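Review bot: The `admin_embed_php` help text tells the user they can turn embedding off at any time with the "embedded PHP kill switch" in the administration panel, but the commit message states the actual shutoff is not implemented, so the installer is documenting a safeguard that does not yet work; either drop that clause until the switch functions or soften it to `Once available, the "embedded PHP kill switch" in the administration panel can also be used.`. The `break;` after `exit;` at the end of the `pophelp` case is unreachable and can go. Resolving `$_GET['topic']` through a fixed `switch` with a constant default, without ever echoing the raw value, is the right shape for this handler.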

{$title}

+ {$content} +

+ Close window +

+ + +EOF; + exit; + break; default: break; } @@ -717,6 +772,21 @@ Administration password:Good/bad icon Enter it again to confirm: Your e-mail address:Good/bad icon + + + Allow administrative embedding of PHP:
+ Do not under any circumstances enable this option without reading these + important security implications. + + + +    + + + + If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.