Access the installer via public_html

Author: alecpl

index.php

@@ -234,13 +234,13 @@
     }
 
     // check if installer is still active
-    if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
+    if ($RCMAIL->config->get('enable_installer') && is_readable(__DIR__ . '/public_html/installer.php')) {
         $RCMAIL->output->add_footer(html::div(['id' => 'login-addon', 'style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"],
-            html::tag('h2', ['style' => "margin-top:0.2em"], "Installer script is still accessible") .
-            html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
-            html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because
-                these files may expose sensitive configuration data like server passwords and encryption keys
-                to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
+            html::tag('h2', ['style' => "margin-top:0.2em"], "The Installer is still accessible") .
+            html::p(null, "The install script of your Roundcube installation is still available to everyone!") .
+            html::p(null, "Please <b>remove</b> the <tt>public_html/installer.php</tt> file from the Roundcube directory because
+                it may expose sensitive configuration data like server passwords and encryption keys
+                to the public. Make sure you cannot access <a href=\"installer.php\">the script</a> from your browser.")
         ));
     }
 

installer/check.php

@@ -15,7 +15,7 @@
 */
 
 if (!class_exists('rcmail_install', false) || !isset($RCI)) {
-    exit("Not allowed! Please open installer/index.php instead.");
+    exit("Not allowed! Please use installer.php instead.");
 }
 
 $required_php_exts = [
@@ -97,7 +97,7 @@
 ];
 
 ?>
-<form action="index.php" method="get">
+<form action="?" method="get">
 
 <?php
 echo '<input type="hidden" name="_step" value="' . ($RCI->configured ? 3 : 2) . '" />';

installer/config.php

@@ -15,7 +15,7 @@
 */
 
 if (!class_exists('rcmail_install', false) || !isset($RCI)) {
-    exit("Not allowed! Please open installer/index.php instead.");
+    exit("Not allowed! Please use installer.php instead.");
 }
 
 // allow the current user to get to the next step
@@ -39,7 +39,7 @@
         $save_button = '';
         if (($dir = sys_get_temp_dir()) && @is_writable($dir)) {
             echo '<iframe name="getconfig" style="display:none"></iframe>';
-            echo '<form id="getconfig_form" action="index.php" method="get" target="getconfig" style="display:none">';
+            echo '<form id="getconfig_form" action="?" method="get" target="getconfig" style="display:none">';
             echo '<input name="_getconfig" value="2" /></form>';
 
             $button_txt  = html::quote('Save in ' . $dir);
@@ -49,7 +49,7 @@
         echo '<p class="notice">Copy or download the following configuration and save it';
         echo ' as <tt><b>config.inc.php</b></tt> within the <tt>' . RCUBE_CONFIG_DIR . '</tt> directory of your Roundcube installation.<br/>';
         echo ' Make sure that there are no characters before the <tt>&lt;?php</tt> bracket when saving the file.';
-        echo '&nbsp;<input type="button" onclick="location.href=\'index.php?_getconfig=1\'" value="Download" />';
+        echo '&nbsp;<input type="button" onclick="location.href=\'?_getconfig=1\'" value="Download" />';
         echo $save_button;
 
         if ($RCI->legacy_config) {
@@ -66,14 +66,14 @@
     echo '<p class="hint">Of course there are more options to configure.
     Have a look at the defaults.inc.php file or visit <a href="https://github.com/roundcube/roundcubemail/wiki/Configuration" target="_blank">Howto_Config</a> to find out.</p>';
 
-    echo '<p><input type="button" onclick="location.href=\'./index.php?_step=3\'" value="CONTINUE" /></p>';
+    echo '<p><input type="button" onclick="location.href=\'?_step=3\'" value="CONTINUE" /></p>';
 
     // echo '<style type="text/css"> .configblock { display:none } </style>';
     echo "\n<hr style='margin-bottom:1.6em' />\n";
 }
 
 ?>
-<form action="index.php" method="post">
+<form action="?" method="post">
 <input type="hidden" name="_step" value="2" />
 
 <fieldset>

installer/index.php

@@ -86,7 +86,7 @@
 
 // go to 'check env' step if we have a local configuration
 if ($RCI->configured && empty($_REQUEST['_step'])) {
-    header("Location: ./?_step=1");
+    header("Location: ?_step=1");
     exit;
 }
 
@@ -97,15 +97,15 @@
 <title>Roundcube Webmail Installer</title>
 <meta name="Robots" content="noindex,nofollow" />
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<link rel="stylesheet" type="text/css" href="styles.css" />
-<script type="text/javascript" src="client.js"></script>
+<link rel="stylesheet" type="text/css" href="static.php/installer/styles.css" />
+<script type="text/javascript" src="static.php/installer/client.js"></script>
 </head>
 
 <body>
 
 <div id="banner">
   <div class="banner-bg"></div>
-  <div class="banner-logo"><a href="http://roundcube.net"><img src="images/roundcube_logo.png" width="210" height="55" border="0" alt="Roundcube - open source webmail software" /></a></div>
+  <div class="banner-logo"><a href="http://roundcube.net"><img src="static.php/installer/images/roundcube_logo.png" width="210" height="55" border="0" alt="Roundcube - open source webmail software" /></a></div>
 </div>
 
 <div id="topnav">
@@ -140,9 +140,9 @@
 <ol id="progress">
 <?php
 $include_steps = [
-    1 => './check.php',
-    2 => './config.php',
-    3 => './test.php',
+    1 => __DIR__ . '/check.php',
+    2 => __DIR__ . '/config.php',
+    3 => __DIR__ . '/test.php',
 ];
 
 if (!in_array($RCI->step, array_keys($include_steps))) {
@@ -151,7 +151,7 @@
 
 foreach (['Check environment', 'Create config', 'Test config'] as $i => $item) {
     $j = $i + 1;
-    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="./index.php?_step=' . $j . '">' . rcube::Q($item) . '</a>' : rcube::Q($item);
+    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="?_step=' . $j . '">' . rcube::Q($item) . '</a>' : rcube::Q($item);
     printf('<li class="step%d%s">%s</li>', $j + 1, $RCI->step > $j ? ' passed' : ($RCI->step == $j ? ' current' : ''), $link);
 }
 ?>

installer/test.php

@@ -15,7 +15,7 @@
 */
 
 if (!class_exists('rcmail_install', false) || !isset($RCI)) {
-    exit("Not allowed! Please open installer/index.php instead.");
+    exit("Not allowed! Please use installer.php instead.");
 }
 
 ?>
@@ -172,7 +172,7 @@
     $db_read = $DB->query("SELECT count(*) FROM " . $DB->quote_identifier($RCI->config['db_prefix'] . 'users'));
     if ($DB->is_error()) {
         $RCI->fail('DB Schema', "Database not initialized");
-        echo '<form action="index.php?_step=3" method="post">'
+        echo '<form action="?_step=3" method="post">'
             . '<p><input type="submit" name="initdb" value="Initialize database" /></p>'
             . '</form>';
 
@@ -185,7 +185,7 @@
         $select = $RCI->versions_select(['name' => 'version']);
         $select->add('0.9 or newer', '');
 
-        echo '<form action="index.php?_step=3" method="post">'
+        echo '<form action="?_step=3" method="post">'
             . '<p class="suggestion">You should run the update queries to get the schema fixed.'
             . '<br/><br/>Version to update from: ' . $select->show('')
             . '&nbsp;<input type="submit" name="updatedb" value="Update" /></p>'
@@ -304,7 +304,7 @@
 
 ?>
 
-<form action="index.php?_step=3" method="post">
+<form action="?_step=3" method="post">
 
 <h3>Test SMTP config</h3>
 
@@ -406,7 +406,7 @@
 
 </form>
 
-<form action="index.php?_step=3" method="post">
+<form action="?_step=3" method="post">
 
 <h3>Test IMAP config</h3>
 
@@ -489,12 +489,12 @@
 
 <p class="warning">
 
-After completing the installation and the final tests please <b>remove</b> the whole
-installer folder from the document root of the webserver or make sure that
+After completing the installation and the final tests please <b>remove</b> the
+installer.php file from the document root of the webserver or make sure that
 <tt>enable_installer</tt> option in <tt>config.inc.php</tt> is disabled.<br />
 <br />
 
-These files may expose sensitive configuration data like server passwords and encryption keys
-to the public. Make sure you cannot access this installer from your browser.
+The installer may expose sensitive configuration data like server passwords and encryption keys
+to the public. Make sure you cannot access it from your browser.
 
 </p>

public_html/plugins

@@ -49,16 +49,17 @@
  * @const array Path prefixes to look for the requested files
  */
 const ALLOWED_PATHS = [
+    'installer/',
     'plugins/',
     'program/',
     'skins/',
 ];
 
 define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/');
 
-$path = $_SERVER['PATH_INFO'];
+$path = validateStaticFile($_SERVER['PATH_INFO']);
 
-if (!($path = validateStaticFile($path))) {
+if (!$path) {
     header('HTTP/1.1 404 Not Found');
     exit;
 }