diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/filemanager/doc/INSTALL ./filemanager/doc/INSTALL --- ../orig/phpgroupware_0_9_16/filemanager/doc/INSTALL Thu Jul 3 16:42:45 2003 +++ ./filemanager/doc/INSTALL Thu Jan 1 00:00:00 1970 
@@ -1,45 +0,0 @@ -INSTALL -------- -Command examples are suggestions only. Use your head. - -COMMAND SUMMARY ---------------- -cp -a /some/path/to/phpgroupware/files /path/to/files -cd /path/to/files -chown -R nobody . --OR- -chmod -R 777 . - -http://yourhost.com/setup/ > Setup/Config > Edit Current Configuration -"Enter the full path for users and group files" => /path/to/files - -FULL EXPLANATION ----------------- -[REQUIRED] Copy phpgroupware/files to where you want to store the files. - THIS SHOULD BE SOMEWHERE NOT INSIDE THE WEBROOT AND NOT ACCESSIBLE TO THE WEB. - Having the files within the webroot is a huge security risk as well as a privacy concern. - The exception to this would be if you WANT the users' and groups' files to be accessible - from the web, such as when setting up public or semi-public web page/document hosting. In - this case, the files directory can be left where it is. - (Make sure you copy the directory, don't just make a new one. The necessary directories - are files/ and files/home/) -[REQUIRED] In http://yourhost.com/setup, login to Setup/Config, then Edit Current Configuration. Enter the FULL path for the files directory you created earlier in the second box from the top. -[REQUIRED] Change permissions for files directory and all it's subdirectories to be writable by Apache - This is the files directory you created earlier and specified in setup (Edit Current Configuration). Note that 'nobody' below could also be 'apache' on your system. Check the 'User' setting in your httpd.conf. - cd /path/to/files - chown -R nobody . - -OR- - chmod -R 777 . - -SECURITY CONCERNS ------------------ -There are many security concerns related with allowing users to store files on the server. The most common problem is that users can upload any type of file, including CGI and PHP scripts. This in effect grants them local access to the machine, and can be used to read database passwords and other sensitive files. 
The ability to upload files of any type is not forbidden by phpwebhosting because it is sometimes desired, and also the types of vulnerable files differ from server to server. To combat this, you can add a simple entry to Apache's httpd.conf to prevent certain types of files from being executed. Included below is an example that results in .cgi, .pl, .php, .php3, and .phps files being treated as normal text files. It also explicitly turns all Options off, which includes turning Indexes (listing of files) off. - - -Options None -AllowOverride None -DirectoryIndex index.html -RemoveHandler cgi-script .cgi .pl -RemoveType application/x-httpd-php .php .php3 -RemoveType application/x-httpd-php-source .phps - diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/filemanager/doc/README ./filemanager/doc/README --- ../orig/phpgroupware_0_9_16/filemanager/doc/README Thu Jul 3 16:42:45 2003 +++ ./filemanager/doc/README Thu Jul 3 16:57:04 2003 
@@ -1,22 +1,24 @@ -Module: filemanager -Authors: Jason Wies , Jonathon Sim and the team at Zeald +Module: filemanager (formerly phpwebhosting) +Author: Jason Wies +Comments to: address@hidden, address@hidden +Description: The file manager for phpGroupWare. Abilities include all common file actions (upload, mkdir, rename, delete, copy, move), creating and editing text files, and syncing with the file system. Per file/directory comments are stored, and version history is tracked. Group sharing and ACL are fully supported. -Description: The file manager for phpGroupWare. Abilities include all common -file actions (upload, mkdir, rename, delete, copy, move), creating and editing -text files, and syncing with the file system. Per file/directory comments are -stored, and version history is tracked. Group sharing and ACL are fully -supported. Files can be stored either as files on the web server, or on a remote WebDAV -repository. For installation notes see the file INSTALL in this directory - at minimum -you will probably need to set some file permissions. +NOTES +----- +filemanager started as an independent (non-phpGroupWare) project named phpwebhosting, and there continues to be a separate stand-alone distribution available at http://phpwebhosting.sourceforge.net/. +For installation help, see the INSTALL file in the phpgwapi/doc/vfs directory. DEV NOTES --------- -index.php is depreciated by the inc/class.xxphpwebhosting.inc.php files. -index.php is still used in the 0.9.16 release, but all future changes should be -made to the inc/class.xxphpwebhosting.inc.php files in CVS (3-tiered). This includes -using templates. See the docs in phpgwapi/doc/vfs for more information on -interacting with the VFS (Virtual File System). +index.php is depreciated by the inc/class.xxfilemanager.inc.php files. index.php is still used in the 0.9.14 release, but all future changes should be made to the inc/class.xxfilemanager.inc.php files (3-tiered). This includes using templates. 
-There are some simple unit tests in the tests directory : they mainly test the -functionality of the VFS classes. \ No newline at end of file +See the docs in phpgwapi/doc/vfs for more information on interacting with the VFS (Virtual File System). + +OLD NOTES +--------- +phpwebhosting replaces filemanger. phpwebhosting should be used instead of filemanager in all new installs. + +phpwebhosting will be renamed after 0.9.14, at least in time for 0.9.16, but perhaps much sooner. Most likely it will be renamed to 'filemanager', and the current 'filemanager' removed completely. + +UPDATE: The above renaming has occurred, the module formerly known as 'phpwebhosting' is now 'filemanager', the default file manager for phpGroupWare. Any references to phpwebhosting should be replaced in favor of filemanger. diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/phpgwapi/doc/vfs/INSTALL ./phpgwapi/doc/vfs/INSTALL --- ../orig/phpgroupware_0_9_16/phpgwapi/doc/vfs/INSTALL Thu Jan 1 00:00:00 1970 +++ ./phpgwapi/doc/vfs/INSTALL Thu Jul 3 16:56:01 2003 
@@ -0,0 +1,60 @@ +INSTALL +------- +Command examples are suggestions only. Use your head. + +COMMAND SUMMARY +--------------- +cp -a /some/path/to/phpgroupware/files /path/to/files +cd /path/to/files +chown -R nobody . + +http://yourhost.com/setup/ > Setup/Config > Edit Current Configuration +"Enter the full path for users and group files" => /path/to/files + +FULL EXPLANATION +---------------- +[REQUIRED] Copy phpgroupware/files to where you want to store the files. + THIS SHOULD BE SOMEWHERE NOT INSIDE THE WEBROOT AND NOT ACCESSIBLE TO THE + WEB. Having the files within the webroot is a huge security risk as well as + a privacy concern. The exception to this would be if you WANT the users' + and groups' files to be accessible from the web, such as when setting up + public or semi-public web page/document hosting. In this case, the files + directory can be left where it is. (Make sure you copy the directory, don't + just make a new one. The necessary directories are files/ and files/home/) + +[REQUIRED] In http://yourhost.com/setup, login to Setup/Config, then Edit + Current Configuration. Enter the FULL path for the files directory you + created earlier in the second box from the top. + +[REQUIRED] Change permissions for files directory and all it's + subdirectories to be writable by Apache This is the files directory you + created earlier and specified in setup (Edit Current Configuration). Note + that 'nobody' below could also be 'apache' on your system. Check the 'User' + setting in your httpd.conf. + + cd /path/to/files + chown -R nobody . + +SECURITY CONCERNS +----------------- +There are many security concerns related with allowing users to store files +on the server. The most common problem is that users can upload any type of +file, including CGI and PHP scripts. This in effect grants them local +access to the machine, and can be used to read database passwords and other +sensitive files. 
The ability to upload files of any type is not forbidden +by filemanager because it is sometimes desired, and also the types of +vulnerable files differ from server to server. To combat this, you can add +a simple entry to Apache's httpd.conf to prevent certain types of files from +being executed. Included below is an example that results in .cgi, .pl, +.php, .php3, and .phps files being treated as normal text files. It also +explicitly turns all Options off, which includes turning Indexes (listing of +files) off. + + +Options None +AllowOverride None +DirectoryIndex index.html +RemoveHandler cgi-script .cgi .pl +RemoveType application/x-httpd-php .php .php3 +RemoveType application/x-httpd-php-source .phps + diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/phpgwapi/inc/class.vfs_sql.inc.php ./phpgwapi/inc/class.vfs_sql.inc.php --- ../orig/phpgroupware_0_9_16/phpgwapi/inc/class.vfs_sql.inc.php Thu Jul 3 16:42:49 2003 +++ ./phpgwapi/inc/class.vfs_sql.inc.php Thu Jul 3 17:11:46 2003 @@ -21,7 +21,7 @@ * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * \**************************************************************************/ - /* $Id: class.vfs_sql.inc.php,v 1.15.2.6.2.2 2003/07/03 00:32:58 ralfbecker Exp $ */ + /* $Id: class.vfs_sql.inc.php,v 1.15.2.6.2.1 2003/03/27 00:07:08 ralfbecker Exp $ */ /*! @class vfs @@ -81,18 +81,6 @@ $this->file_actions = 0; } - // test if the files-dir is inside the document-root, and refuse working if so - // - if ($this->file_actions && (strstr($this->basedir,PHPGW_SERVER_ROOT) || strstr($this->basedir,$GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']))) - { - $GLOBALS['phpgw']->common->phpgw_header(); - if ($GLOBALS['phpgw_info']['flags']['noheader']) - { - echo parse_navbar(); - } - echo '

'.lang('Path to user and group files HAS TO BE OUTSIDE of the webservers document-root!!!')."

\n"; - $GLOBALS['phpgw']->common->phpgw_exit(); - } /* These are stored in the MIME-type field and should normally be ignored. Adding a type here will ensure it is normally ignored, but you will have to diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/setup/config.php ./setup/config.php --- ../orig/phpgroupware_0_9_16/setup/config.php Thu Jul 3 16:42:47 2003 +++ ./setup/config.php Thu Jul 3 17:51:58 2003 @@ -9,7 +9,7 @@ * option) any later version. * \**************************************************************************/ - /* $Id: config.php,v 1.78.2.2 2003/07/02 23:57:51 ralfbecker Exp $ */ + /* $Id: config.php,v 1.78.2.1 2003/05/28 02:20:04 skwashd Exp $ */ $phpgw_info = array(); $GLOBALS['phpgw_info']['flags'] = array( @@ -32,15 +32,6 @@ $tpl_root = $GLOBALS['phpgw_setup']->html->setup_tpl_dir('setup'); $setup_tpl = CreateObject('setup.Template',$tpl_root); - - // test if $path lies within the webservers document-root - function in_docroot($path) - { - $ret = strstr($path,PHPGW_SERVER_ROOT) || strstr($path,$GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']); - //echo "

in_docroot('$path') = '$ret', PHPGW_SERVER_ROOT='".PHPGW_SERVER_ROOT."',DOCUMENT_ROOT='".$GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']."'

\n"; - return $ret; - } - $setup_tpl->set_file(array( 'T_head' => 'head.tpl', 'T_footer' => 'footer.tpl', @@ -56,7 +47,6 @@ /* Guessing default values. */ $GLOBALS['current_config']['hostname'] = $_SERVER['HTTP_HOST']; - // files-dir is not longer allowed in document root, for security reasons !!! $GLOBALS['current_config']['files_dir'] = '/outside/webserver/docroot'; if(@is_dir('/tmp')) @@ -86,9 +76,7 @@ } $newsettings = get_var('newsettings',Array('POST')); - $files_in_docroot = in_docroot($GLOBALS['HTTP_POST_VARS']['newsettings']['files_dir']); - - if(@get_var('submit',Array('POST')) && @$newsettings && !$files_in_docroot) + if(@get_var('submit',Array('POST')) && @$newsettings) { $datetime = CreateObject('phpgwapi.datetime'); switch (intval($newsettings['daytime_port'])) @@ -163,17 +151,6 @@ while(@$GLOBALS['phpgw_setup']->db->next_record()) { $GLOBALS['current_config'][$GLOBALS['phpgw_setup']->db->f('config_name')] = $GLOBALS['phpgw_setup']->db->f('config_value'); - } - - // are we here because of an error: files-dir in docroot - if (is_array($GLOBALS['HTTP_POST_VARS']['newsettings']) && $files_in_docroot) - { - echo '

'.lang('Path to user and group files HAS TO BE OUTSIDE of the webservers document-root!!!')."

\n"; - - foreach($GLOBALS['HTTP_POST_VARS']['newsettings'] as $key => $val) - { - $GLOBALS['current_config'][$key] = $val; - } } if($GLOBALS['error'] == 'badldapconnection') diff -Naur --exclude=header.inc.php --exclude=CVS ../orig/phpgroupware_0_9_16/setup/templates/default/config.tpl ./setup/templates/default/config.tpl --- ../orig/phpgroupware_0_9_16/setup/templates/default/config.tpl Thu Jul 3 16:42:47 2003 +++ ./setup/templates/default/config.tpl Thu Jul 3 16:49:39 2003 @@ -22,7 +22,7 @@ - {lang_Enter_the_full_path_for_users_and_group_files.
Examples:_/files,_E:\FILES}:
{lang_This_has_to_be_outside_the_webservers_document-root!!!}
{lang_or_http://webdav.domain.com_(WebDAV)}: + {lang_Enter_the_full_path_for_users_and_group_files.
Examples:_/files,_E:\FILES,
http://webdav.domain.com (WebDAV).
Note:_There_are_security_problems_when_the_files_directory_is_inside_the_webroot._Please_read_the_security_recommendations_before_choosing_a_files_path.}:
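
Review bot: In the new phpgwapi/doc/vfs/INSTALL (hunk @@ -0,0 +1,60 @@), the SECURITY CONCERNS example is the only mitigation offered to an admin who keeps the files directory inside the webroot, and it is a fixed extension list (.cgi, .pl, .php, .php3, .phps), while the same paragraph says the vulnerable types differ from server to server. Say explicitly that the list has to cover every extension the local server maps to a handler, and that storing files outside the webroot remains the recommended setup. As the lines read here, the directives have no enclosing Directory container naming the files path; the example should show one. Minor: "all it's subdirectories" should be "its", and "writable by Apache This is" is missing a full stop.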
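
Review bot: In filemanager/doc/README (hunk @@ -1,22 +1,24 @@), DEV NOTES now reads "index.php is still used in the 0.9.14 release" although the patch is made against phpgroupware_0_9_16 and the replaced text said 0.9.16; the version should not go backwards. The hunk also drops the sentence about storing files on a remote WebDAV repository even though config.tpl in this same patch still offers a WebDAV path, and it removes the credit for Jonathon Sim and the team at Zeald and the pointer to the tests directory without explanation. Spelling: "filemanger" appears twice in OLD NOTES, and "depreciated" should be "deprecated".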
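
Review bot: In phpgwapi/inc/class.vfs_sql.inc.php (hunk @@ -81,18 +81,6 @@), deleting the block that calls phpgw_exit() when $this->basedir lies under PHPGW_SERVER_ROOT or DOCUMENT_ROOT leaves nothing at runtime to stop uploads being stored in a web-served directory; the only remaining safeguard is the INSTALL text. If the motive is the case INSTALL describes (deliberately public file hosting), gate the check behind an explicit configuration setting rather than removing it. If the motive is false positives, note that strstr() matches the root anywhere in the string; comparing resolved paths by prefix would fix that without dropping the check. The $Id line in hunk @@ -21,7 +21,7 @@ also moves back from 1.15.2.6.2.2 to 1.15.2.6.2.1; CVS keyword lines should be left out of the patch.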
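
Review bot: In setup/config.php, the save condition in hunk @@ -86,9 +76,7 @@ drops !$files_in_docroot, so setup now stores whatever files_dir is posted with no validation, while the default in hunk @@ -56,7 +47,6 @@ stays '/outside/webserver/docroot' with its explanatory comment removed. Consider keeping in_docroot() and turning the hard failure into a warning shown on the config page, so an admin who picks a path inside the webroot does so knowingly. The branch removed in hunk @@ -163,17 +151,6 @@ also refilled the form from the posted values; if any validation is kept, keep that behaviour so a rejected submit does not lose the admin's input.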
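
Review bot: In setup/templates/default/config.tpl (hunk @@ -22,7 +22,7 @@), the replacement label folds three lang keys into one and writes "http://webdav.domain.com (WebDAV)." with literal spaces where the rest of the key uses underscores; if the template resolves {lang_...} placeholders by key, this may not match a translation entry, so either verify the lookup or keep the separate keys. The wording also changes from a requirement ("This has to be outside the webservers document-root!!!") to a note that cites "the security recommendations" without saying where they are; name phpgwapi/doc/vfs/INSTALL in the label.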