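--- a/suphp-0.7.1.orig/doc/CONFIG
+++ b/suphp-0.7.1.orig/doc/CONFIG
@@ -100,6 +100,9 @@
   Is disabled by default:
   WARNING: Enabling this option is dangerous!
 
+check_all_parent_directory_ownership:
+  Disable checking directory ownership beyond the parent of the script.
+
 check_vhost_docroot:
   Checks wheter the script is within DOCUMENT_ROOT specified by the 
   webserver. This option is intended to avoid symbol links outside of the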
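--- a/suphp-0.7.1.orig/src/Application.cpp
+++ b/suphp-0.7.1.orig/src/Application.cpp
@@ -544,11 +544,13 @@
                                                const Configuration& config) const throw (SoftException) {
     File directory = file;
     Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
+    bool checkDirOwnership = true;
     do {
         directory = directory.getParentDirectory();
 
         UserInfo directoryOwner = directory.getUser();
-        if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
+        if (checkDirOwnership && directoryOwner != owner
+            && !directoryOwner.isSuperUser()) {
             std::string error = "Directory " + directory.getPath()
                 + " is not owned by " + owner.getUsername();
             logger.logWarning(error);
@@ -572,6 +574,13 @@
             logger.logWarning(error);
             throw SoftException(error, __FILE__, __LINE__);
         }
+#ifdef OPT_USERGROUP_PARANOID
+	if(!config.getCheckAllParentDirectoryOwnership()) {
+		/* We have checked the parent 
+		 * of the script so quit*/
+		checkDirOwnership = false;
+	}
+#endif
     } while (directory.getPath() != "/");
 }
 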
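Review bot: The block added in the second hunk is the only reader of the new option and it sits inside `#ifdef OPT_USERGROUP_PARANOID`, so a build without that define accepts `check_all_parent_directory_ownership=false` and still ownership-checks every ancestor; that fails safe, but nothing tells the administrator the setting was ignored. The comment `We have checked the parent of the script so quit` is also misleading: the loop does not quit, it keeps walking to `/` with only the ownership test switched off, and the checks between the two hunks (not shown here; the function also starts above the first hunk) presumably still run on each ancestor. I would reword it to `/* Immediate parent verified; skip only the ownership test for the remaining ancestors. */` and indent the block with spaces like the surrounding lines. With the option off, an ancestor directory owned by another unprivileged account is accepted, and the owner of a directory can rename or replace the entries beneath it, so this relaxation should be logged or at least carry a warning in doc/CONFIG.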
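--- a/suphp-0.7.1.orig/src/Configuration.cpp
+++ b/suphp-0.7.1.orig/src/Configuration.cpp
@@ -92,6 +92,7 @@
     this->allow_directory_group_writeable = false;
     this->allow_file_others_writeable = false;
     this->allow_directory_others_writeable = false;
+    this->check_all_parent_directory_ownership = true;
 #ifdef OPT_DISABLE_CHECKPATH
     this->check_vhost_docroot = false;
 #else
@@ -141,6 +142,9 @@
             else if (key == "allow_directory_others_writeable")
                 this->allow_directory_others_writeable = 
                     this->strToBool(value);
+            else if (key == "check_all_parent_directory_ownership")
+                this->check_all_parent_directory_ownership = 
+                    this->strToBool(value);
             else if (key == "check_vhost_docroot")
                 this->check_vhost_docroot = this->strToBool(value);
             else if (key == "errors_to_browser")
@@ -217,6 +221,10 @@
     return this->allow_directory_others_writeable;
 }
 
+bool suPHP::Configuration::getCheckAllParentDirectoryOwnership() const {
+    return this->check_all_parent_directory_ownership;
+}
+
 bool suPHP::Configuration::getErrorsToBrowser() const {
     return this->errors_to_browser;
 }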
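--- a/suphp-0.7.1.orig/src/Configuration.hpp
+++ b/suphp-0.7.1.orig/src/Configuration.hpp
@@ -49,6 +49,7 @@
         bool allow_directory_group_writeable;
         bool allow_file_others_writeable;
         bool allow_directory_others_writeable;
+	bool check_all_parent_directory_ownership;
         bool check_vhost_docroot;
         bool errors_to_browser;
         std::string env_path;
@@ -132,6 +133,12 @@
         bool getAllowDirectoryOthersWriteable() const;
 
         /**
+         * Returns whether suPHP should check ownership beyond the 
+         * parent of the script.
+        */
+        bool getCheckAllParentDirectoryOwnership() const;
+
+        /**
          * Returns whether (minor) error message should be sent to browser
          */
         bool getErrorsToBrowser() const;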
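Review bot: The doc comment added for `getCheckAllParentDirectoryOwnership()` does not say which value is the safe one or what the default is. Configuration.cpp on this page initialises the member to `true`, so a line such as `Defaults to true; when false only the script's immediate parent directory is ownership-checked.` would make the weakening explicit. The new member `check_all_parent_directory_ownership` is indented with a tab while its neighbours use spaces, and the comment's closing `*/` is one column short of the other comment blocks in this header. Both hunks are inside a class body that starts and ends outside the visible lines.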
