author | Andreas Gohr <andi@splitbrain.org> | 2021-03-04 12:48:36 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-04 12:48:36 +0100 |
commit | 86491c6cddf80057c28aea48b309b081fd8b0497 (patch) | |
tree | f7d355d6c3e4c129730ecfcabe3c7c9451448b8c /lib/scripts/behaviour.js | |
parent | a8b6eaa91e516b6cec72bd298f13432609f06881 (diff) | |
parent | b68a7721c62562cbcd3924f5a14b4df85b5b2305 (diff) | |
download | dokuwiki-86491c6cddf80057c28aea48b309b081fd8b0497.tar.gz dokuwiki-86491c6cddf80057c28aea48b309b081fd8b0497.zip |
Merge pull request #3368 from splitbrain/fix3363
do not repeat successful security checks. fixes #3363
Diffstat (limited to 'lib/scripts/behaviour.js')
-rw-r--r-- | lib/scripts/behaviour.js | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js
index 70b60ef9a..41702fad7 100644
--- a/lib/scripts/behaviour.js
+++ b/lib/scripts/behaviour.js
@@ -56,6 +56,7 @@ var dw_behaviour = {
 dw_behaviour.checkWindowsShares();
 dw_behaviour.subscription();
 dw_behaviour.pageRestoreConfirm();
+ dw_behaviour.securityCheck();
 dw_behaviour.revisionBoxHandler();
 
 jQuery(document).on('click','#page__revisions input[type=checkbox]',
@@ -204,6 +205,36 @@ var dw_behaviour = {
 }
 });
 }
+ },
+
+ /**
+ * Check that access to the data directory is properly secured
+ *
+ * A successful check (a 403 error was returned when loading the image) is saved
+ * to session storage and not repeated again until the next browser session. This
+ * avoids overeager security bans (see #3363)
+ */
+ securityCheck: function () {
+ var $checkDiv = jQuery('#security__check');
+ if (!$checkDiv.length) return;
+ if (sessionStorage.getItem('dw-security-check:' + DOKU_BASE)) {
+ // check was already executed successfully
+ $checkDiv.remove();
+ return;
+ }
+
+ var img = new Image();
+ img.onerror = function () {
+ // successful check will not be repeated during session
+ $checkDiv.remove();
+ sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true);
+ }
+ img.onload = function () {
+ // check failed, display a warning message
+ $checkDiv.html(LANG.data_insecure);
+ $checkDiv.addClass('error');
+ }
+ img.src = $checkDiv.data('src') + '?t=' + Date.now();
 }
 };
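Review bot: In the second hunk, `img.onerror` records a passed check in sessionStorage for any load failure, but an Image element cannot tell a 403 from a 404, a DNS/network failure, an ad blocker or a CSP `img-src` block, so a transient or unrelated error caches "secure" for the whole browser session and the warning is never shown even if the data directory is actually readable — the docblock promises the 403 semantics that the code does not verify. Since the probe URL is same-origin under DOKU_BASE, a `jQuery.ajax` request can inspect `xhr.status` and only cache the result when it really is 403, leaving other failures uncached so the check runs again on the next page load; a sketch follows. Separately, `sessionStorage.getItem`/`setItem` can throw (storage disabled, sandboxed or private contexts), and because `securityCheck()` is called inline in the first hunk between `pageRestoreConfirm()` and `revisionBoxHandler()`, an uncaught exception there would abort the remaining initialisation, so the storage access should be wrapped in `try { … } catch (e) { /* treat as not cached */ }`. As a point of style, the two function-expression assignments `img.onerror = function () { … }` and `img.onload = function () { … }` are missing the terminating `;`. The enclosing `dw_behaviour` object literal begins outside the hunk.
```javascript
    securityCheck: function () {
        var $checkDiv = jQuery('#security__check');
        // … unchanged: early return and cached-result lookup …

        var cacheKey = 'dw-security-check:' + DOKU_BASE;
        // cache: false appends a timestamp, replacing the manual '?t=' parameter
        jQuery.ajax({url: $checkDiv.data('src'), cache: false})
            .done(function () {
                // resource is readable: check failed, display a warning message
                $checkDiv.html(LANG.data_insecure);
                $checkDiv.addClass('error');
            })
            .fail(function (xhr) {
                $checkDiv.remove();
                // only a 403 proves the directory is protected; a 404 or a network
                // failure is inconclusive and must not be cached as a pass
                if (xhr.status === 403) {
                    sessionStorage.setItem(cacheKey, true);
                }
            });
    }
```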