index.php @ 3998:48e5fe3e4c22

Visit:

Revision 3998:48e5fe3e4c22, 17.8 KB checked in by franck <carnet.franck.paul@…>, 6 years ago (diff)
Remove unsafe-inline from CSP script-src directive (install/default/upgrade)

Line
1	<?php
2	/**
3	* @package Dotclear
4	* @subpackage Install
5	*
6	* @copyright Olivier Meunier & Association Dotclear
7	* @copyright GPL-2.0-only
8	*/
9
10	if (isset($_SERVER['DC_RC_PATH'])) {
11	$rc_path = $_SERVER['DC_RC_PATH'];
12	} elseif (isset($_SERVER['REDIRECT_DC_RC_PATH'])) {
13	$rc_path = $_SERVER['REDIRECT_DC_RC_PATH'];
14	} else {
15	$rc_path = dirname(__FILE__) . '/../../inc/config.php';
16	}
17
18	require dirname(__FILE__) . '/../../inc/prepend.php';
19	require dirname(__FILE__) . '/check.php';
20
21	$can_install = true;
22	$err = '';
23
24	# Loading locales for detected language
25	$dlang = http::getAcceptLanguage();
26	if ($dlang != 'en') {
27	l10n::init($dlang);
28	l10n::set(dirname(__FILE__) . '/../../locales/' . $dlang . '/date');
29	l10n::set(dirname(__FILE__) . '/../../locales/' . $dlang . '/main');
30	l10n::set(dirname(__FILE__) . '/../../locales/' . $dlang . '/plugins');
31	}
32
33	if (!defined('DC_MASTER_KEY') \|\| DC_MASTER_KEY == '') {
34	$can_install = false;
35	$err = '<p>' . __('Please set a master key (DC_MASTER_KEY) in configuration file.') . '</p>';
36	}
37
38	# Check if dotclear is already installed
39	$schema = dbSchema::init($core->con);
40	if (in_array($core->prefix . 'post', $schema->getTables())) {
41	$can_install = false;
42	$err = '<p>' . __('Dotclear is already installed.') . '</p>';
43	}
44
45	# Check system capabilites
46	if (!dcSystemCheck($core->con, $_e)) {
47	$can_install = false;
48	$err = '<p>' . __('Dotclear cannot be installed.') . '</p><ul><li>' . implode('</li><li>', $_e) . '</li></ul>';
49	}
50
51	# Get information and perform install
52	$u_email = $u_firstname = $u_name = $u_login = $u_pwd = '';
53	$mail_sent = false;
54	if ($can_install && !empty($_POST)) {
55	$u_email = !empty($_POST['u_email']) ? $_POST['u_email'] : null;
56	$u_firstname = !empty($_POST['u_firstname']) ? $_POST['u_firstname'] : null;
57	$u_name = !empty($_POST['u_name']) ? $_POST['u_name'] : null;
58	$u_login = !empty($_POST['u_login']) ? $_POST['u_login'] : null;
59	$u_pwd = !empty($_POST['u_pwd']) ? $_POST['u_pwd'] : null;
60	$u_pwd2 = !empty($_POST['u_pwd2']) ? $_POST['u_pwd2'] : null;
61
62	try
63	{
64	# Check user information
65	if (empty($u_login)) {
66	throw new Exception(__('No user ID given'));
67	}
68	if (!preg_match('/^[A-Za-z0-9@._-]{2,}$/', $u_login)) {
69	throw new Exception(__('User ID must contain at least 2 characters using letters, numbers or symbols.'));
70	}
71	if ($u_email && !text::isEmail($u_email)) {
72	throw new Exception(__('Invalid email address'));
73	}
74
75	if (empty($u_pwd)) {
76	throw new Exception(__('No password given'));
77	}
78	if ($u_pwd != $u_pwd2) {
79	throw new Exception(__("Passwords don't match"));
80	}
81	if (strlen($u_pwd) < 6) {
82	throw new Exception(__('Password must contain at least 6 characters.'));
83	}
84
85	# Try to guess timezone
86	$default_tz = 'Europe/London';
87	if (!empty($_POST['u_date']) && function_exists('timezone_open')) {
88	if (preg_match('/$(.+)$$/', $_POST['u_date'], $_tz)) {
89	$_tz = $_tz[1];
90	$_tz = @timezone_open($_tz);
91	if ($_tz instanceof DateTimeZone) {
92	$_tz = @timezone_name_get($_tz);
93
94	// check if timezone is valid
95	// date_default_timezone_set throw E_NOTICE and/or E_WARNING if timezone is not valid and return false
96	if (@date_default_timezone_set($_tz) !== false && $_tz) {
97	$default_tz = $_tz;
98	}
99	}
100	unset($_tz);
101	}
102	}
103
104	# Create schema
105	$_s = new dbStruct($core->con, $core->prefix);
106	require dirname(__FILE__) . '/../../inc/dbschema/db-schema.php';
107
108	$si = new dbStruct($core->con, $core->prefix);
109	$changes = $si->synchronize($_s);
110
111	# Create user
112	$cur = $core->con->openCursor($core->prefix . 'user');
113	$cur->user_id = $u_login;
114	$cur->user_super = 1;
115	$cur->user_pwd = $core->auth->crypt($u_pwd);
116	$cur->user_name = (string) $u_name;
117	$cur->user_firstname = (string) $u_firstname;
118	$cur->user_email = (string) $u_email;
119	$cur->user_lang = $dlang;
120	$cur->user_tz = $default_tz;
121	$cur->user_creadt = date('Y-m-d H:i:s');
122	$cur->user_upddt = date('Y-m-d H:i:s');
123	$cur->user_options = serialize($core->userDefaults());
124	$cur->insert();
125
126	$core->auth->checkUser($u_login);
127
128	$admin_url = preg_replace('%install/index.php$%', '', $_SERVER['REQUEST_URI']);
129	$root_url = preg_replace('%/admin/install/index.php$%', '', $_SERVER['REQUEST_URI']);
130
131	# Create blog
132	$cur = $core->con->openCursor($core->prefix . 'blog');
133	$cur->blog_id = 'default';
134	$cur->blog_url = http::getHost() . $root_url . '/index.php?';
135	$cur->blog_name = __('My first blog');
136	$core->addBlog($cur);
137	$core->blogDefaults($cur->blog_id);
138
139	$blog_settings = new dcSettings($core, 'default');
140	$blog_settings->addNamespace('system');
141	$blog_settings->system->put('blog_timezone', $default_tz);
142	$blog_settings->system->put('lang', $dlang);
143	$blog_settings->system->put('public_url', $root_url . '/public');
144	$blog_settings->system->put('themes_url', $root_url . '/themes');
145
146	# date and time formats
147	$formatDate = __('%A, %B %e %Y');
148	$date_formats = ['%Y-%m-%d', '%m/%d/%Y', '%d/%m/%Y', '%Y/%m/%d', '%d.%m.%Y', '%b %e %Y', '%e %b %Y', '%Y %b %e',
149	'%a, %Y-%m-%d', '%a, %m/%d/%Y', '%a, %d/%m/%Y', '%a, %Y/%m/%d', '%B %e, %Y', '%e %B, %Y', '%Y, %B %e', '%e. %B %Y',
150	'%A, %B %e, %Y', '%A, %e %B, %Y', '%A, %Y, %B %e', '%A, %Y, %B %e', '%A, %e. %B %Y'];
151	$time_formats = ['%H:%M', '%I:%M', '%l:%M', '%Hh%M', '%Ih%M', '%lh%M'];
152	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
153	$formatDate = preg_replace('#(?<!%)((?:%%)*)%e#', '\1%#d', $formatDate);
154	$date_formats = array_map(
155	function ($f) {
156	return str_replace('%e', '%#d', $f);
157	},
158	$date_formats);
159	}
160	$blog_settings->system->put('date_format', $formatDate);
161	$blog_settings->system->put('date_formats', $date_formats, 'array', 'Date formats examples', true, true);
162	$blog_settings->system->put('time_formats', $time_formats, 'array', 'Time formats examples', true, true);
163
164	# Add repository URL for themes and plugins
165	$blog_settings->system->put('store_plugin_url', 'http://update.dotaddict.org/dc2/plugins.xml', 'string', 'Plugins XML feed location', true, true);
166	$blog_settings->system->put('store_theme_url', 'http://update.dotaddict.org/dc2/themes.xml', 'string', 'Themes XML feed location', true, true);
167
168	# CSP directive (admin part)
169
170	/* SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
171	so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
172	*/
173	$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
174	$csp_suffix = $core->con->driver() == 'sqlite' ? ' 127.0.0.1' : ''; // Hack for SQlite Clearbricks driver
175
176	$blog_settings->system->put('csp_admin_on', true, 'boolean', 'Send CSP header (admin)', true, true);
177	$blog_settings->system->put('csp_admin_report_only', false, 'boolean', 'CSP Report only violations (admin)', true, true);
178	$blog_settings->system->put('csp_admin_default',
179	$csp_prefix . "'self'" . $csp_suffix, 'string', 'CSP default-src directive', true, true);
180	$blog_settings->system->put('csp_admin_script',
181	$csp_prefix . "'self' 'unsafe-eval'" . $csp_suffix, 'string', 'CSP script-src directive', true, true);
182	$blog_settings->system->put('csp_admin_style',
183	$csp_prefix . "'self' 'unsafe-inline'" . $csp_suffix, 'string', 'CSP style-src directive', true, true);
184	$blog_settings->system->put('csp_admin_img',
185	$csp_prefix . "'self' data: http://media.dotaddict.org blob:", 'string', 'CSP img-src directive', true, true);
186
187	# Add Dotclear version
188	$cur = $core->con->openCursor($core->prefix . 'version');
189	$cur->module = 'core';
190	$cur->version = (string) DC_VERSION;
191	$cur->insert();
192
193	# Create first post
194	$core->setBlog('default');
195
196	$cur = $core->con->openCursor($core->prefix . 'post');
197	$cur->user_id = $u_login;
198	$cur->post_format = 'xhtml';
199	$cur->post_lang = $dlang;
200	$cur->post_title = __('Welcome to Dotclear!');
201	$cur->post_content = '<p>' . __('This is your first entry. When you\'re ready ' .
202	'to blog, log in to edit or delete it.') . '</p>';
203	$cur->post_content_xhtml = $cur->post_content;
204	$cur->post_status = 1;
205	$cur->post_open_comment = 1;
206	$cur->post_open_tb = 0;
207	$post_id = $core->blog->addPost($cur);
208
209	# Add a comment to it
210	$cur = $core->con->openCursor($core->prefix . 'comment');
211	$cur->post_id = $post_id;
212	$cur->comment_tz = $default_tz;
213	$cur->comment_author = __('Dotclear Team');
214	$cur->comment_email = 'contact@dotclear.net';
215	$cur->comment_site = 'http://www.dotclear.org/';
216	$cur->comment_content = __("<p>This is a comment.</p>\n<p>To delete it, log in and " .
217	"view your blog's comments. Then you might remove or edit it.</p>");
218	$core->blog->addComment($cur);
219
220	# Plugins initialization
221	define('DC_CONTEXT_ADMIN', true);
222	$core->plugins->loadModules(DC_PLUGINS_ROOT);
223	$plugins_install = $core->plugins->installModules();
224
225	# Add dashboard module options
226	$core->auth->user_prefs->addWorkspace('dashboard');
227	$core->auth->user_prefs->dashboard->put('doclinks', true, 'boolean', '', null, true);
228	$core->auth->user_prefs->dashboard->put('dcnews', true, 'boolean', '', null, true);
229	$core->auth->user_prefs->dashboard->put('quickentry', true, 'boolean', '', null, true);
230	$core->auth->user_prefs->dashboard->put('nodcupdate', false, 'boolean', '', null, true);
231
232	# Add accessibility options
233	$core->auth->user_prefs->addWorkspace('accessibility');
234	$core->auth->user_prefs->accessibility->put('nodragdrop', false, 'boolean', '', null, true);
235
236	# Add user interface options
237	$core->auth->user_prefs->addWorkspace('interface');
238	$core->auth->user_prefs->interface->put('enhanceduploader', true, 'boolean', '', null, true);
239
240	# Add default favorites
241	$core->favs = new dcFavorites($core);
242	$init_favs = ['posts', 'new_post', 'newpage', 'comments', 'categories', 'media', 'blog_theme', 'widgets', 'simpleMenu', 'prefs', 'help'];
243	$core->favs->setFavoriteIDs($init_favs, true);
244
245	$step = 1;
246	} catch (Exception $e) {
247	$err = $e->getMessage();
248	}
249	}
250
251	if (!isset($step)) {
252	$step = 0;
253	}
254	header('Content-Type: text/html; charset=UTF-8');
255
256	// Prevents Clickjacking as far as possible
257	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
258
259	?>
260	<!DOCTYPE html>
261	<html lang="en">
262	<head>
263	<meta charset="UTF-8" />
264	<meta http-equiv="Content-Script-Type" content="text/javascript" />
265	<meta http-equiv="Content-Style-Type" content="text/css" />
266	<meta http-equiv="Content-Language" content="en" />
267	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
268	<meta name="GOOGLEBOT" content="NOSNIPPET" />
269	<title><?php echo __('Dotclear Install'); ?></title>
270
271	<link rel="stylesheet" href="../style/install.css" type="text/css" media="screen" />
272
273	<?php echo dcPage::jsLoad('../js/prepend.js'); ?>
274	<?php echo dcPage::jsLoad('../js/jquery/jquery.js'); ?>
275	<?php echo dcPage::jsLoad('../js/jquery/jquery.pwstrength.js'); ?>
276	<?php echo dcPage::jsJson('install', [
277	sprintf(__('Password strength: %s'), __('very weak')),
278	sprintf(__('Password strength: %s'), __('weak')),
279	sprintf(__('Password strength: %s'), __('mediocre')),
280	sprintf(__('Password strength: %s'), __('strong')),
281	sprintf(__('Password strength: %s'), __('very strong'))
282	]);
283	?>
284	<?php echo dcPage::jsJson('install_show', __('show')); ?>
285	<?php echo dcPage::jsLoad('../js/_install.js'); ?>
286	</head>
287
288	<body id="dotclear-admin" class="install">
289	<div id="content">
290	<?php
291	echo
292	'<h1>' . __('Dotclear installation') . '</h1>' .
293	'<div id="main">';
294
295	if (!is_writable(DC_TPL_CACHE)) {
296	echo '<div class="error" role="alert"><p>' . sprintf(__('Cache directory %s is not writable.'), DC_TPL_CACHE) . '</p></div>';
297	}
298
299	if ($can_install && !empty($err)) {
300	echo '<div class="error" role="alert"><p><strong>' . __('Errors:') . '</strong></p>' . $err . '</div>';
301	}
302
303	if (!empty($_GET['wiz'])) {
304	echo '<p class="success" role="alert">' . __('Configuration file has been successfully created.') . '</p>';
305	}
306
307	if ($can_install && $step == 0) {
308	echo
309	'<h2>' . __('User information') . '</h2>' .
310
311	'<p>' . __('Please provide the following information needed to create the first user.') . '</p>' .
312
313	'<form action="index.php" method="post">' .
314	'<fieldset><legend>' . __('User information') . '</legend>' .
315	'<p><label for="u_firstname">' . __('First Name:') . '</label> ' .
316	form::field('u_firstname', 30, 255, [
317	'default' => html::escapeHTML($u_firstname),
318	'autocomplete' => 'given-name'
319	]) .
320	'</p>' .
321	'<p><label for="u_name">' . __('Last Name:') . '</label> ' .
322	form::field('u_name', 30, 255, [
323	'default' => html::escapeHTML($u_name),
324	'autocomplete' => 'family-name'
325	]) .
326	'</p>' .
327	'<p><label for="u_email">' . __('Email:') . '</label> ' .
328	form::email('u_email', [
329	'size' => 30,
330	'default' => html::escapeHTML($u_email),
331	'autocomplete' => 'email'
332	]) .
333	'</p>' .
334	'</fieldset>' .
335
336	'<fieldset><legend>' . __('Username and password') . '</legend>' .
337	'<p><label for="u_login" class="required"><abbr title="' . __('Required field') . '">*</abbr> ' . __('Username:') . ' ' .
338	form::field('u_login', 30, 32, [
339	'default' => html::escapeHTML($u_login),
340	'extra_html' => 'required placeholder="' . __('Username') . '"',
341	'autocomplete' => 'username'
342	]) .
343	'</label></p>' .
344	'<div class="pw-table">' .
345	'<p class="pw-cell">' .
346	'<label for="u_pwd" class="required"><abbr title="' . __('Required field') . '">*</abbr> ' . __('New password:') . '</label>' .
347	form::password('u_pwd', 30, 255, [
348	'extra_html' => 'data-indicator="pwindicator" required placeholder="' . __('Password') . '"',
349	'autocomplete' => 'new-password'
350	]) .
351	'</p>' .
352	'<div id="pwindicator">' .
353	' <div class="bar"></div>' .
354	' <p class="label no-margin"></p>' .
355	'</div>' .
356	'</div>' .
357	'<p><label for="u_pwd2" class="required"><abbr title="' . __('Required field') . '">*</abbr> ' . __('Confirm password:') . ' ' .
358	form::password('u_pwd2', 30, 255, [
359	'extra_html' => 'required placeholder="' . __('Password') . '"',
360	'autocomplete' => 'new-password'
361	]) .
362	'</label></p>' .
363	'</fieldset>' .
364
365	'<p><input type="submit" value="' . __('Save') . '" /></p>' .
366	'</form>';
367	} elseif ($can_install && $step == 1) {
368	# Plugins install messages
369	$plugins_install_result = '';
370	if (!empty($plugins_install['success'])) {
371	$plugins_install_result .= '<div class="static-msg">' . __('Following plugins have been installed:') . '<ul>';
372	foreach ($plugins_install['success'] as $k => $v) {
373	$plugins_install_result .= '<li>' . $k . '</li>';
374	}
375	$plugins_install_result .= '</ul></div>';
376	}
377	if (!empty($plugins_install['failure'])) {
378	$plugins_install_result .= '<div class="error">' . __('Following plugins have not been installed:') . '<ul>';
379	foreach ($plugins_install['failure'] as $k => $v) {
380	$plugins_install_result .= '<li>' . $k . ' (' . $v . ')</li>';
381	}
382	$plugins_install_result .= '</ul></div>';
383	}
384
385	echo
386	'<h2>' . __('All done!') . '</h2>' .
387
388	$plugins_install_result .
389
390	'<p class="success" role="alert">' . __('Dotclear has been successfully installed. Here is some useful information you should keep.') . '</p>' .
391
392	'<h3>' . __('Your account') . '</h3>' .
393	'<ul>' .
394	'<li>' . __('Username:') . ' <strong>' . html::escapeHTML($u_login) . '</strong></li>' .
395	'<li>' . __('Password:') . ' <strong id="password">' . html::escapeHTML($u_pwd) . '</strong></li>' .
396	'</ul>' .
397
398	'<h3>' . __('Your blog') . '</h3>' .
399	'<ul>' .
400	'<li>' . __('Blog address:') . ' <strong>' . html::escapeHTML(http::getHost() . $root_url) . '/index.php?</strong></li>' .
401	'<li>' . __('Administration interface:') . ' <strong>' . html::escapeHTML(http::getHost() . $admin_url) . '</strong></li>' .
402	'</ul>' .
403
404	'<form action="../auth.php" method="post">' .
405	'<p><input type="submit" value="' . __('Manage your blog now') . '" />' .
406	form::hidden(['user_id'], html::escapeHTML($u_login)) .
407	form::hidden(['user_pwd'], html::escapeHTML($u_pwd)) .
408	'</p>' .
409	'</form>';
410	} elseif (!$can_install) {
411	echo '<h2>' . __('Installation can not be completed') . '</h2>' .
412	'<div class="error" role="alert"><p><strong>' . __('Errors:') . '</strong></p>' . $err . '</div>' .
413	'<p>' . __('For the said reasons, Dotclear can not be installed. ' .
414	'Please refer to <a href="http://dotclear.org/documentation/2.0/admin/install">' .
415	'the documentation</a> to learn how to correct the problem.') . '</p>';
416	}
417	?>
418	</div>
419	</div>
420	</body>
421	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/install/index.php @ 3998:48e5fe3e4c22

Download in other formats:

Sites map