Properly logout and improve overall security

rigon · rigon · commit be1a405e18b1 · 2022-01-06T21:38:11.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -3,10 +3,19 @@ FROM php:apache
 # Enable ReWrite module
 RUN a2enmod rewrite
 
+# Install zip
+RUN apt update && \
+    apt install -y zip && \
+    apt clean && rm -rf /var/lib/apt/lists/*
+
 VOLUME /var/www/html/files/
 
 COPY . /var/www/html/
 
-RUN chmod a-w README.md EXAMPLES.md MARKDOWN-STYLES.md && \
+RUN ln -svf ../../README.md files/readme/readme.md && \
+    ln -svf ../../EXAMPLES.md files/examples/examples.md && \
+    ln -svf ../../MARKDOWN-STYLES.md files/markdown_styles/markdown_styles.md && \
+    chmod a-w README.md EXAMPLES.md MARKDOWN-STYLES.md && \
+    chown www-data files/ && \
     echo "upload_max_filesize = 50M" > /usr/local/etc/php/conf.d/upload_size.ini && \
     echo "post_max_size = 50M" >> /usr/local/etc/php/conf.d/upload_size.ini
diff --git a/README.md b/README.md
@@ -70,6 +70,9 @@ You can set environment variables to customize your installation:
  - `USER`: Username used for authentication
  - `PASS`: Password for the user
 
+For a multi-arch build, it can be done with:
+
+    docker buildx build --push -t rigon/spmdwe --platform linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le .
 
 Download
 ---
diff --git a/index.php b/index.php
@@ -10,7 +10,7 @@
 
 # Configuration
 $file_name = get_env("HOMEPAGE","home");	# file by default
-$file_mode = "view";						# "view" (implied default); "edit", "save", "save_edit", "upload", "template_save", "publish"
+$file_mode = "view";						# "view" (default), "edit", "save", "save_edit", "upload", "template_save", "publish", "published"
 
 define_env('SITE_NAME', 'Spmdwe Editor');	# Website name
 define_env('SAVE_ENABLED', true);			# set to false to disable saving ("demo mode")
@@ -73,48 +73,42 @@ function define_env($name, $default) {
 	session_start();
 	
 	## Check if authentication is provided
-	if(!isset($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW'])) {
-		$authenticated = false;
-		$message .= 'Authentication failed!\nProceeding in published mode...\n';
-	}
-	## Check user credentials using environment variables
-	elseif(isset($_ENV['USER']) and isset($_ENV['PASS'])) {
-		$user = $_SERVER['PHP_AUTH_USER'];
-		$pass = $_SERVER['PHP_AUTH_PW'];
-		if($user == $_ENV['USER'] and $pass == $_ENV['PASS'])
-			$authenticated = true;
-		else {
-			$authenticated = false;
-			$message .= 'Authentication failed!\nProceeding in published mode...\n';
+	if(isset($_SERVER['PHP_AUTH_USER']) and isset($_SERVER['PHP_AUTH_PW'])) {
+
+		## Check user credentials using environment variables (overrides htpasswd)
+		if(isset($_ENV['USER']) and isset($_ENV['PASS'])) {
+			$user = $_SERVER['PHP_AUTH_USER'];
+			$pass = $_SERVER['PHP_AUTH_PW'];
+			if($user == $_ENV['USER'] and $pass == $_ENV['PASS'])
+				$authenticated = true;
 		}
-	}
-	## Check user credentials using htpasswd
-	elseif(file_exists(AUTH_FILE)) {
-		$user = escapeshellarg($_SERVER['PHP_AUTH_USER']);
-		$pass = escapeshellarg($_SERVER['PHP_AUTH_PW']);
-		
-		exec("htpasswd -vb ".AUTH_FILE." $user $pass 2>&1", $output, $returnval);
-		$message .= implode('\n', $output).'\n';
-		
-		// Start session if valid
-		if($returnval == 0 and isset($_GET['login']))
-			$_SESSION['session_started'] = true;
-		
-		// Authenticate user if valid
-		if($returnval == 0 and isset($_SESSION['session_started']) and $_SESSION['session_started'] == true)
-			$authenticated = true;
-		else {
-			$authenticated = false;
-			$message .= 'Authentication failed!\nProceeding in published mode...\n';
+
+		## Check user credentials using htpasswd
+		elseif(file_exists(AUTH_FILE)) {
+			$user = escapeshellarg($_SERVER['PHP_AUTH_USER']);
+			$pass = escapeshellarg($_SERVER['PHP_AUTH_PW']);
+			
+			exec("htpasswd -vb ".AUTH_FILE." $user $pass 2>&1", $output, $returnval);
+			$message .= implode('\n', $output).'\n';
+			
+			// Start session if valid
+			if($returnval == 0 and isset($_GET['login']))
+				$_SESSION['session_started'] = true;
+			
+			// Authenticate user if valid
+			if($returnval == 0 and isset($_SESSION['session_started']) and $_SESSION['session_started'] == true)
+				$authenticated = true;
 		}
+
+		// Cleanup
+		$user = $_SERVER['PHP_AUTH_USER'];
+		unset($pass);
 	}
+
 	## Not authenticated
-	else
-		$authenticated = false;
-	
-	// Cleanup
-	$user = $_SERVER['PHP_AUTH_USER'];
-	unset($pass);
+	if(!$authenticated) {
+		$message .= 'Authentication failed!\n';
+	}
 	
 	## Login
 	if((isset($_GET['login']) and !$authenticated)) {
@@ -128,6 +122,7 @@ function define_env($name, $default) {
 	if(isset($_GET['logout']) and $authenticated) {
 		unset($_SESSION['session_started']);
 		$authenticated = false;
+		http_response_code(401);
 	}
 	//	$redirect_url = $_SERVER['REQUEST_SCHEME'].'://'.$_SERVER['HTTP_HOST'].substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'],'?'));
 	//	header("Location: $redirect_url");
@@ -146,7 +141,6 @@ function define_env($name, $default) {
 if(isset($_REQUEST['mode']))
 	$file_mode = $_REQUEST['mode'];
 
-
 # Discover the base URL of the application
 $baseurlapp = dirname($_SERVER['PHP_SELF']);
 if($baseurlapp == '/') $baseurlapp = '';
@@ -181,6 +175,11 @@ function define_env($name, $default) {
 	$message .= "Demo mode - files are just read only\\n";
 }
 
+# Published mode
+if($file_mode == "preview" or ($file_mode == "view" and !$authenticated and REQUIRE_AUTH)) {
+	$file_mode = "published";
+	$message .= 'Proceeding in published mode.\n';
+}
 
 # Set file as read-only
 if($file_mode == "readonly") {
@@ -228,7 +227,7 @@ function define_env($name, $default) {
 }
 
 # Upload a new file
-else if($file_mode == "upload" and !$file_readonly) {
+else if($file_mode == "upload" and !$file_readonly and REQUIRE_AUTH) {
 	$uploadfile = $file_path . basename($_FILES['file']['name']);
 
 	if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
@@ -244,7 +243,7 @@ function define_env($name, $default) {
 }
 
 # Save template
-else if($file_mode == "template_save") {
+else if($file_mode == "template_save" and REQUIRE_AUTH) {
 	$template = $_REQUEST['template'];
 	$result = file_put_contents(TEMPLATE_PUBLISH, $template);
 	
@@ -341,15 +340,15 @@ function define_env($name, $default) {
 	}
 }
 
-function max_upload() {
-	// Determines the maximum upload size allowed
-	$max_upload = (int)(ini_get('upload_max_filesize'));
-	$max_post = (int)(ini_get('post_max_size'));
-	$memory_limit = (int)(ini_get('memory_limit'));
-	$upload_mb = min($max_upload, $max_post, $memory_limit);
+// Determines the maximum upload size allowed
+$max_upload = min(
+	(int)(ini_get('upload_max_filesize')),
+	(int)(ini_get('post_max_size')),
+	(int)(ini_get('memory_limit')));
 
-	return $upload_mb;
-}
+# Get template file
+$template_file = htmlspecialchars(file_get_contents(
+		file_exists(TEMPLATE_PUBLISH) ? TEMPLATE_PUBLISH : TEMPLATE_EDIT));
 
 // for unicode output: (http://stackoverflow.com/questions/713293)
 header('Content-Type: text/html; charset=utf-8');
@@ -360,19 +359,14 @@ function max_upload() {
 //header('Cache-Control: post-check=0, pre-check=0', FALSE);
 //header('Pragma: no-cache');
 
-# Get template file
-$template_file = htmlspecialchars(file_get_contents(
-		file_exists(TEMPLATE_PUBLISH) ? TEMPLATE_PUBLISH : TEMPLATE_EDIT));
-
 # Preview with the template provided
-if(isset($_REQUEST['preview']) and isset($_REQUEST['template']))
-	eval('?>'.$_REQUEST['template'].'<?php ');	
+if($file_mode == "published" and isset($_REQUEST['template']) and REQUIRED_AUTH)
+	eval('?>'.$_REQUEST['template'].'<?php ');
 
 # Preview with the saved template
-else if(file_exists(TEMPLATE_PUBLISH) and (!$authenticated or (isset($_REQUEST['preview']) and !isset($_REQUEST['template']))))
+elseif($file_mode == "published" and file_exists(TEMPLATE_PUBLISH))
 	include(TEMPLATE_PUBLISH);
 
-# Use the edit template	
+# Use the edit template
 else
 	include(TEMPLATE_EDIT);
-
diff --git a/template.php b/template.php
@@ -1,22 +1,22 @@
 <?php
 /**
-GLOBAL VARIABLES
-================
-SITE_NAME			- name of the website
-$base_file_name		- name of the file, all revision files have the same base filename
-$file_name			- filename of the current file
-$file_revisions		- list of revisions to the file
-$file_readonly		- flag indicating if the file is read only
-$file_mode			- mode of the file, view or edit
-$file_contents		- contents of the file
-$file_css			- list of CSS snippets
-$list_files			- list of attached files
-$url_files			- URL to the files
-$baseurlapp			- base URL for the application, i. e. URL without the filename
-$baseurl			- URL with the filename
-$html				- HTML of the published version of the file
-
-*/
+ * GLOBAL VARIABLES
+ * ================
+ * SITE_NAME		- name of the website
+ * $base_file_name	- name of the file, all revision files have the same base filename
+ * $file_name		- filename of the current file
+ * $file_revisions	- list of revisions to the file
+ * $file_readonly	- flag indicating if the file is read only
+ * $file_mode		- mode of the file (view, edit or published)
+ * $file_contents	- contents of the file
+ * $file_css		- list of CSS snippets
+ * $list_files		- list of attached files
+ * $url_files		- URL to the files
+ * $baseurlapp		- base URL for the application, i. e. URL without the filename
+ * $baseurl			- URL with the filename
+ * $html			- HTML of the published version of the file
+ * $max_upload		- Maximum size for uploading data
+ */
 ?><!DOCTYPE html>
 <html>
 	<head>
@@ -269,7 +269,7 @@
 							<ul class="dropdown-menu" role="menu">
 								<li><a id="template_edit_button" href="#">Edit template</a></li>
 								<li><a id="publish" href="#">Publish file</a></li>
-								<li><a href="<?php echo $baseurl; ?>?preview" target="_blank">View published version</a></li>
+								<li><a href="<?php echo $baseurl; ?>?mode=preview" target="_blank">View published version</a></li>
 								<li class="divider"></li>
 								<li><a id="download_html" href="#">Download as HTML</a></li>
 								<li><a id="download_markdown" href="#">Download as Markdown</a></li>
@@ -327,7 +327,9 @@
 		<div class="container">
 			<div class="row">
 				<!-- Markdown -->
-				<div id="wmd-preview-editor" class="viewer col-md-<?php echo ($file_mode=="edit" ? "6" : "12"); ?>"></div>
+				<div id="wmd-preview-editor" class="viewer col-md-<?php echo ($file_mode=="edit" ? "6" : "12"); ?>">
+					<?php if($file_mode=="published") { echo $html; } ?>
+				</div>
 
 				<!-- Editor -->
 				<?php if ($file_mode=="edit") { ?>
@@ -398,7 +400,9 @@
 				});
 				
 				// Fills the viewer with HTML
-				$("#wmd-preview-editor").html(converter.makeHtml(markdown));
+				if(mode != 'published') {
+					$("#wmd-preview-editor").html(converter.makeHtml(markdown));
+				}
 				
 				if(mode == 'edit') {
 					// Sets textarea with the text
@@ -445,7 +449,7 @@
 			});
 			
 			$("#template_preview").click(function() {
-				$.post("<?php echo $baseurl; ?>?preview", {
+				$.post("<?php echo $baseurl; ?>?mode=preview", {
 					template: templateEditor.getValue()
 				}).done(function(data) {
 					var previewWindow = window.open("", "spmdwe_preview");
@@ -477,7 +481,7 @@
 
 			var dropzone = new Dropzone(document.documentElement, {		// Make the whole document a dropzone
 				url: "<?php echo $baseurl; ?>",	// Set the url
-				maxFilesize: <?php echo max_upload(); ?>,
+				maxFilesize: <?php echo $max_upload; ?>,
 				thumbnailWidth: 80,
 				thumbnailHeight: 80,
 				parallelUploads: 30,
