projects / manu / suphp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r9183@datura: manu | 2008-06-04 09:59:07 +0200
[manu/suphp.git] / src / Application.cpp
diff --git a/src/Application.cpp b/src/Application.cpp
index 72e6731..bb7ce50 100644 (file)
--- a/src/Application.cpp
+++ b/src/Application.cpp
@@ -177,7 +177,6 @@ void suPHP::Application::checkScriptFile(
     throw (SystemException, SoftException) {
     Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
     File scriptFile = File(scriptFilename);
     throw (SystemException, SoftException) {
     Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
     File scriptFile = File(scriptFilename);
-    File realScriptFile = File(scriptFile.getRealPath());
 
     // Check wheter file exists
     if (!scriptFile.exists()) {
 
     // Check wheter file exists
     if (!scriptFile.exists()) {
@@ -185,13 +184,11 @@ void suPHP::Application::checkScriptFile(
        logger.logWarning(error);
        throw SoftException(error, __FILE__, __LINE__);
     }
        logger.logWarning(error);
        throw SoftException(error, __FILE__, __LINE__);
     }
-    if (!realScriptFile.exists()) {
-        std::string error = "File " + realScriptFile.getPath() 
-            + " referenced by symlink " +scriptFile.getPath() 
-            + " does not exist";
-        logger.logWarning(error);
-        throw SoftException(error, __FILE__, __LINE__);
-    }
+    
+    // Get full path to script file
+
+    File realScriptFile = File(scriptFile.getRealPath());
+    File directory = realScriptFile.getParentDirectory();
     
     // Check wheter script is in docroot
     if (realScriptFile.getPath().find(config.getDocroot()) != 0) {
     
     // Check wheter script is in docroot
     if (realScriptFile.getPath().find(config.getDocroot()) != 0) {
@@ -216,19 +213,8 @@ void suPHP::Application::checkScriptFile(
        logger.logWarning(error);
        throw SoftException(error, __FILE__, __LINE__);
     }
        logger.logWarning(error);
        throw SoftException(error, __FILE__, __LINE__);
     }
-    if (config.getCheckVHostDocroot()
-        && scriptFile.getPath().find(environment.getVar("DOCUMENT_ROOT")) 
-        != 0) {
-        
-        std::string error = "File \"" + scriptFile.getPath()
-            + "\" is not in document root of Vhost \""
-            + environment.getVar("DOCUMENT_ROOT") + "\"";
-        logger.logWarning(error);
-        throw SoftException(error, __FILE__, __LINE__);
-    }
 
 
-    // Check script permissions
-    // Directories will be checked later
+    // Check script and directory permissions
     if (!realScriptFile.hasUserReadBit()) {
        std::string error = "File \"" + realScriptFile.getPath()
            + "\" not readable";
     if (!realScriptFile.hasUserReadBit()) {
        std::string error = "File \"" + realScriptFile.getPath()
            + "\" not readable";
@@ -245,6 +231,14 @@ void suPHP::Application::checkScriptFile(
        throw SoftException(error, __FILE__, __LINE__);
     }
     
        throw SoftException(error, __FILE__, __LINE__);
     }
     
+    if (!config.getAllowDirectoryGroupWriteable() 
+       && directory.hasGroupWriteBit()) {
+       std::string error = "Directory \"" + directory.getPath()
+           + "\" is writeable by group";
+       logger.logWarning(error);
+       throw SoftException(error, __FILE__, __LINE__);
+    }
+
     if (!config.getAllowFileOthersWriteable()
        && realScriptFile.hasOthersWriteBit()) {
        std::string error = "File \"" + realScriptFile.getPath()
     if (!config.getAllowFileOthersWriteable()
        && realScriptFile.hasOthersWriteBit()) {
        std::string error = "File \"" + realScriptFile.getPath()
@@ -253,6 +247,14 @@ void suPHP::Application::checkScriptFile(
        throw SoftException(error, __FILE__, __LINE__);
     }
     
        throw SoftException(error, __FILE__, __LINE__);
     }
     
+    if (!config.getAllowDirectoryOthersWriteable()
+       && directory.hasOthersWriteBit()) {
+       std::string error = "Directory \"" + directory.getPath()
+           + "\" is writeable by others";
+       logger.logWarning(error);
+       throw SoftException(error, __FILE__, __LINE__);
+    }
+
     // Check UID/GID of symlink is matching target
     if (scriptFile.getUser() != realScriptFile.getUser()
        || scriptFile.getGroup() != realScriptFile.getGroup()) {
     // Check UID/GID of symlink is matching target
     if (scriptFile.getUser() != realScriptFile.getUser()
        || scriptFile.getGroup() != realScriptFile.getGroup()) {
@@ -272,8 +274,7 @@ void suPHP::Application::changeProcessPermissions(
     UserInfo targetUser;
     GroupInfo targetGroup;
 
     UserInfo targetUser;
     GroupInfo targetGroup;
 
-    File scriptFile = File(scriptFilename);
-    File realScriptFile = File(scriptFile.getRealPath());
+    File scriptFile = File(File(scriptFilename).getRealPath());
     API& api = API_Helper::getSystemAPI();
     Logger& logger = api.getSystemLogger();
 
     API& api = API_Helper::getSystemAPI();
     Logger& logger = api.getSystemLogger();
 
@@ -359,11 +360,7 @@ void suPHP::Application::changeProcessPermissions(
        throw SoftException(error, __FILE__, __LINE__);
     }
 #endif // OPT_USERGROUP_PARANOID    
        throw SoftException(error, __FILE__, __LINE__);
     }
 #endif // OPT_USERGROUP_PARANOID    
-    
-    // Check directory ownership and permissions
-    checkParentDirectories(realScriptFile, targetUser, config);
-    checkParentDirectories(scriptFile, targetUser, config);
-    
+
     // Common code used for all modes
 
     // Set new group first, because we still need super-user privileges
     // Common code used for all modes
 
     // Set new group first, because we still need super-user privileges
@@ -483,43 +480,6 @@ void suPHP::Application::executeScript(const std::string& scriptFilename,
 }
 
 
 }
 
 
-void suPHP::Application::checkParentDirectories(const File& file,
-                                               const UserInfo& owner,
-                                               const Configuration& config) const throw (SoftException) {
-    File directory = file;
-    Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
-    do {
-        directory = directory.getParentDirectory();
-        
-        UserInfo directoryOwner = directory.getUser();
-        if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
-            std::string error = "Directory " + directory.getPath()
-                + " is not owned by " + owner.getUsername();
-            logger.logWarning(error);
-            throw SoftException(error, __FILE__, __LINE__);
-        }
-        
-        if (!directory.isSymlink()
-            && !config.getAllowDirectoryGroupWriteable() 
-            && directory.hasGroupWriteBit()) {
-            std::string error = "Directory \"" + directory.getPath()
-                + "\" is writeable by group";
-            logger.logWarning(error);
-            throw SoftException(error, __FILE__, __LINE__);
-        }
-        
-        if (!directory.isSymlink()
-            && !config.getAllowDirectoryOthersWriteable()
-            && directory.hasOthersWriteBit()) {
-            std::string error = "Directory \"" + directory.getPath()
-                + "\" is writeable by others";
-            logger.logWarning(error);
-            throw SoftException(error, __FILE__, __LINE__);
-        }
-    } while (directory.getPath() != "/");
-}
-
-
 int main(int argc, char **argv) {
     try {
        API& api = API_Helper::getSystemAPI();
 int main(int argc, char **argv) {
     try {
        API& api = API_Helper::getSystemAPI();
suphp Debian package