Package: davical
Version: 1.1.1-1
Severity: normal
Tags: patch upstream
Hi.

I stumbled over some further minor problems with fopens, because I have hardened my php.ini as far as possible (more or less). Especially the use of open_basedir and allow_url_fopen is quite common to my knowledge. The davical source code has the following occurrences of fopen():

1) htdocs/setup.php:
   $version_file = @fopen($url, 'r');
This is the most visible one and actually the reason why I stumbled over all this. When allow_url_fopen = Off then the check for the current version in setup.php will fail more or less ungracefully. Attached is a patch to improve this.

2) htdocs/caldav.php:
   $fh = @fopen($matches[1],'r');
See also #703294, where I suggest to remove that code section altogether for security reasons. But apart from that... no handling for open_basedir... and the users would need to add at least their DOCUMENT_ROOT to open_basedir... but this is even too lax... they should rather add DOCUMENT_ROOT/<path(s) where the served files are> instead of the _whole_ DOCUMENT_ROOT.

3) inc/caldav-PUT-vcalendar.php:   $fh = fopen('/tmp/PUT.txt','w');
   inc/CalDAVRequest.php:            $fh = fopen('/tmp/encoded_data.'.$encoding,'w');
   inc/caldav-REPORT.php:            $fh = fopen('/tmp/REPORT.txt','w');
   inc/caldav-PUT-default.php:       $fh = fopen('/tmp/PUT.txt','w');
   inc/caldav-MOVE.php:              $fh = fopen('/tmp/MOVE.txt','w');
   inc/caldav-POST.php:              $fh = fopen('/tmp/POST.txt','w');
   inc/caldav-ACL.php:               $fh = fopen('/tmp/MOVE.txt','w');
   inc/caldav-PUT-vcard.php:         $fh = fopen('/tmp/PUT.txt','w');
   inc/caldav-PUT-functions.php:     $fh = fopen('/tmp/PUT-2.txt','w');
/tmp might be forbidden by open_basedir. Nevertheless... that isn't used by default (and it even checks for open_basedir) and the option to enable it is not even documented, AFAIK. So that should be OK... but if that was ever made "public" to the end users, one should add information that they need to add /tmp to open_basedir... or even better write it to /var/log/davical/debug or so (a patch for this would be attached).

4) inc/log_caldav_action.php:
   $logfile = fopen( $c->action_log_name, "a+" );
AFAICS, this is neither documented nor used anywhere by default. So that seems to be fine. But analogous to (3)... if that should ever be made public... it should be added to the docs that open_basedir must be set. There is no check on open_basedir... so the write would fail ungracefully.

Cheers,
Chris.
Index: davical/inc/CalDAVRequest.php =================================================================== --- davical.orig/inc/CalDAVRequest.php 2012-07-08 14:53:01.000000000 +0200 +++ davical/inc/CalDAVRequest.php 2013-03-18 17:49:30.327718315 +0100 @@ -183,7 +183,7 @@ @dbg_error_log('caldav', 'Content-Encoding: %s', $encoding ); $encoding = preg_replace('{[^a-z0-9-]}i','',$encoding); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['caldav'])) ) { - $fh = fopen('/tmp/encoded_data.'.$encoding,'w'); + $fh = fopen('/var/log/davical/debug/encoded_data.'.$encoding,'w'); if ( $fh ) { fwrite($fh,$c->raw_post); fclose($fh); Index: davical/inc/caldav-ACL.php =================================================================== --- davical.orig/inc/caldav-ACL.php 2012-05-19 09:00:53.000000000 +0200 +++ davical/inc/caldav-ACL.php 2013-03-18 17:49:58.759179104 +0100 @@ -15,7 +15,7 @@ $request->NeedPrivilege('DAV::write-acl'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/MOVE.txt','w'); + $fh = fopen('/var/log/davical/debug/MOVE.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-MOVE.php =================================================================== --- davical.orig/inc/caldav-MOVE.php 2011-11-22 11:45:19.000000000 +0100 +++ davical/inc/caldav-MOVE.php 2013-03-18 17:49:48.863366780 +0100 
@@ -15,7 +15,7 @@ $request->NeedPrivilege('DAV::unbind'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['move']) && $c->dbg['move'])) ) { - $fh = fopen('/tmp/MOVE.txt','w'); + $fh = fopen('/var/log/davical/debug/MOVE.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-POST.php =================================================================== --- davical.orig/inc/caldav-POST.php 2012-03-19 03:09:50.000000000 +0100 +++ davical/inc/caldav-POST.php 2013-03-18 17:49:53.331282045 +0100 @@ -16,7 +16,7 @@ include_once('iSchedule.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['post'])) ) { - $fh = fopen('/tmp/POST.txt','w'); + $fh = fopen('/var/log/davical/debug/POST.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-default.php =================================================================== --- davical.orig/inc/caldav-PUT-default.php 2012-04-04 04:36:07.000000000 +0200 +++ davical/inc/caldav-PUT-default.php 2013-03-18 17:49:43.499468509 +0100 @@ -13,7 +13,7 @@ require_once('DAVResource.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-functions.php =================================================================== --- davical.orig/inc/caldav-PUT-functions.php 2012-06-30 02:48:19.000000000 +0200 +++ davical/inc/caldav-PUT-functions.php 2013-03-18 17:50:10.950947882 +0100 
@@ -647,7 +647,7 @@ global $c; if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT-2.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT-2.txt','w'); if ( $fh ) { fwrite($fh,$import_content); fclose($fh); Index: davical/inc/caldav-PUT-vcalendar.php =================================================================== --- davical.orig/inc/caldav-PUT-vcalendar.php 2012-04-04 04:35:25.000000000 +0200 +++ davical/inc/caldav-PUT-vcalendar.php 2013-03-18 17:49:20.803898938 +0100 @@ -45,7 +45,7 @@ } if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-vcard.php =================================================================== --- davical.orig/inc/caldav-PUT-vcard.php 2012-04-30 03:27:34.000000000 +0200 +++ davical/inc/caldav-PUT-vcard.php 2013-03-18 17:50:04.795064631 +0100 @@ -13,7 +13,7 @@ require_once('DAVResource.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-REPORT.php =================================================================== --- davical.orig/inc/caldav-REPORT.php 2012-07-08 13:38:51.000000000 +0200 +++ davical/inc/caldav-REPORT.php 2013-03-18 17:49:37.287586320 +0100 @@ -16,7 +16,7 @@ require_once('RRule-v2.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['report']) && $c->dbg['report'])) ) { - $fh = fopen('/tmp/REPORT.txt','w'); + $fh = fopen('/var/log/davical/debug/REPORT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh);
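Review bot: the `! ini_get('open_basedir')` guard that every hunk keeps still turns the dump off whenever open_basedir is set at all, so moving the files to /var/log/davical/debug does not make them usable under the hardened php.ini this report is about; the condition should test that the target directory lies inside open_basedir (or be dropped, since `if ( $fh )` already tolerates a failed fopen). Two smaller points: caldav-ACL.php still writes to `MOVE.txt`, which collides with the caldav-MOVE.php dump and looks like a copy-paste leftover (suggest `ACL.txt`); and nine copies of the same hard-coded path would be easier to maintain and to document as one configurable directory (`$c->debug_dir` or similar, name hypothetical), with the package creating it owned by the web server user and not world-readable, because every dump is a raw request body, i.e. a user's calendar or contact data. The relocation also retires fixed-name files in the world-writable /tmp, which is worth a line in the changelog.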
--- davical.orig/htdocs/setup.php 2013-03-18 17:30:17.889574716 +0100 +++ davical/htdocs/setup.php 2013-03-18 17:41:29.416838960 +0100 @@ -249,6 +249,8 @@ function check_davical_version() { global $c; + if ( ! ini_get('allow_url_fopen') ) + return new CheckResult( false, translate("Cannot determine upstream version, because PHP has set “<a href=\"http://php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen\"><code>allow_url_fopen</code></a>” to “<code>FALSE</code>”."), 'dep_warning' ); $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string; $version_file = @fopen($url, 'r'); if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
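Review bot: the early return inserted before `$url = ...` is correct, but its message says `allow_url_fopen` is set to “FALSE” whereas the administrator sees the setting written as `allow_url_fopen = Off` (or `0`); quoting it that way makes the hint actionable. The new string also embeds HTML (`<a href=...>`, `<code>`) inside translate(), unlike the plain-text strings elsewhere in this function, so either keep the markup outside the translated fragment or note that translators must preserve it. The existing `if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") ...` branch below still covers every other failure (DNS, proxy, network policy) with one generic message, so the new check isolates only the single cause it names.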
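The report asks for fopen() calls that degrade gracefully when open_basedir or allow_url_fopen is in effect. The following is an added example written for this page, not DAViCal's own code and not part of the attached patches: a helper that tests a path against open_basedir before opening a debug dump, and a URL fetch that explains itself instead of returning a bare false. The directory name, the `open_debug_dump`/`fetch_url_or_reason` function names and the use of error_log() as the sink are assumptions; DAViCal's real dump sites would call these from the places shown in the patch above.

```php
<?php
// Added example (not DAViCal code): make fopen() failures under a hardened
// php.ini explicit instead of silent.  Assumes error_log() is the place an
// administrator already looks, and that $debug_dir is a private directory.

/**
 * True if $path lies inside one of the open_basedir entries (or if
 * open_basedir is unset).  Stricter than PHP's own test: PHP treats an
 * entry as a string prefix ("/dir/incl" also admits "/dir/include"),
 * here an entry only matches at a directory boundary.
 */
function path_allowed_by_open_basedir(string $path): bool
{
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        return true;
    }
    // A file that does not exist yet is judged by its parent directory.
    $real = realpath($path);
    if ($real === false) {
        $parent = realpath(dirname($path));
        if ($parent === false) {
            return false;
        }
        $real = rtrim($parent, '/') . '/' . basename($path);
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        $entry = realpath($entry);
        if ($entry === false) {
            continue;
        }
        $entry = rtrim($entry, '/');
        if ($real === $entry || strpos($real, $entry . '/') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Open a debug dump for writing, or return null after logging why.
 * The dumps hold raw request bodies (calendar and contact data), so
 * $debug_dir is assumed to be owned by the web server user and not
 * readable by others.
 */
function open_debug_dump(string $debug_dir, string $name)
{
    // Only a bare file name is accepted; no path components.
    if ($name === '' || $name !== basename($name)) {
        error_log("debug dump: refusing name '$name'");
        return null;
    }
    $path = rtrim($debug_dir, '/') . '/' . $name;
    if (!path_allowed_by_open_basedir($path)) {
        error_log("debug dump: '$path' is outside open_basedir ("
            . ini_get('open_basedir') . "); add the directory or disable the dump");
        return null;
    }
    if (!is_dir($debug_dir) || !is_writable($debug_dir)) {
        error_log("debug dump: '$debug_dir' missing or not writable by the web server user");
        return null;
    }
    // Do not follow a pre-existing symlink; 'w' would truncate its target.
    if (is_link($path)) {
        error_log("debug dump: '$path' is a symlink, not writing");
        return null;
    }
    $fh = fopen($path, 'w');
    if ($fh === false) {
        error_log("debug dump: fopen('$path') failed");
        return null;
    }
    return $fh;
}

/**
 * Fetch a URL through the stream wrapper only when PHP permits it.
 * Returns [body, null] on success or [null, reason] on failure.
 */
function fetch_url_or_reason(string $url): array
{
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        return [null, "allow_url_fopen = Off; cannot fetch $url"];
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        return [null, 'fetch failed: ' . ($err['message'] ?? 'unknown error')];
    }
    return [$body, null];
}

// Usage, as a PUT handler might call it (variables hypothetical):
// $fh = open_debug_dump('/var/log/davical/debug', 'PUT.txt');
// if ($fh) { fwrite($fh, $request->raw_post); fclose($fh); }
```

The symlink test narrows but does not close the race between is_link() and fopen(); that is why the dump directory must not be shared with other local users, which is the substantive gain of leaving /tmp. The open_basedir check deliberately stays stricter than PHP's prefix rule so that an entry such as `/var/log/davical/debug` never admits a sibling directory by accident.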