From f090f1b39f0583aa27e4babd766163384afc8951 Mon Sep 17 00:00:00 2001 From: Robert Isoski Date: Sun, 31 Mar 2019 13:32:05 +0200 Subject: [PATCH] 2.7.0 (#126) * Update index.php - Adding improvements made by @NicolasCARPi (improved file fetcher, code clean up, minimum password constant). - Added random rassword generator for fresh WonderCMS installs. * Update index.php Removing unnecessary default password message. * Update index.php Applying "patch" to prevent an admin being tricked into a self attack. * Update index.php Reverting for double check / code review. * Update index.php - All changes in one place. - Also removed updateAction function, as it's irrelevant for upcoming version 3.0.0 * Update version Updating to actual version. --- index.php | 105 +++++++++++++++++++++++++++--------------------------- version | 2 +- 2 files changed, 53 insertions(+), 54 deletions(-) diff --git a/index.php b/index.php index fd557888..ddbb51a4 100644 --- a/index.php +++ b/index.php @@ -1,7 +1,7 @@ [ 'dbVersion' => '2.6.0', @@ -153,7 +154,7 @@ private static function createDatabase() 'theme' => 'default', 'defaultPage' => 'home', 'login' => 'loginURL', - 'password' => password_hash('admin', PASSWORD_DEFAULT), + 'password' => password_hash($password, PASSWORD_DEFAULT), 'menuItems' => [ '0' => [ 'name' => 'Home', @@ -180,7 +181,7 @@ private static function createDatabase() 'description' => 'A short description is also good.', 'content' => '

Website alive!

-

Click to login, the password is admin.

' +

Click to login. Your password is: ' . $password . '

' ], 'example' => [ 'title' => 'Example', @@ -230,7 +231,7 @@ private static function createMenuItem($content, $menu, $visibility) } $db->config->{$field}->{$menuCount} = new stdClass; wCMS::save($db); - wCMS::set($conf, $field, $menuCount, 'name', str_replace("-", " ", $content)); + wCMS::set($conf, $field, $menuCount, 'name', str_replace('-', ' ', $content)); wCMS::set($conf, $field, $menuCount, 'slug', $slug); wCMS::set($conf, $field, $menuCount, 'visibility', $visibility); if ($menu) { @@ -253,7 +254,7 @@ private static function createPage($slug = false) $db = wCMS::db(); $db->pages->{(!$slug) ? wCMS::$currentPage : $slug} = new stdClass; wCMS::save($db); - wCMS::set('pages', (!$slug) ? wCMS::slugify(wCMS::$currentPage) : $slug, 'title', (!$slug) ? mb_convert_case(str_replace("-", " ", wCMS::$currentPage), MB_CASE_TITLE) : mb_convert_case(str_replace("-", " ", $slug), MB_CASE_TITLE)); + wCMS::set('pages', (!$slug) ? wCMS::slugify(wCMS::$currentPage) : $slug, 'title', (!$slug) ? mb_convert_case(str_replace('-', ' ', wCMS::$currentPage), MB_CASE_TITLE) : mb_convert_case(str_replace('-', ' ', $slug), MB_CASE_TITLE)); wCMS::set('pages', (!$slug) ? wCMS::slugify(wCMS::$currentPage) : $slug, 'keywords', 'Keywords, are, good, for, search, engines'); wCMS::set('pages', (!$slug) ? wCMS::slugify(wCMS::$currentPage) : $slug, 'description', 'A short description is also good.'); if (!$slug) { @@ -291,7 +292,7 @@ private static function deleteFileThemePluginAction() ]; foreach ($deleteList as $entry) { list($folder, $request) = $entry; - $filename = isset($_REQUEST[$request]) ? str_ireplace(['./', '../', '..', '~', '~/'], null, trim($_REQUEST[$request])) : false; + $filename = isset($_REQUEST[$request]) ? str_ireplace(['/', './', '../', '..', '~', '~/', '\\'], null, trim($_REQUEST[$request])) : false; if (!$filename || empty($filename)) { continue; } 
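Review bot: The freshly generated admin password is persisted in clear text inside the seeded home-page content (`'Click to login. Your password is: ' . $password`), and because the same database seed sets `'defaultPage' => 'home'`, that text is rendered to every anonymous visitor until the admin edits the page; only the hash written to the `'password'` field should survive in storage. Show the password once at install time instead, for example through an admin-only `wCMS::alert('info', ...)` raised on the first login, or at minimum have the "change your password" nudge also replace this paragraph. The rest of `createDatabase` and the place where `$password` is assigned are outside this hunk.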
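Review bot: The new filename filter in `deleteFileThemePluginAction` is still a deny-list (`str_ireplace(['/', './', '../', '..', '~', '~/', '\\'], null, ...)`), and a deny-list is harder to reason about than accepting only what a theme or plugin directory name can contain; `if (!preg_match('/^[A-Za-z0-9_-]+$/', $filename)) { continue; }` rejects traversal attempts and unexpected names outright, and a `realpath()` check that the resolved target still lies inside `$folder` catches anything the pattern misses. Passing `null` as the replacement relies on null-to-string coercion that PHP 8.1 deprecates; use `''`. `if (!$filename || empty($filename))` is redundant (`empty()` already covers the first test) and treats the name `'0'` as absent. The remainder of the loop body, and any request-token check the action performs, continue outside the hunk.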
@@ -346,9 +347,15 @@ public static function footer() return wCMS::hook('footer', $output)[0]; } + private static function generatePassword() + { + $characters = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcefghijklmnopqrstuvwxyz'; + return substr(str_shuffle($characters), 0, self::MIN_PASSWORD_LENGTH); + } + public static function generateToken() { - return (isset($_SESSION["token"])) ? $_SESSION["token"] : $_SESSION["token"] = bin2hex(openssl_random_pseudo_bytes(32)); + return (isset($_SESSION['token'])) ? $_SESSION['token'] : $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32)); } public static function get() @@ -359,24 +366,29 @@ public static function get() wCMS::$db = wCMS::db(); } switch ($numArgs) { - case 1: return wCMS::$db->{$args[0]}; + case 1: + return wCMS::$db->{$args[0]}; break; - case 2: return wCMS::$db->{$args[0]}->{$args[1]}; + case 2: + return wCMS::$db->{$args[0]}->{$args[1]}; break; - case 3: return wCMS::$db->{$args[0]}->{$args[1]}->{$args[2]}; + case 3: + return wCMS::$db->{$args[0]}->{$args[1]}->{$args[2]}; break; - case 4: return wCMS::$db->{$args[0]}->{$args[1]}->{$args[2]}->{$args[3]}; - break; - default: return false; + case 4: + return wCMS::$db->{$args[0]}->{$args[1]}->{$args[2]}->{$args[3]}; break; + default: + return false; } } - public static function getExternalFile($url) + public static function getFileFromRepo($file) { + $repoUrl = 'https://raw.githubusercontent.com/robiso/wondercms/master/'; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_URL, $repoUrl . $file); $data = curl_exec($ch); curl_close($ch); return $data; @@ -389,8 +401,7 @@ private static function getMenuSettings() private static function getOfficialVersion() { - $data = trim(wCMS::getExternalFile('https://raw.githubusercontent.com/robiso/wondercms/master/version')); - return $data; + return trim(wCMS::getFileFromRepo('version')); } private static function hook() 
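Review bot: `generatePassword` builds the initial admin password with `str_shuffle()`, which is not a cryptographically secure source and, because it shuffles rather than samples, never repeats a character, so the password space is smaller than the alphabet length suggests; on PHP 7+ draw each character with `random_int()` instead. The alphabet literal is also missing the letter `d` (`...abcefgh...`), which looks like a typo. `self::MIN_PASSWORD_LENGTH` is declared outside this hunk; its value fixes the password length, so make sure it is large enough for a password that is shown in a page rather than typed. `generateToken` could likewise use `random_bytes(32)` in place of `openssl_random_pseudo_bytes(32)` where PHP 7+ is the baseline.
```php
private static function generatePassword()
{
    $characters = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $lastIndex = strlen($characters) - 1;
    $password = '';
    // random_int() is a CSPRNG; str_shuffle() is not and never repeats a character
    for ($i = 0; $i < self::MIN_PASSWORD_LENGTH; $i++) {
        $password .= $characters[random_int(0, $lastIndex)];
    }
    return $password;
}
```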
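Review bot: `getFileFromRepo` sets neither `CURLOPT_TIMEOUT` nor `CURLOPT_CONNECTTIMEOUT` and never inspects the transfer result, so an unreachable or slow upstream stalls every request that reaches `getOfficialVersion` (hunk @@ -389), and a failed `curl_exec` yields `false`, which `trim()` silently turns into `''` before the caller compares it with `VERSION`. Add `curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch, CURLOPT_FAILONERROR, true);` and have `getOfficialVersion` return early when the fetched data is `false` or empty rather than comparing it. `$file` is appended to `$repoUrl` unchanged; the only caller in this patch passes the literal `'version'`, which is fine, but the function should not be reachable with request-controlled input without restricting the allowed names.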
@@ -419,7 +430,7 @@ private static function installThemePluginAction() if (isset($_POST['installLocation'])) { $installLocation = trim(strtolower($_POST['installLocation'])); $addonURL = $_POST['addonURL']; - $validPaths = array("themes", "plugins"); + $validPaths = array('themes', 'plugins'); } else { wCMS::alert('danger', 'Choose between theme or plugin.'); wCMS::redirect(); @@ -547,14 +558,14 @@ public static function menu() public static function notFoundReponse() { if (!wCMS::$loggedIn && !wCMS::$currentPageExists) { - header("HTTP/1.1 404 Not Found"); + header('HTTP/1.1 404 Not Found'); } } public static function notFoundView() { if (wCMS::$loggedIn) { - return ['title' => str_replace("-", " ", wCMS::$currentPage), 'description' => '', 'keywords' => '', 'content' => '
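Review bot: The changed line in `installThemePluginAction` keeps the long `array(...)` form, while the rest of this file uses short array syntax (for example `'menuItems' => [` in the database seed); `$validPaths = ['themes', 'plugins'];` keeps the style consistent. The context line `$addonURL = $_POST['addonURL'];` shows no validation inside this hunk; if the function does not restrict the URL further down (outside the hunk), it should accept only an expected scheme and host before anything is fetched from it.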

Click to create content

']; + return ['title' => str_replace('-', ' ', wCMS::$currentPage), 'description' => '', 'keywords' => '', 'content' => '

Click to create content

']; } return wCMS::get('pages', '404'); } @@ -568,13 +579,10 @@ private static function notifyAction() wCMS::alert('info', 'This page (' . wCMS::$currentPage . ') doesn\'t exist. Click inside the content below to create it.'); } if (wCMS::get('config', 'login') === 'loginURL') { - wCMS::alert('warning', 'Change the default admin login URL. (Settings -> Security)', true); + wCMS::alert('danger', 'Change your default password and login URL. (Settings -> Security)', true); } - if (password_verify('admin', wCMS::get('config', 'password'))) { - wCMS::alert('danger', 'Change the default password. (Settings -> Security)', true); - } - if (wCMS::getOfficialVersion() > version) { - wCMS::alert('info', '

New WonderCMS update available

- Backup your website and check what\'s new before updating.
', true); + if (wCMS::getOfficialVersion() > VERSION) { + wCMS::alert('info', '

New WonderCMS update available (requires manual updating)

- Backup your website and check how to manually update WonderCMS.
', true); } } @@ -701,13 +709,17 @@ public static function set() $args = func_get_args(); $db = wCMS::db(); switch ($numArgs) { - case 2: $db->{$args[0]} = $args[1]; + case 2: + $db->{$args[0]} = $args[1]; break; - case 3: $db->{$args[0]}->{$args[1]} = $args[2]; + case 3: + $db->{$args[0]}->{$args[1]} = $args[2]; break; - case 4: $db->{$args[0]}->{$args[1]}->{$args[2]} = $args[3]; + case 4: + $db->{$args[0]}->{$args[1]}->{$args[2]} = $args[3]; break; - case 5: $db->{$args[0]}->{$args[1]}->{$args[2]}->{$args[3]} = $args[4]; + case 5: + $db->{$args[0]}->{$args[1]}->{$args[2]}->{$args[3]} = $args[4]; break; } wCMS::save($db); @@ -756,7 +768,7 @@ public static function settings() foreach ($pluginList as $plugin) { $output .= '× ' . $plugin . '
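Review bot: `wCMS::getOfficialVersion() > VERSION` compares two version strings with the ordinary `>` operator, which orders lexically, so a published `2.10.0` compares lower than `2.7.0` and the update notice disappears; use `version_compare(wCMS::getOfficialVersion(), VERSION, '>')`. The same comparison is made in `updateDBVersion` (hunk @@ -768) with `<` and should use `version_compare(..., '<')` there too. Dropping the `password_verify('admin', ...)` check is consistent with installs no longer shipping a fixed password, but the remaining warning is keyed only on `login === 'loginURL'`, so an admin who changes the login URL first presumably receives no further reminder to change the generated password; a first-login flag would keep the reminder independent of the URL.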

'; } - $output .= '

Admin login URL

' . wCMS::get('config', 'login') . '

Important: bookmark your login URL after changing
' . wCMS::url(wCMS::get('config', 'login')) . '

Password

Backup

How to restore backup

Better security (Apache only)

HTTPS redirect, 30 day caching, iframes allowed only from same origin, mime type sniffing prevention, stricter refferer and cookie policy.

Read more before enabling

'; + $output .= '

Admin login URL

' . wCMS::get('config', 'login') . '

Important: bookmark your login URL after changing
' . wCMS::url(wCMS::get('config', 'login')) . '

Password

Backup

How to restore backup

Better security (Apache only)

HTTPS redirect, 30 day caching, iframes allowed only from same origin, mime type sniffing prevention, stricter refferer and cookie policy.

Read more before enabling

'; return wCMS::hook('settings', $output)[0]; } @@ -768,25 +780,10 @@ public static function slugify($text) return empty($text) ? "-" : $text; } - private static function updateAction() - { - if (!wCMS::$loggedIn || !isset($_POST['update'])) { - return; - } - if (hash_equals($_POST['token'], wCMS::generateToken())) { - $contents = wCMS::getExternalFile('https://raw.githubusercontent.com/robiso/wondercms/master/index.php'); - if ($contents) { - file_put_contents(__FILE__, $contents); - } - wCMS::alert('success', 'WonderCMS successfully updated. Wohoo!'); - wCMS::redirect(); - } - } - private static function updateDBVersion() { - if (wCMS::get('config', 'dbVersion') < '2.6.0') { - wCMS::set('config', 'dbVersion', '2.6.0'); + if (wCMS::get('config', 'dbVersion') < VERSION) { + wCMS::set('config', 'dbVersion', VERSION); } } @@ -808,10 +805,12 @@ private static function uploadFileAction() case UPLOAD_ERR_NO_FILE: wCMS::alert('danger', 'No file selected.'); wCMS::redirect(); + break; case UPLOAD_ERR_INI_SIZE: case UPLOAD_ERR_FORM_SIZE: wCMS::alert('danger', 'File too large. Change maximum upload size limit or contact your host.'); wCMS::redirect(); + break; default: wCMS::alert('danger', 'Unknown error.'); wCMS::redirect(); diff --git a/version b/version index e70b4523..24ba9a38 100644 --- a/version +++ b/version @@ -1 +1 @@ -2.6.0 +2.7.0
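Review bot: `updateDBVersion` now bumps `config.dbVersion` to the `VERSION` constant, but the `createDatabase` seed at the top of the patch still writes `'dbVersion' => '2.6.0'` as a literal, so a fresh install starts with a stale value and is immediately rewritten on the next request; seeding `'dbVersion' => VERSION` keeps the two in step (that first hunk is not fully recoverable here, so confirm against the file). A short comment on the method, `// Keeps config.dbVersion in step with the running release; schema migrations, if any, belong here.`, would make its purpose clearer now that it is the only version-handling code left after `updateAction` was removed.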