From 052e1c84e6f3886785d70726f2b7cd528976d231 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 5 Jan 2021 11:21:09 +0100 Subject: do not repeat successful security checks. fixes #3363 This avoids creating lots of 403 errors for properly secured data directories. Only one successful check per browser session will be executed. --- lib/scripts/behaviour.js | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'lib/scripts') diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js index 70b60ef9a..009081f80 100644 --- a/lib/scripts/behaviour.js +++ b/lib/scripts/behaviour.js @@ -56,6 +56,7 @@ var dw_behaviour = { dw_behaviour.checkWindowsShares(); dw_behaviour.subscription(); dw_behaviour.pageRestoreConfirm(); + dw_behaviour.securityCheck(); dw_behaviour.revisionBoxHandler(); jQuery(document).on('click','#page__revisions input[type=checkbox]', @@ -204,6 +205,35 @@ var dw_behaviour = { } }); } + }, + + /** + * Check that access to the data directory is properly secured + * + * A successful check (a 403 error was returned when loading the image) is saved + * to session storage and not repeated again until the next browser session. This + * avoids overeager security bans (see #3363) + */ + securityCheck: function () { + var $checkA = jQuery('#security__check'); + if (!$checkA.length) return; + if (sessionStorage.getItem('security-check')) { + // check was already executed successfully + $checkA.remove(); + return; + } + + var img = new Image(347, 63); + img.onerror = function () { + // successful check will not be repeated during session + $checkA.remove(); + sessionStorage.setItem('security-check', true); + } + img.onload = function () { + // check failed, display the image + $checkA.html(img); + } + img.src = $checkA.data('src'); } }; -- cgit v1.2.3 From d3f829c2e865411af7ac548cd180da21c39771f2 Mon Sep 17 00:00:00 2001 
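Review bot: The new `dw_behaviour.securityCheck()` call is placed between `pageRestoreConfirm()` and `revisionBoxHandler()` in the init sequence, so any exception escaping it stops every handler registered after it. The function body added in the second hunk reads and writes `sessionStorage` unguarded, and browsers can throw on that access when storage is disabled (presumably a SecurityError when cookies are blocked; worth confirming for the browsers DokuWiki supports). Either wrap the call, `try { dw_behaviour.securityCheck(); } catch (e) { /* storage unavailable: skip the data-dir check */ }`, or guard the two storage accesses inside securityCheck itself so the check degrades to "run every time" instead of breaking init. The enclosing init function starts and ends outside the hunk.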
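Review bot: `img.onerror` fires for any load failure — a 404 because the image file was removed, a blocked or aborted request, a network error — not only for the 403 that the docblock describes, so a transient failure is recorded in sessionStorage as a passed check and is not retried until the next browser session. The Image API exposes no HTTP status, so the handler cannot tell these cases apart; the comment should state that rather than claim a 403 was observed, e.g. `// onerror cannot distinguish 403 from 404/network errors: any failure counts as "not readable", so this is a best-effort check`. If a stricter result is wanted, a request that exposes the real status (same-origin XHR) would allow persisting the flag only on 403, but that is a larger change than this hunk. The rewrites of this function in the 2021-01-11 and 2021-03-06 patches keep the same onerror logic, so the note applies to them as well.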
From: Andreas Gohr Date: Mon, 11 Jan 2021 17:16:30 +0100 Subject: cleaner behaviour for data directory check Show a properly translated message. --- inc/Ui/Admin.php | 3 +-- inc/lang/en/lang.php | 1 + lib/scripts/behaviour.js | 21 +++++++++++---------- lib/tpl/dokuwiki/css/_admin.less | 9 +++++++++ 4 files changed, 22 insertions(+), 12 deletions(-) (limited to 'lib/scripts') diff --git a/inc/Ui/Admin.php b/inc/Ui/Admin.php index 27a57225c..d3bbc6503 100644 --- a/inc/Ui/Admin.php +++ b/inc/Ui/Admin.php @@ -84,8 +84,7 @@ class Admin extends Ui { if(substr($conf['savedir'], 0, 2) !== './') return; $img = DOKU_URL . $conf['savedir'] . '/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png'; - echo ''; + echo '
'; } /** diff --git a/inc/lang/en/lang.php b/inc/lang/en/lang.php index 000368ac2..9e56d6f84 100644 --- a/inc/lang/en/lang.php +++ b/inc/lang/en/lang.php @@ -171,6 +171,7 @@ $lang['js']['media_done_btn'] = 'Done'; $lang['js']['media_drop'] = 'Drop files here to upload'; $lang['js']['media_cancel'] = 'remove'; $lang['js']['media_overwrt'] = 'Overwrite existing files'; +$lang['js']['data_insecure'] = 'WARNING: It seems your data directory is not properly secured. Please read about Web Access Security in DokuWiki.'; $lang['rssfailed'] = 'An error occurred while fetching this feed: '; $lang['nothingfound'] = 'Nothing was found.'; diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js index 009081f80..608a29de0 100644 --- a/lib/scripts/behaviour.js +++ b/lib/scripts/behaviour.js @@ -215,25 +215,26 @@ var dw_behaviour = { * avoids overeager security bans (see #3363) */ securityCheck: function () { - var $checkA = jQuery('#security__check'); - if (!$checkA.length) return; - if (sessionStorage.getItem('security-check')) { + var $checkDiv = jQuery('#security__check'); + if (!$checkDiv.length) return; + if (sessionStorage.getItem('dw-security-check:' + DOKU_BASE)) { // check was already executed successfully - $checkA.remove(); + $checkDiv.remove(); return; } - var img = new Image(347, 63); + var img = new Image(); img.onerror = function () { // successful check will not be repeated during session - $checkA.remove(); - sessionStorage.setItem('security-check', true); + $checkDiv.remove(); + sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true); } img.onload = function () { - // check failed, display the image - $checkA.html(img); + // check failed, display a warning message + $checkDiv.html(LANG.data_insecure); + $checkDiv.addClass('error'); } - img.src = $checkA.data('src'); + img.src = $checkDiv.data('src'); } }; diff --git a/lib/tpl/dokuwiki/css/_admin.less b/lib/tpl/dokuwiki/css/_admin.less index 38ca4bc63..115861203 100644 
--- a/lib/tpl/dokuwiki/css/_admin.less +++ b/lib/tpl/dokuwiki/css/_admin.less @@ -61,4 +61,13 @@ clear: right; float: left; } + + /* data directory security check */ + #security__check { + float: right; + max-width: 20em; + } + [dir=rtl] & #admin__version { + float: left; + } } -- cgit v1.2.3 From b68a7721c62562cbcd3924f5a14b4df85b5b2305 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Mon, 11 Jan 2021 17:23:22 +0100 Subject: add cache buster on security check request When doing a normal reload on the admin page to recheck the security, the browser may not re-request the image again. This adds a timestamp to the URL to ensure the image is tested again --- lib/scripts/behaviour.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/scripts') diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js index 608a29de0..41702fad7 100644 --- a/lib/scripts/behaviour.js +++ b/lib/scripts/behaviour.js @@ -234,7 +234,7 @@ var dw_behaviour = { $checkDiv.html(LANG.data_insecure); $checkDiv.addClass('error'); } - img.src = $checkDiv.data('src'); + img.src = $checkDiv.data('src') + '?t=' + Date.now(); } }; -- cgit v1.2.3 From c8241b3ba70ad84f5feb1a9285371c369abb1df0 Mon Sep 17 00:00:00 2001 From: Damien Regad Date: Sat, 6 Mar 2021 11:08:27 +0100 Subject: Add missing `;` causing syntax error in js.php --- lib/scripts/behaviour.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/scripts') diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js index 41702fad7..cd2ace459 100644 --- a/lib/scripts/behaviour.js +++ b/lib/scripts/behaviour.js 
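Review bot: The cache buster is appended with a hard-coded `?`, which assumes `data-src` carries no query string; that holds for the URL Admin.php builds from `DOKU_URL`, `$conf['savedir']` and the file name in the earlier patch, but a second `?` would corrupt the URL if that ever changes. A small guard keeps it robust: `var src = $checkDiv.data('src');` / `img.src = src + (src.indexOf('?') === -1 ? '?' : '&') + 't=' + Date.now();`. The reason for the parameter lives only in the commit message, so a line comment would help the next reader: `// cache buster: force a fresh request so a page reload re-tests the directory`.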
@@ -228,12 +228,12 @@ var dw_behaviour = { // successful check will not be repeated during session $checkDiv.remove(); sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true); - } + }; img.onload = function () { // check failed, display a warning message $checkDiv.html(LANG.data_insecure); $checkDiv.addClass('error'); - } + }; img.src = $checkDiv.data('src') + '?t=' + Date.now(); } }; -- cgit v1.2.3