From 9bed2ce8e2a25918a9ea0c5a8463e02153eb7f88 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 16 Feb 2018 22:00:34 +0100 Subject: [PATCH] Fix ignore file integrity check on filefunc.inc.php for deb/rpm package --- .../patches/use-etc-dolibarr-conf.patch | 13 +++++++++++ build/rpm/dolibarr-forrpm.patch | 14 ++++++++++++ build/rpm/dolibarr_fedora.spec | 1 + build/rpm/dolibarr_generic.spec | 1 + build/rpm/dolibarr_mandriva.spec | 1 + build/rpm/dolibarr_opensuse.spec | 1 + htdocs/admin/system/dolibarr.php | 2 +- htdocs/core/lib/files.lib.php | 22 +++++++++++++++---- htdocs/filefunc.inc.php | 22 ++++--------------- 9 files changed, 54 insertions(+), 23 deletions(-) diff --git a/build/debian/patches/use-etc-dolibarr-conf.patch b/build/debian/patches/use-etc-dolibarr-conf.patch index 04543e5fac6..07346ad4e63 100644 --- a/build/debian/patches/use-etc-dolibarr-conf.patch +++ b/build/debian/patches/use-etc-dolibarr-conf.patch @@ -9,6 +9,19 @@ Forwarded: not-needed Last-Update: 2013-07-29 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/htdocs/filefunc.inc.php ++++ b/htdocs/filefunc.inc.php +@@ -63,8 +63,8 @@ $conffiletoshowshort = "conf.php"; + $conffile = "conf/conf.php"; + $conffiletoshow = "htdocs/conf/conf.php"; + // For debian/redhat like systems +-//$conffile = "/etc/dolibarr/conf.php"; +-//$conffiletoshow = "/etc/dolibarr/conf.php"; ++$conffile = "/etc/dolibarr/conf.php"; ++$conffiletoshow = "/etc/dolibarr/conf.php"; + + + // Include configuration --- a/htdocs/install/inc.php +++ b/htdocs/install/inc.php @@ -73,8 +73,8 @@ $conffiletoshowshort = "conf.php"; diff --git a/build/rpm/dolibarr-forrpm.patch b/build/rpm/dolibarr-forrpm.patch index 5ea52664b98..5413702efa3 100644 --- a/build/rpm/dolibarr-forrpm.patch +++ b/build/rpm/dolibarr-forrpm.patch 
@@ -1,3 +1,17 @@
+diff -up htdocs/filefunc.inc.php.patch htdocs/filefunc.inc.php
+--- htdocs/filefunc.inc.php.patch 2011-09-03 02:32:48.666952000 +0200
++++ htdocs/filefunc.inc.php 2011-09-03 02:33:00.510952001 +0200
+@@ -63,8 +63,8 @@
+ $conffile = "conf/conf.php";
+ $conffiletoshow = "htdocs/conf/conf.php";
+ // For debian/redhat like systems
+-//$conffile = "/etc/dolibarr/conf.php";
+-//$conffiletoshow = "/etc/dolibarr/conf.php";
++$conffile = "/etc/dolibarr/conf.php";
++$conffiletoshow = "/etc/dolibarr/conf.php";
+
+
+ // Include configuration
 diff -up htdocs/install/inc.php.patch htdocs/install/inc.php
 --- htdocs/install/inc.php.patch 2011-09-03 02:33:26.450952000 +0200
 +++ htdocs/install/inc.php 2011-09-03 02:33:36.286952001 +0200
diff --git a/build/rpm/dolibarr_fedora.spec b/build/rpm/dolibarr_fedora.spec
index db3ca84ec03..6df6ccf052e 100755
--- a/build/rpm/dolibarr_fedora.spec
+++ b/build/rpm/dolibarr_fedora.spec
@@ -215,6 +215,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/webservices
 %_datadir/dolibarr/htdocs/website
 %_datadir/dolibarr/htdocs/*.ico
+%_datadir/dolibarr/htdocs/*.patch
 %_datadir/dolibarr/htdocs/*.php
 %_datadir/dolibarr/htdocs/*.txt
diff --git a/build/rpm/dolibarr_generic.spec b/build/rpm/dolibarr_generic.spec
index efffb54d092..f99836b7f74 100755
--- a/build/rpm/dolibarr_generic.spec
+++ b/build/rpm/dolibarr_generic.spec
@@ -295,6 +295,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/webservices
 %_datadir/dolibarr/htdocs/website
 %_datadir/dolibarr/htdocs/*.ico
+%_datadir/dolibarr/htdocs/*.patch
 %_datadir/dolibarr/htdocs/*.php
 %_datadir/dolibarr/htdocs/*.txt
diff --git a/build/rpm/dolibarr_mandriva.spec b/build/rpm/dolibarr_mandriva.spec
index 438f2bd096d..1034615c80a 100755
--- a/build/rpm/dolibarr_mandriva.spec
+++ b/build/rpm/dolibarr_mandriva.spec
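Review bot: `%_datadir/dolibarr/htdocs/*.patch` in the dolibarr_fedora.spec file list ships any `.patch` file left under htdocs into the web document root, and given that `dolibarr-forrpm.patch` diffs against `htdocs/filefunc.inc.php.patch` this looks like a pre-patch backup copy being packaged to quiet the unpackaged-files check rather than a file the application needs. A backup of a PHP source file inside the document root is normally served verbatim rather than executed, which is clutter at best and an unintended disclosure of the deployed (patched) bootstrap code at worst. Prefer removing it at build time, e.g. `rm -f %{buildroot}%_datadir/dolibarr/htdocs/*.patch` in `%install`, or listing it under `%exclude`, instead of packaging it; if the glob is intentional, a comment in the spec saying which file it is meant to catch would help. The same line is added in dolibarr_generic.spec, dolibarr_mandriva.spec and dolibarr_opensuse.spec.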
@@ -212,6 +212,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/webservices
 %_datadir/dolibarr/htdocs/website
 %_datadir/dolibarr/htdocs/*.ico
+%_datadir/dolibarr/htdocs/*.patch
 %_datadir/dolibarr/htdocs/*.php
 %_datadir/dolibarr/htdocs/*.txt
diff --git a/build/rpm/dolibarr_opensuse.spec b/build/rpm/dolibarr_opensuse.spec
index aa3844073a7..eb1887f229f 100755
--- a/build/rpm/dolibarr_opensuse.spec
+++ b/build/rpm/dolibarr_opensuse.spec
@@ -223,6 +223,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/webservices
 %_datadir/dolibarr/htdocs/website
 %_datadir/dolibarr/htdocs/*.ico
+%_datadir/dolibarr/htdocs/*.patch
 %_datadir/dolibarr/htdocs/*.php
 %_datadir/dolibarr/htdocs/*.txt
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index 8c4711f98c0..c36db521f70 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -49,7 +49,7 @@ $version='0.0';
 if ($action == 'getlastversion')
 {
- $result = getURLContent('http://sourceforge.net/projects/dolibarr/rss');
+ $result = getURLContent('https://sourceforge.net/projects/dolibarr/rss');
 //var_dump($result['content']);
 $sfurl = simplexml_load_string($result['content']);
 }
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 206d1bb8099..f62fb14c68b 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2777,28 +2777,42 @@ function dol_readcachefile($directory, $filename)
 */
 function getFilesUpdated(&$file_list, SimpleXMLElement $dir, $path = '', $pathref = '', &$checksumconcat = array())
 {
+ global $conffile;
+
 $exclude = 'install';
 foreach ($dir->md5file as $file) // $file is a simpleXMLElement
 {
 $filename = $path.$file['name'];
 $file_list['insignature'][] = $filename;
+ $expectedmd5 = (string) $file;
 //if (preg_match('#'.$exclude.'#', $filename)) continue;
 if (!file_exists($pathref.'/'.$filename))
 {
- $file_list['missing'][] = array('filename'=>$filename, 'expectedmd5'=>(string) $file);
+ $file_list['missing'][] = array('filename'=>$filename, 'expectedmd5'=>$expectedmd5);
 }
 else
 {
 $md5_local = md5_file($pathref.'/'.$filename);
- if ($md5_local != (string) $file) $file_list['updated'][] = array('filename'=>$filename, 'expectedmd5'=>(string) $file, 'md5'=>(string) $md5_local);
- $checksumconcat[] = $md5_local;
+
+ if ($conffile == '/etc/dolibarr/conf.php' && $filename == '/filefunc.inc.php') // For install with deb or rpm, we ignore test on filefunc.inc.php that was modified by package
+ {
+ $checksumconcat[] = $expectedmd5;
+ }
+ else
+ {
+ if ($md5_local != $expectedmd5) $file_list['updated'][] = array('filename'=>$filename, 'expectedmd5'=>$expectedmd5, 'md5'=>(string) $md5_local);
+ $checksumconcat[] = $md5_local;
+ }
 }
 }
- foreach ($dir->dir as $subdir) getFilesUpdated($file_list, $subdir, $path.$subdir['name'].'/', $pathref, $checksumconcat);
+ foreach ($dir->dir as $subdir) // $subdir['name'] is '' or '/accountancy/admin' for example
+ {
+ getFilesUpdated($file_list, $subdir, $path.$subdir['name'].'/', $pathref, $checksumconcat);
+ }
 return $file_list;
 }
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index f0f35ada857..3e9fffae38b 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
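Review bot: The new deb/rpm branch inside the `else` block of getFilesUpdated exempts `/filefunc.inc.php` from the comparison whenever `$conffile` is `/etc/dolibarr/conf.php`, and because it pushes `$expectedmd5` instead of `$md5_local` into `$checksumconcat` the aggregate checksum also comes out clean, so on packaged installs the bootstrap file included by every request is never verified and a modified copy is reported as intact with nothing in `$file_list` telling the admin page that a file was skipped. Rather than counting it as verified, record the exemption so it can be shown, e.g. `$file_list['skipped'][] = array('filename'=>$filename, 'expectedmd5'=>$expectedmd5, 'md5'=>(string) $md5_local);` in that branch (the caller would need to render the new key), and longer term have the deb/rpm patches ship the digest of the patched file so it can be checked like any other. Separately, the rewritten test `if ($md5_local != $expectedmd5)` is a loose comparison: PHP treats two hex digests of the form `0e…` followed by digits as equal numeric strings, so it should be `if ($md5_local !== $expectedmd5)`, and the `$conffile == …`/`$filename == …` checks can use `===` for the same reason. The function is complete within the hunk.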
@@ -62,30 +62,16 @@ $conffiletoshowshort = "conf.php";
 $conffile = "conf/conf.php";
 $conffiletoshow = "htdocs/conf/conf.php";
 // For debian/redhat like systems
-if (! file_exists($conffile))
-{
- $conffile = "/etc/dolibarr/conf.php";
- $conffiletoshow = "/etc/dolibarr/conf.php";
-}
+//$conffile = "/etc/dolibarr/conf.php";
+//$conffiletoshow = "/etc/dolibarr/conf.php";
+
 // Include configuration
 // --- End of part replaced by Dolibarr packager makepack-dolibarr
-// Replace conf filename with "conf" parameter on url by GET
-/* Disabled. This is a serious security hole
-if (! empty($_GET['conf']))
-{
- $confname=basename($_GET['conf']);
- setcookie('dolconf', $confname, 0, '/');
- $conffile = 'conf/'.$confname.'.php';
-} else {
- $confname=basename(empty($_COOKIE['dolconf']) ? 'conf' : $_COOKIE['dolconf']);
- $conffile = 'conf/'.$confname.'.php';
-}
-*/
 // Include configuration
-$result=@include_once $conffile; // Keep @ because with some error reporting this break the redirect
+$result=@include_once $conffile; // Keep @ because with some error reporting this break the redirect done when file not found
 if (! $result && ! empty($_SERVER["GATEWAY_INTERFACE"])) // If install not done and we are in a web session
 {
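Review bot: The two commented-out assignments that replace the `file_exists` fallback are now load-bearing but nothing at this spot says so: `build/debian/patches/use-etc-dolibarr-conf.patch` and `build/rpm/dolibarr-forrpm.patch` match them byte-for-byte and uncomment them, and getFilesUpdated in files.lib.php keys its integrity exemption on the resulting `$conffile` being exactly `/etc/dolibarr/conf.php`. A comment above them such as `// Keep these two lines verbatim: the deb/rpm build patches uncomment them, and the file integrity check in files.lib.php relies on this exact path` would stop a later cleanup from deleting them or rephrasing the path. Note also that a non-packaged install which relied on the removed runtime fallback to `/etc/dolibarr/conf.php` will presumably now fall into the install redirect below; if that is intended, the commit message could say so. The `if` block on the last line continues outside the hunk.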