From 87e941516eb77e0aa14ed7e01280a6aff1ae36d2 Mon Sep 17 00:00:00 2001
From: OpenXE <>
Date: Wed, 7 Dec 2022 21:31:26 +0000
Subject: [PATCH] .htacces security check feature with automatic repair upon
 login

---
 .htaccess                              | 11 ++++
 phpwf/plugins/class.acl.php            | 75 ++++++++++++++++++++++++--
 www/.htaccess                          | 18 +++++++
 www/themes/new/templates/loginpage.tpl |  2 +-
 4 files changed, 102 insertions(+), 4 deletions(-)
 create mode 100644 .htaccess
 create mode 100644 www/.htaccess

diff --git a/.htaccess b/.htaccess
new file mode 100644
index 00000000..a77c94a7
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,11 @@
+# Generated file from class.acl.php
+                        # Disable directory browsing 
+                        Options -Indexes
+
+                        Order deny,allow
+                        Deny from all
+
+                        <Files "index.php">
+                            Order Allow,Deny
+                            Allow from all
+                        </Files>
\ No newline at end of file
diff --git a/phpwf/plugins/class.acl.php b/phpwf/plugins/class.acl.php
index 1183c87a..694ecad9 100644
--- a/phpwf/plugins/class.acl.php
+++ b/phpwf/plugins/class.acl.php
@@ -570,12 +570,20 @@ class Acl
 
   public function Login()
   {
-    $this->app->Tpl->Set('LOGINWARNING', 'display:none;visibility:hidden;');
-    if($this->IsInLoginLockMode() === true){
-      $this->app->Tpl->Set('LOGINWARNING', '');
+
+    $result = $this->CheckHtaccess();
+    if ($result !== true) {
+      $this->app->Tpl->Set('LOGINWARNING_TEXT', "Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren an Ihren Administrator. <br>($result)");
       return;
     }
 
+    if($this->IsInLoginLockMode() === true)
+    {
+      $this->app->Tpl->Set('LOGINWARNING_TEXT', 'Achtung: Es werden gerade Wartungsarbeiten in Ihrem System (z.B. Update oder Backup) durch Ihre IT-Abteilung durchgeführt. Das System sollte in wenigen Minuten wieder erreichbar sein. Für Rückfragen wenden Sie sich bitte an Ihren Administrator.');
+      return;
+    }
+    $this->app->Tpl->Set('LOGINWARNING_VISIBLE', 'hidden');
+
     $multidbs = $this->app->getDbs();
     if(count($multidbs) > 1)
     {
@@ -1206,4 +1214,65 @@ class Acl
 
   }
 
+  // HTACCESS SECURITY
+  // Check for correct .htaccess settings
+  // true if ok, else error text
+  protected function CheckHtaccess() : mixed {
+
+    $nominal = array(   '# Generated file from class.acl.php
+                        # Disable directory browsing 
+                        Options -Indexes
+
+                        Order deny,allow
+                        Deny from all
+
+                        <Files "index.php">
+                            Order Allow,Deny
+                            Allow from all
+                        </Files>',
+                        '# Generated file from class.acl.php
+                        SetEnv OPENXE_HTACCESS on
+           
+                        # Disable directory browsing 
+                        Options -Indexes
+
+                        Order deny,allow
+                        Allow from all
+
+                        <Files *.php>
+                            Order Allow,Deny
+                            Deny from all
+                        </Files>
+
+                        <Files index.php>
+                            Order Allow,Deny
+                            Allow from all
+                        </Files>');
+    
+    $script_file_name = $_SERVER['SCRIPT_FILENAME'];
+    $htaccess_path = array(
+                        dirname(dirname($script_file_name))."/.htaccess",   // root
+                        dirname($script_file_name)."/.htaccess");           // www
+   
+    for ($count = 0;$count < 2;$count++) {
+        $htaccess = file_get_contents($htaccess_path[$count]);           
+        if ($htacess === false) {
+            return("FATAL: ".$htaccess_path[$count]." nicht gefunden");            
+        }
+
+        $result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));
+        if ($result !== 0) {
+            $result = file_put_contents($htaccess_path[$count],$nominal[$count]);
+            if ($result === false) {
+                return("FATAL: ".$htaccess_path[$count]." fehlerhaft");
+            } 
+        }
+    }
+    if (!isset($_SERVER['OPENXE_HTACCESS'])) {
+        return("FATAL: htaccess nicht aktiv.");
+    }
+    return(true);
+    // HTACCESS SECURITY END
+  }
+
 }
diff --git a/www/.htaccess b/www/.htaccess
new file mode 100644
index 00000000..0e700325
--- /dev/null
+++ b/www/.htaccess
@@ -0,0 +1,18 @@
+# Generated file from class.acl.php
+                        SetEnv OPENXE_HTACCESS on
+           
+                        # Disable directory browsing 
+                        Options -Indexes
+
+                        Order deny,allow
+                        Allow from all
+
+                        <Files *.php>
+                            Order Allow,Deny
+                            Deny from all
+                        </Files>
+
+                        <Files index.php>
+                            Order Allow,Deny
+                            Allow from all
+                        </Files>
\ No newline at end of file
diff --git a/www/themes/new/templates/loginpage.tpl b/www/themes/new/templates/loginpage.tpl
index 92e0d0dd..ef538d1f 100644
--- a/www/themes/new/templates/loginpage.tpl
+++ b/www/themes/new/templates/loginpage.tpl
@@ -31,7 +31,7 @@
 			Willkommen bei OpenXE ERP.<br/>
 			Bitte gib Deinen Benutzernamen und Passwort ein!
 		</div>
-		<div style="[LOGINWARNING]" class="warning"><p>Achtung: Es werden gerade Wartungsarbeiten in Ihrem System (z.B. Update oder Backup) durch Ihre IT-Abteilung durchgeführt. Das System sollte in wenigen Minuten wieder erreichbar sein. Für Rückfragen wenden Sie sich bitte an Ihren Administrator.</p></div>
+		<div [LOGINWARNING_VISIBLE] class="warning"><p>[LOGINWARNING_TEXT]</p></div>
 
 		[SPERRMELDUNGNACHRICHT]
 		[PAGE]