index.php @ 2792:08fe3c330258

Visit:

Revision 2792:08fe3c330258, 14.6 KB checked in by franck <carnet.franck.paul@…>, 11 years ago (diff)
Prevents Clickjacking as far as possible (see https://www.owasp.org/index.php/Clickjacking), thanks Narendra Bhati for reporting this.

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12
13	if (isset($_SERVER['DC_RC_PATH'])) {
14	$rc_path = $_SERVER['DC_RC_PATH'];
15	} elseif (isset($_SERVER['REDIRECT_DC_RC_PATH'])) {
16	$rc_path = $_SERVER['REDIRECT_DC_RC_PATH'];
17	} else {
18	$rc_path = dirname(__FILE__).'/../../inc/config.php';
19	}
20
21	require dirname(__FILE__).'/../../inc/prepend.php';
22	require dirname(__FILE__).'/check.php';
23
24	$can_install = true;
25	$err = '';
26
27	# Loading locales for detected language
28	$dlang = http::getAcceptLanguage();
29	if ($dlang != 'en')
30	{
31	l10n::init($dlang);
32	l10n::set(dirname(__FILE__).'/../../locales/'.$dlang.'/date');
33	l10n::set(dirname(__FILE__).'/../../locales/'.$dlang.'/main');
34	l10n::set(dirname(__FILE__).'/../../locales/'.$dlang.'/plugins');
35	}
36
37	if (!defined('DC_MASTER_KEY') \|\| DC_MASTER_KEY == '') {
38	$can_install = false;
39	$err = '<p>'.__('Please set a master key (DC_MASTER_KEY) in configuration file.').'</p>';
40	}
41
42	# Check if dotclear is already installed
43	$schema = dbSchema::init($core->con);
44	if (in_array($core->prefix.'post',$schema->getTables())) {
45	$can_install = false;
46	$err = '<p>'.__('Dotclear is already installed.').'</p>';
47	}
48
49	# Check system capabilites
50	if (!dcSystemCheck($core->con,$_e)) {
51	$can_install = false;
52	$err = '<p>'.__('Dotclear cannot be installed.').'</p><ul><li>'.implode('</li><li>',$_e).'</li></ul>';
53	}
54
55	# Get information and perform install
56	$u_email = $u_firstname = $u_name = $u_login = $u_pwd = '';
57	$mail_sent = false;
58	if ($can_install && !empty($_POST))
59	{
60	$u_email = !empty($_POST['u_email']) ? $_POST['u_email'] : null;
61	$u_firstname = !empty($_POST['u_firstname']) ? $_POST['u_firstname'] : null;
62	$u_name = !empty($_POST['u_name']) ? $_POST['u_name'] : null;
63	$u_login = !empty($_POST['u_login']) ? $_POST['u_login'] : null;
64	$u_pwd = !empty($_POST['u_pwd']) ? $_POST['u_pwd'] : null;
65	$u_pwd2 = !empty($_POST['u_pwd2']) ? $_POST['u_pwd2'] : null;
66
67	try
68	{
69	# Check user information
70	if (empty($u_login)) {
71	throw new Exception(__('No user ID given'));
72	}
73	if (!preg_match('/^[A-Za-z0-9@._-]{2,}$/',$u_login)) {
74	throw new Exception(__('User ID must contain at least 2 characters using letters, numbers or symbols.'));
75	}
76	if ($u_email && !text::isEmail($u_email)) {
77	throw new Exception(__('Invalid email address'));
78	}
79
80	if (empty($u_pwd)) {
81	throw new Exception(__('No password given'));
82	}
83	if ($u_pwd != $u_pwd2) {
84	throw new Exception(__("Passwords don't match"));
85	}
86	if (strlen($u_pwd) < 6) {
87	throw new Exception(__('Password must contain at least 6 characters.'));
88	}
89
90	# Try to guess timezone
91	$default_tz = 'Europe/London';
92	if (!empty($_POST['u_date']) && function_exists('timezone_open'))
93	{
94	if (preg_match('/$(.+)$$/',$_POST['u_date'],$_tz)) {
95	$_tz = $_tz[1];
96	$_tz = @timezone_open($_tz);
97	if ($_tz instanceof DateTimeZone) {
98	$_tz = @timezone_name_get($_tz);
99
100	// check if timezone is valid
101	// date_default_timezone_set throw E_NOTICE and/or E_WARNING if timezone is not valid and return false
102	if (@date_default_timezone_set($_tz)!==false && $_tz) {
103	$default_tz = $_tz;
104	}
105	}
106	unset($_tz);
107	}
108	}
109
110	# Create schema
111	$_s = new dbStruct($core->con,$core->prefix);
112	require dirname(__FILE__).'/../../inc/dbschema/db-schema.php';
113
114	$si = new dbStruct($core->con,$core->prefix);
115	$changes = $si->synchronize($_s);
116
117	# Create user
118	$cur = $core->con->openCursor($core->prefix.'user');
119	$cur->user_id = $u_login;
120	$cur->user_super = 1;
121	$cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$u_pwd);
122	$cur->user_name = (string) $u_name;
123	$cur->user_firstname = (string) $u_firstname;
124	$cur->user_email = (string) $u_email;
125	$cur->user_lang = $dlang;
126	$cur->user_tz = $default_tz;
127	$cur->user_creadt = date('Y-m-d H:i:s');
128	$cur->user_upddt = date('Y-m-d H:i:s');
129	$cur->user_options = serialize($core->userDefaults());
130	$cur->insert();
131
132	$core->auth->checkUser($u_login);
133
134	$admin_url = preg_replace('%install/index.php$%','',$_SERVER['REQUEST_URI']);
135	$root_url = preg_replace('%/admin/install/index.php$%','',$_SERVER['REQUEST_URI']);
136
137	# Create blog
138	$cur = $core->con->openCursor($core->prefix.'blog');
139	$cur->blog_id = 'default';
140	$cur->blog_url = http::getHost().$root_url.'/index.php?';
141	$cur->blog_name = __('My first blog');
142	$core->addBlog($cur);
143	$core->blogDefaults($cur->blog_id);
144
145	$blog_settings = new dcSettings($core,'default');
146	$blog_settings->addNamespace('system');
147	$blog_settings->system->put('blog_timezone',$default_tz);
148	$blog_settings->system->put('lang',$dlang);
149	$blog_settings->system->put('public_url',$root_url.'/public');
150	$blog_settings->system->put('themes_url',$root_url.'/themes');
151
152	# date and time formats
153	$formatDate = __('%A, %B %e %Y');
154	$date_formats = array('%Y-%m-%d','%m/%d/%Y','%d/%m/%Y','%Y/%m/%d','%d.%m.%Y','%b %e %Y','%e %b %Y','%Y %b %e',
155	'%a, %Y-%m-%d','%a, %m/%d/%Y','%a, %d/%m/%Y','%a, %Y/%m/%d','%B %e, %Y','%e %B, %Y','%Y, %B %e','%e. %B %Y',
156	'%A, %B %e, %Y','%A, %e %B, %Y','%A, %Y, %B %e','%A, %Y, %B %e','%A, %e. %B %Y');
157	$time_formats = array('%H:%M','%I:%M','%l:%M','%Hh%M','%Ih%M','%lh%M');
158	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
159	$formatDate = preg_replace('#(?<!%)((?:%%)*)%e#','\1%#d',$formatDate);
160	$date_formats = array_map(create_function('$f',
161	'return str_replace(\'%e\',\'%#d\',$f);'
162	),$date_formats);
163	}
164	$blog_settings->system->put('date_format',$formatDate);
165	$blog_settings->system->put('date_formats',serialize($date_formats),'string','Date formats examples',true,true);
166	$blog_settings->system->put('time_formats',serialize($time_formats),'string','Time formats examples',true,true);
167
168	# Add repository URL for themes and plugins
169	$blog_settings->system->put('store_plugin_url','http://update.dotaddict.org/dc2/plugins.xml','string','Plugins XML feed location',true,true);
170	$blog_settings->system->put('store_theme_url','http://update.dotaddict.org/dc2/themes.xml','string','Themes XML feed location',true,true);
171
172	# Add Dotclear version
173	$cur = $core->con->openCursor($core->prefix.'version');
174	$cur->module = 'core';
175	$cur->version = (string) DC_VERSION;
176	$cur->insert();
177
178	# Create first post
179	$core->setBlog('default');
180
181	$cur = $core->con->openCursor($core->prefix.'post');
182	$cur->user_id = $u_login;
183	$cur->post_format = 'xhtml';
184	$cur->post_lang = $dlang;
185	$cur->post_title = __('Welcome to Dotclear!');
186	$cur->post_content = '<p>'.__('This is your first entry. When you\'re ready '.
187	'to blog, log in to edit or delete it.').'</p>';
188	$cur->post_content_xhtml = $cur->post_content;
189	$cur->post_status = 1;
190	$cur->post_open_comment = 1;
191	$cur->post_open_tb = 0;
192	$post_id = $core->blog->addPost($cur);
193
194	# Add a comment to it
195	$cur = $core->con->openCursor($core->prefix.'comment');
196	$cur->post_id = $post_id;
197	$cur->comment_tz = $default_tz;
198	$cur->comment_author = __('Dotclear Team');
199	$cur->comment_email = 'contact@dotclear.net';
200	$cur->comment_site = 'http://www.dotclear.org/';
201	$cur->comment_content = __("<p>This is a comment.</p>\n<p>To delete it, log in and ".
202	"view your blog's comments. Then you might remove or edit it.</p>");
203	$core->blog->addComment($cur);
204
205	# Plugins initialization
206	define('DC_CONTEXT_ADMIN',true);
207	$core->plugins->loadModules(DC_PLUGINS_ROOT);
208	$plugins_install = $core->plugins->installModules();
209
210	# Add dashboard module options
211	$core->auth->user_prefs->addWorkspace('dashboard');
212	$core->auth->user_prefs->dashboard->put('doclinks',true,'boolean','',null,true);
213	$core->auth->user_prefs->dashboard->put('dcnews',true,'boolean','',null,true);
214	$core->auth->user_prefs->dashboard->put('quickentry',true,'boolean','',null,true);
215
216	# Add accessibility options
217	$core->auth->user_prefs->addWorkspace('accessibility');
218	$core->auth->user_prefs->accessibility->put('nodragdrop',false,'boolean','',null,true);
219
220	# Add user interface options
221	$core->auth->user_prefs->addWorkspace('interface');
222	$core->auth->user_prefs->interface->put('enhanceduploader',true,'boolean','',null,true);
223
224	# Add default favorites
225	$core->favs = new dcFavorites($core);
226	$init_favs = array('posts','new_post','newpage','comments','categories','media','blog_theme','widgets','simpleMenu','prefs','help');
227	$core->favs->setFavoriteIDs($init_favs,true);
228
229	$step = 1;
230	}
231	catch (Exception $e)
232	{
233	$err = $e->getMessage();
234	}
235	}
236
237	if (!isset($step)) {
238	$step = 0;
239	}
240	header('Content-Type: text/html; charset=UTF-8');
241
242	// Prevents Clickjacking as far as possible
243	header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
244
245	?>
246	<!DOCTYPE html>
247	<html lang="en">
248	<head>
249	<meta charset="UTF-8" />
250	<meta http-equiv="Content-Script-Type" content="text/javascript" />
251	<meta http-equiv="Content-Style-Type" content="text/css" />
252	<meta http-equiv="Content-Language" content="en" />
253	<meta name="ROBOTS" content="NOARCHIVE,NOINDEX,NOFOLLOW" />
254	<meta name="GOOGLEBOT" content="NOSNIPPET" />
255	<title><?php echo __('Dotclear Install'); ?></title>
256
257	<link rel="stylesheet" href="../style/install.css" type="text/css" media="screen" />
258
259	<script type="text/javascript" src="../js/jquery/jquery.js"></script>
260	<?php echo dcPage::jsLoad('../js/jquery/jquery.pwstrength.js'); ?>
261	<script type="text/javascript">
262	//<![CDATA[
263	$(function() {
264	var login_re = new RegExp('[^A-Za-z0-9@._-]+','g');
265	$('#u_firstname').keyup(function() {
266	var login = this.value.toLowerCase().replace(login_re,'').substring(0,32);
267	$('#u_login').val(login);
268	});
269	$('#u_login').keyup(function() {
270	$(this).val(this.value.replace(login_re,''));
271	});
272
273	<?php echo "\$('#u_pwd').pwstrength({texts: ['".
274	sprintf(__('Password strength: %s'),__('very weak'))."', '".
275	sprintf(__('Password strength: %s'),__('weak'))."', '".
276	sprintf(__('Password strength: %s'),__('mediocre'))."', '".
277	sprintf(__('Password strength: %s'),__('strong'))."', '".
278	sprintf(__('Password strength: %s'),__('very strong'))."']});\n"; ?>
279
280	$('#u_login').parent().after($('<input type="hidden" name="u_date" value="' + Date().toLocaleString() + '" />'));
281
282	var password_link = $('<a href="#" id="obfus"><?php echo(__('show')); ?></a>').click(function() {
283	$('#password').show();
284	$(this).remove();
285	return false;
286	});
287	$('#password').hide().before(password_link);
288	});
289	//]]>
290	</script>
291	</head>
292
293	<body id="dotclear-admin" class="install">
294	<div id="content">
295	<?php
296	echo
297	'<h1>'.__('Dotclear installation').'</h1>'.
298	'<div id="main">';
299
300	if (!is_writable(DC_TPL_CACHE)) {
301	echo '<div class="error" role="alert"><p>'.sprintf(__('Cache directory %s is not writable.'),DC_TPL_CACHE).'</p></div>';
302	}
303
304	if ($can_install && !empty($err)) {
305	echo '<div class="error" role="alert"><p><strong>'.__('Errors:').'</strong></p>'.$err.'</div>';
306	}
307
308	if (!empty($_GET['wiz'])) {
309	echo '<p class="success" role="alert">'.__('Configuration file has been successfully created.').'</p>';
310	}
311
312	if ($can_install && $step == 0)
313	{
314	echo
315	'<h2>'.__('User information').'</h2>'.
316
317	'<p>'.__('Please provide the following information needed to create the first user.').'</p>'.
318
319	'<form action="index.php" method="post">'.
320	'<fieldset><legend>'.__('User information').'</legend>'.
321	'<p><label for="u_firstname">'.__('First Name:').'</label> '.
322	form::field('u_firstname',30,255,html::escapeHTML($u_firstname)).'</p>'.
323	'<p><label for="u_name">'.__('Last Name:').'</label> '.
324	form::field('u_name',30,255,html::escapeHTML($u_name)).'</p>'.
325	'<p><label for="u_email">'.__('Email:').'</label> '.
326	form::field('u_email',30,255,html::escapeHTML($u_email)).'</p>'.
327	'</fieldset>'.
328
329	'<fieldset><legend>'.__('Username and password').'</legend>'.
330	'<p><label for="u_login" class="required"><abbr title="'.__('Required field').'">*</abbr> '.__('Username:').' '.
331	form::field('u_login',30,32,html::escapeHTML($u_login)).'</label></p>'.
332	'<div class="pw-table">'.
333	'<p class="pw-cell">'.
334	'<label for="u_pwd" class="required"><abbr title="'.__('Required field').'">*</abbr> '.__('New password:').'</label>'.
335	form::password('u_pwd',30,255,'','','',false,' data-indicator="pwindicator" ').
336	'</p>'.
337	'<div id="pwindicator">'.
338	' <div class="bar"></div>'.
339	' <p class="label no-margin"></p>'.
340	'</div>'.
341	'</div>'.
342	'<p><label for="u_pwd2" class="required"><abbr title="'.__('Required field').'">*</abbr> '.__('Confirm password:').' '.
343	form::password('u_pwd2',30,255).'</label></p>'.
344	'</fieldset>'.
345
346	'<p><input type="submit" value="'.__('Save').'" /></p>'.
347	'</form>';
348	}
349	elseif ($can_install && $step == 1)
350	{
351	# Plugins install messages
352	$plugins_install_result = '';
353	if (!empty($plugins_install['success']))
354	{
355	$plugins_install_result .= '<div class="static-msg">'.__('Following plugins have been installed:').'<ul>';
356	foreach ($plugins_install['success'] as $k => $v) {
357	$plugins_install_result .= '<li>'.$k.'</li>';
358	}
359	$plugins_install_result .= '</ul></div>';
360	}
361	if (!empty($plugins_install['failure']))
362	{
363	$plugins_install_result .= '<div class="error">'.__('Following plugins have not been installed:').'<ul>';
364	foreach ($plugins_install['failure'] as $k => $v) {
365	$plugins_install_result .= '<li>'.$k.' ('.$v.')</li>';
366	}
367	$plugins_install_result .= '</ul></div>';
368	}
369
370	echo
371	'<h2>'.__('All done!').'</h2>'.
372
373	$plugins_install_result.
374
375	'<p class="success" role="alert">'.__('Dotclear has been successfully installed. Here is some useful information you should keep.').'</p>'.
376
377	'<h3>'.__('Your account').'</h3>'.
378	'<ul>'.
379	'<li>'.__('Username:').' <strong>'.html::escapeHTML($u_login).'</strong></li>'.
380	'<li>'.__('Password:').' <strong id="password">'.html::escapeHTML($u_pwd).'</strong></li>'.
381	'</ul>'.
382
383	'<h3>'.__('Your blog').'</h3>'.
384	'<ul>'.
385	'<li>'.__('Blog address:').' <strong>'.html::escapeHTML(http::getHost().$root_url).'/index.php?</strong></li>'.
386	'<li>'.__('Administration interface:').' <strong>'.html::escapeHTML(http::getHost().$admin_url).'</strong></li>'.
387	'</ul>'.
388
389	'<form action="../auth.php" method="post">'.
390	'<p><input type="submit" value="'.__('Manage your blog now').'" />'.
391	form::hidden(array('user_id'),html::escapeHTML($u_login)).
392	form::hidden(array('user_pwd'),html::escapeHTML($u_pwd)).
393	'</p>'.
394	'</form>';
395	}
396	elseif (!$can_install)
397	{
398	echo '<h2>'.__('Installation can not be completed').'</h2>'.
399	'<div class="error" role="alert"><p><strong>'.__('Errors:').'</strong></p>'.$err.'</div>'.
400	'<p>'.__('For the said reasons, Dotclear can not be installed. '.
401	'Please refer to <a href="http://dotclear.org/documentation/2.0/admin/install">'.
402	'the documentation</a> to learn how to correct the problem.').'</p>';
403	}
404	?>
405	</div>
406	</div>
407	</body>
408	</html>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/install/index.php @ 2792:08fe3c330258

Download in other formats:

Sites map