Fixed a critical vulnerability of the install tool (see #6855)

contao · Apr 7, 2014 · d4a14f1 · d4a14f1
1 parent ba3fead
commit d4a14f1
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 47 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,13 @@
 Contao Open Source CMS Changelog
 ================================
 
+Version 2.11.17 (2014-04-07)
+----------------------------
+
+### Fixed
+Fixed a critical vulnerability of the install tool (see #6855).
+
+
 Version 2.11.16 (2014-02-13)
 ----------------------------
 

diff --git a/contao/install.php b/contao/install.php
@@ -33,6 +33,7 @@
  * Initialize the system
  */
 define('TL_MODE', 'BE');
+define('TL_INSTALL', true);
 require_once('../system/initialize.php');
 
 
@@ -68,14 +69,6 @@ public function __construct()
 		$GLOBALS['TL_CONFIG']['showHelp'] = false;
 		$GLOBALS['TL_CONFIG']['displayErrors'] = true;
 
-		// Remove the pathconfig.php file if TL_PATH is wrong (see #5428)
-		if (($strPath = preg_replace('/\/contao\/[^\/]*$/i', '', $this->Environment->requestUri)) != TL_PATH)
-		{
-			$objFile = new File('system/config/pathconfig.php');
-			$objFile->delete();
-			$this->reload();
-		}
-
 		// Static URLs
 		$this->setStaticUrl('TL_FILES_URL', $GLOBALS['TL_CONFIG']['staticFiles']);
 		$this->setStaticUrl('TL_SCRIPT_URL', $GLOBALS['TL_CONFIG']['staticSystem']);
@@ -214,16 +207,6 @@ public function run()
 		}
 
 
-		/**
-		 * Check the websitePath
-		 */
-		if ($GLOBALS['TL_CONFIG']['websitePath'] !== null && !preg_match('/^' . preg_quote(TL_PATH, '/') . '\/contao\/' . preg_quote(basename(__FILE__), '/') . '/', $this->Environment->requestUri))
-		{
-			$this->Config->delete("\$GLOBALS['TL_CONFIG']['websitePath']");
-			$this->reload();
-		}
-
-
 		/**
 		 * Make the user accept the LGPL license
 		 */
@@ -291,6 +274,12 @@ public function run()
 		}
 
 
+		/**
+		 * Store the relative path
+		 */
+		$this->storeRelativePath();
+
+
 		/**
 		 * Set the install script password
 		 */
@@ -943,6 +932,39 @@ protected function setAuthCookie()
 	}
 
 
+	/**
+	 * Store the relative path
+	 */
+	protected function storeRelativePath()
+	{
+		if (TL_PATH === null)
+		{
+			return;
+		}
+
+		if (file_exists(TL_ROOT . '/system/config/pathconfig.php'))
+		{
+			$strPath = include TL_ROOT . '/system/config/pathconfig.php';
+
+			if (TL_PATH == $strPath)
+			{
+				return;
+			}
+		}
+
+		try
+		{
+			$objFile = new File('system/config/pathconfig.php');
+			$objFile->write("<?php\n\n// Relative path to the installation\nreturn " . var_export(TL_PATH, true) . ";\n");
+			$objFile->close();
+		}
+		catch (Exception $e)
+		{
+			log_message($e->getMessage());
+		}
+	}
+
+
 	/**
 	 * Output the template file and exit
 	 */

diff --git a/system/initialize.php b/system/initialize.php
@@ -67,21 +67,19 @@
  */
 $objEnvironment = Environment::getInstance();
 
-if (file_exists(TL_ROOT . '/system/config/pathconfig.php'))
+if (file_exists(TL_ROOT . '/system/config/pathconfig.php') && !defined('TL_INSTALL'))
 {
 	define('TL_PATH', include TL_ROOT . '/system/config/pathconfig.php');
 }
 elseif (TL_MODE == 'BE')
 {
-	define('TL_PATH', preg_replace('/\/contao\/[^\/]*$/i', '', $objEnvironment->requestUri));
+	define('TL_PATH', preg_replace('/\/contao\/[a-z]+\.php$/i', '', $objEnvironment->scriptName));
 }
 else
 {
 	define('TL_PATH', null); // cannot be reliably determined
 }
 
-$GLOBALS['TL_CONFIG']['websitePath'] = TL_PATH; // backwards compatibility
-
 
 /**
  * Start the session
@@ -98,6 +96,12 @@
 $objToken = RequestToken::getInstance();
 
 
+/**
+ * Set the website path (backwards compatibility)
+ */
+$GLOBALS['TL_CONFIG']['websitePath'] = TL_PATH;
+
+
 /**
  * Set error_reporting
  */
@@ -112,31 +116,6 @@
 @date_default_timezone_set($GLOBALS['TL_CONFIG']['timeZone']);
 
 
-/**
- * Store the relative path
- *
- * Only store this value if the temp directory is writable and the local
- * configuration file exists, otherwise it will initialize a Files object and
- * prevent the install tool from loading the Safe Mode Hack (see #3215).
- */
-if (TL_PATH !== null && !file_exists(TL_ROOT . '/system/config/pathconfig.php'))
-{
-	if (is_writable(TL_ROOT . '/system/tmp') && file_exists(TL_ROOT . '/system/config/localconfig.php'))
-	{
-		try
-		{
-			$objFile = new File('system/config/pathconfig.php');
-			$objFile->write("<?php\n\n// Relative path to the installation\nreturn '" . TL_PATH . "';\n");
-			$objFile->close();
-		}
-		catch (Exception $e)
-		{
-			log_message($e->getMessage());
-		}
-	}
-}
-
-
 /**
  * Set the mbstring encoding
  */