
Comments (6)

creativecat avatar creativecat commented on July 18, 2024

I definitely agree that we need a solution here. I know some developers who simply drop the include of class.secure.php. That is definitely a security problem. If we give module authors a way to handle their own files, this would be a great improvement.
But we should limit this to the module folder, so a module author can't allow any file outside

LEPTON_PATH . '/modules/' . $module_directory . '/' . {FILES DEFINED BY AUTHOR}

We could add a new file files.inc.php that stores the files that should be added for this module in an array. Something like:

$secure_files = array(
    'add_xcz.php',
    '/modiyxyz/xyz.php'
);

We could search for this array inside the install.php or upgrade.php as this array is only needed on installation.

from blackcatcms.

webbird avatar webbird commented on July 18, 2024

The solution I created is a bit different. I added a function to Addons-Helper that allows registering files. It can be used by install.php or upgrade.php. Here's the code for the News module, for example:

// add files to class_secure
foreach(
    array( 'add_group.php', 'add_post.php', 'comment.php', 'delete_comment.php', 'delete_group.php', 'delete_post.php',
           'modify_comment.php', 'modify_group.php', 'modify_post.php', 'modify_settings.php', 'move_down.php', 'move_up.php',
           'rss.php', 'save_comment.php', 'save_group.php', 'save_post.php', 'save_settings.php', 'submit_comment.php' )
    as $file
) {
    if ( false === $admin->get_helper('Addons')->sec_register_file( 'news', $file ) )
    {
         error_log( "Unable to register file -$file-!" );
    }
}

Filenames must be relative to the module dir, so giving paths outside module directory is not allowed. The list is stored in a new table called class_secure. Core files have mod_id 0, while all other files have mod_id from addons table. So it's easy to remove all file entries on module uninstall without forcing the module dev to do so.

from blackcatcms.

webbird avatar webbird commented on July 18, 2024

Open ToDos:

  • Drop id column from table class_secure (I always add an auto_increment column as first thing, but it's not needed here)
  • Add some checks to sec_register_file() method:
      • Do not allow use outside installer (don't know if this is possible)
      • Validate given file path

from blackcatcms.
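The rule stated in the comment above (file names must be relative to the module directory, no paths outside it) and the "Validate given file path" ToDo both call for the same check. The following is an added example, not BlackCat CMS code: a validation function that a registration helper such as sec_register_file() could call before storing a name in the class_secure table. LEPTON_PATH as the installation root and the modules layout LEPTON_PATH . '/modules/' . $module_directory are taken from the thread; the function name and its return convention are assumptions.

```php
<?php
// Added example, not BlackCat CMS code: one way to implement the "validate given file
// path" ToDo for a registration helper such as sec_register_file(). It enforces the
// rule from the thread that registered names are relative to the module directory.
// Hypothetical assumptions: LEPTON_PATH is the installation root and modules live in
// LEPTON_PATH . '/modules/' . $module_directory.
if (!defined('LEPTON_PATH')) {
    define('LEPTON_PATH', __DIR__); // stand-alone fallback for this example only
}

/**
 * Return the canonical module-relative path (forward slashes, no leading slash)
 * if $file names an existing .php file inside the module directory, else false.
 */
function sec_validate_module_file(string $module_directory, string $file)
{
    // Module directory names come from the addons table, but refuse anything odd anyway.
    if (!preg_match('/^[A-Za-z0-9_\-]+$/', $module_directory)) {
        return false;
    }
    // Cheap rejects before touching the filesystem: empty names, absolute paths,
    // Windows drive letters, NUL bytes and any ".." segment.
    if ($file === ''
        || $file[0] === '/' || $file[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $file)
        || strpos($file, "\0") !== false
        || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $file)) {
        return false;
    }
    $module_path = realpath(LEPTON_PATH . '/modules/' . $module_directory);
    if ($module_path === false) {
        return false; // module directory does not exist
    }
    $full = realpath($module_path . '/' . $file);
    // realpath() resolves symlinks too, so a link that points outside the module
    // directory fails the prefix check below even though the name looked harmless.
    if ($full === false
        || !is_file($full)
        || strpos($full, $module_path . DIRECTORY_SEPARATOR) !== 0
        || strtolower(pathinfo($full, PATHINFO_EXTENSION)) !== 'php') {
        return false;
    }
    $relative = substr($full, strlen($module_path) + 1);
    return str_replace(DIRECTORY_SEPARATOR, '/', $relative);
}

// How the News module loop from the thread could use it (hypothetical wiring):
// foreach ($files as $file) {
//     $clean = sec_validate_module_file('news', $file);
//     if ($clean === false) {
//         error_log("Refusing to register file -$file-!");
//         continue;
//     }
//     $admin->get_helper('Addons')->sec_register_file('news', $clean);
// }
```

The string checks alone are not enough, which is why the function also resolves the name with realpath() and compares the result against the resolved module directory: that catches symlinks and platform-specific separators that a regex would miss. Storing the canonical relative name means the lookup in class_secure later compares like with like.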

webbird avatar webbird commented on July 18, 2024

We should find a method to force the use of class.secure.php somehow. At least by not listing modules that don't in the repository.

from blackcatcms.

webbird avatar webbird commented on July 18, 2024

Added some more functionality:

  • auto-add csrf-magic in backend
  • auto-check authentication in backend (checks for configured backend subfolder name in current path)
  • auto-set template search path for backend (this is done in initialize.php for the frontend)

IMPORTANT NOTE: Ajax is allowed via POST only and must set _cat_ajax param.

from blackcatcms.
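The backend authentication check and the POST-only Ajax rule from the list above can be expressed as one request-classification function. This is an added example, not BlackCat CMS code; it leaves the csrf-magic integration aside and treats the configured backend folder name, the USER_ID session key and the return values as assumptions.

```php
<?php
// Added example, not BlackCat CMS code. Models the two backend checks listed above as
// one decision function over the request: a script path inside the configured backend
// folder requires an authenticated session, and an Ajax call is accepted only as POST
// with the _cat_ajax parameter set. $backend_folder, the USER_ID session key and the
// return values are hypothetical.

/**
 * Classify a request as 'frontend', 'backend' or 'ajax', or return false when it must
 * be refused. $server, $session and $request stand in for $_SERVER, $_SESSION and
 * $_REQUEST.
 */
function sec_classify_request(string $backend_folder, array $server, array $session, array $request)
{
    $script = $server['SCRIPT_NAME'] ?? '';
    // Match whole path segments so a folder named "backend" does not match
    // "/mybackend/" or "/backends/".
    $segments = explode('/', trim($script, '/'));
    if (!in_array($backend_folder, $segments, true)) {
        return 'frontend'; // frontend requests are handled by initialize.php
    }
    if (empty($session['USER_ID'])) {
        return false; // backend path without a logged-in user
    }
    if (isset($request['_cat_ajax'])) {
        // _cat_ajax is only honoured on POST; a GET carrying it is refused rather than
        // silently treated as a normal page request.
        return ($server['REQUEST_METHOD'] ?? '') === 'POST' ? 'ajax' : false;
    }
    return 'backend';
}

// Constructed sample requests (not captured from a real installation).
$logged_in = ['USER_ID' => 1];
$anonymous = [];

// anonymous user reaching a backend script: refused (false)
var_dump(sec_classify_request('backend',
    ['SCRIPT_NAME' => '/backend/pages/index.php', 'REQUEST_METHOD' => 'GET'], $anonymous, []));
// logged-in user, Ajax via POST with _cat_ajax: 'ajax'
var_dump(sec_classify_request('backend',
    ['SCRIPT_NAME' => '/backend/pages/ajax_save.php', 'REQUEST_METHOD' => 'POST'], $logged_in, ['_cat_ajax' => 1]));
// logged-in user, _cat_ajax on a GET request: refused (false)
var_dump(sec_classify_request('backend',
    ['SCRIPT_NAME' => '/backend/pages/ajax_save.php', 'REQUEST_METHOD' => 'GET'], $logged_in, ['_cat_ajax' => 1]));
// frontend page, no session needed: 'frontend'
var_dump(sec_classify_request('backend',
    ['SCRIPT_NAME' => '/index.php', 'REQUEST_METHOD' => 'GET'], $anonymous, []));
```

Segment matching instead of a substring test is the detail worth keeping: a substring check on the configured folder name would let a similarly named directory in the path trigger (or skip) the backend gate.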

webbird avatar webbird commented on July 18, 2024

As this was meant as a brainstorming issue and no more suggestions were made, I close this issue now. Just open a new one if you have suggestions on how to extend the class with more features.

from blackcatcms.
