From: Michael M Slusarz Date: Wed, 13 Jan 2010 23:40:08 +0000 (-0700) Subject: Test script can be disabled via Horde configuration X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=9b67f7766979cb1a6b1561ac781815d733ded353;p=horde.git Test script can be disabled via Horde configuration --- diff --git a/horde/config/conf.php.dist b/horde/config/conf.php.dist index 00f3db0a7..ccfd524f7 100644 --- a/horde/config/conf.php.dist +++ b/horde/config/conf.php.dist @@ -55,6 +55,9 @@ $conf['cookie']['domain'] = $_SERVER['SERVER_NAME']; // http://lists.horde.org/archives/imp/Week-of-Mon-20030113/029149.html $conf['cookie']['path'] = '/horde'; +// Disable the test script (horde/test.php)? +$conf['testdisable'] = false; + // YOU SHOULDN'T CHANGE ANTHING BELOW THIS LINE. $conf['debug_level'] = E_ALL & ~E_NOTICE; $conf['umask'] = 077; diff --git a/horde/config/conf.xml b/horde/config/conf.xml index 1fd4084b7..edaabb45e 100644 --- a/horde/config/conf.xml +++ b/horde/config/conf.xml @@ -33,6 +33,8 @@ 077 + false diff --git a/horde/docs/SECURITY b/horde/docs/SECURITY index 64341dbb7..b70ae84ee 100644 --- a/horde/docs/SECURITY +++ b/horde/docs/SECURITY @@ -106,12 +106,8 @@ Restricting test.php files The ``test.php`` files provide a wealth of information that can be used against the site by attackers. One you have confirmed that everything is -working, you should disable access to the test.php files. You can do this via -the web server, or via system file permissions. On a unix system, you might -issue a command such as:: - -$ chmod a-rwx /home/httpd/html/horde/test.php -$ chmod a-rwx /home/httpd/html/horde/*/test.php +working, you should disable access to the test.php files, which can be done by +setting 'testdisable' to true in the Horde configuration. Preventing Apache from serving configuration and source files diff --git a/horde/test.php b/horde/test.php index fe7d0978a..f765b9713 100644 --- a/horde/test.php +++ b/horde/test.php 
@@ -22,17 +22,22 @@ require_once dirname(__FILE__) . '/lib/Application.php'; $api = new Horde_Application(array('authentication' => 'none')); +if (!empty($conf['testdisable'])) { + echo '

Horde test scripts have been disabled in the local configuration.

'; + exit; +} + /* We should have loaded the String class, from the Horde_Util package. If it * isn't defined, then we're not finding some critical libraries. */ if (!class_exists('Horde_String')) { - echo '

Required Horde libraries were not found. If PHP\'s error_reporting setting is high enough and display_errors is on, there should be error messages printed above that may help you in debugging the problem. If you are simply missing these files, then you need to install the framework module.

'; + echo '

Required Horde libraries were not found. If PHP\'s error_reporting setting is high enough and display_errors is on, there should be error messages printed above that may help you in debugging the problem. If you are simply missing these files, then you need to install the framework module.

'; exit; } /* Initialize the Horde_Test:: class. */ if (!class_exists('Horde_Test')) { /* Try and provide enough information to debug the missing file. */ - echo '

Unable to find the Horde_Test library. Your Horde installation may be missing critical files, or PHP may not have sufficient permissions to include files. There may be error messages printed above this message that will help you in debugging the problem.

'; + echo '

Unable to find the Horde_Test library. Your Horde installation may be missing critical files, or PHP may not have sufficient permissions to include files. There may be error messages printed above this message that will help you in debugging the problem.

'; exit; }
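Review bot: In the horde/config/conf.php.dist hunk, `$conf['testdisable'] = false;` ships with the test script enabled, so an installation that never revisits this setting keeps test.php reachable. The docs/SECURITY text in this same patch says test.php gives attackers a wealth of information, so consider defaulting to true, or at least have the comment tell the admin to set it to true once the installation is verified. The comment also names only horde/test.php; if the flag is meant to cover the application test.php files as well, say so here.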
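Review bot: In the horde/docs/SECURITY hunk, the new sentence says "the test.php files" (plural) can be disabled by setting 'testdisable', and the removed chmod lines covered horde/*/test.php too, but the only script this patch changes to check the flag is horde/test.php. Either state that the application test.php files are not covered yet, or keep the web server / file permission advice as a fallback for them. It would also help to write the key as it appears in the configuration, `$conf['testdisable']`, so readers can find it.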
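Review bot: In the horde/test.php hunk, the `!empty($conf['testdisable'])` check fails open: a conf.php written before this change has no such key, so the script keeps running in full until the admin regenerates the configuration. Consider documenting that upgrade step or treating a missing key as disabled. The disabled branch also only echoes a message and exits, so the client gets a normal response; sending a 403 status before the message would make the disabled state clear to scanners and monitoring.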