Ticket #545 (new enhancement)

Opened 7 years ago

Last modified 5 years ago

GetEnv() revisited AKA "Relocatable Wikka"

Reported by: JavaWoman Owned by: JavaWoman
Priority: normal Milestone: blue-sky
Component: architecture Version: 1.1.6.3
Severity: normal Keywords: security, "multiple installations", cookie
Cc:

Description (last modified by JavaWoman) (diff)

Since the start of Wikka (I think) the startup file wikka.php has supported an environment variable 'WAKKA_CONFIG' that allowed an admin to point to a configuration file in a different location that the default one (the installation directory).

This has two advantages:

  1. The configuration file can be moved outside the webroot (providing security when PHP isn't active: the file can not be viewed from a browser then)
  2. The configuration file could be shared between different Wikka installations

Unfortunately, GetEnv() itself has security issues, which we addressed in security release 1.1.6.3 by replacing the environment variable with an optional defined constant. However, this would require an admin to edit the wikka.php file.

Taking the original idea a step further though, it would be desirable to:

  1. Allow more files to be shared between installations
  2. Allow more files to be moved outside the webroot
  3. Provide an easy way for admins to override default paths, with any edits as localized as possible

The solution would be to take the idea as implemented in 1.1.6.3 a little further and provide a little external file that only needs to be edited for paths to allow an admin to override the default paths. In fact, development of 1.1.7 (currently trunk) has already made multiple overrides desirable since the default configuration is now also stored in an external file: obviously that path needs to be overridable as well.

This makes #470 (milestone 1.1.7) a subticket of this one; I'm giving this a 1.1.7. milestone as well. (Component is a little hazy but I'll assign it to architecture - please correct if you know a better one!)


See  Relocating or Sharing a Wikka installation for more background and use cases.


Child tickets: #470, #81

See also: #98, #187

Change History

  Changed 7 years ago by JavaWoman

In [624] I've taken the first step in implementing this: i.e., not just for the "local configuration" but for the default configuration and all other "library files" as well. (This implies that even the core class Wakka.class.php is now relocatable!)

  Changed 7 years ago by JavaWoman

(In [662]) "Relocatable Wikka" - part 1

This is the core of the functionality to make Wikka's code and configuration relocatable. See  http://wikkawiki.org/RelocatingWikka for background and detailed description. WARNING: trunk will be highly unstable until all parts of "Relocatable Wikka" have been committed! refs #470, #545

  • wikka.php:
    • simple mechanism with 'key files' to enable working in 'development mode' (NOTICES shown) and/or 'debug mode' (debug messages shown) without needing to edit the source
    • major restructuring - each section clearly demarcated with comments, and dependencies indicated; do NOT change this order unless you have an intimate understanding of what's happening here, and why!
    • two little function moved from Compatibility.lib.php to here, to enable evaluating some path overrides before including some libraries, including Compatibility.lib.php (!)
    • all paths to relocatable (groups of) components are now derived as CONSTANTS; consequently in the rest of Wikka (including the installer) either these constants (or the configuration values overriding the defaults they set) must be used instead of using string constants!
  • Compatibility.lib.php:
    • two little functions moved to wikka.php
    • other minor updates necessary for the relatabale functionality
  • Config.class.php:
    • new variables added
    • some new docblocks added where they were still missing
    • to enable the relocation functionality, several variables now (must!) pick up their default value from constants derived in wikka.php
    • a few now-obsolete variables commented out
  • override.config.php (new file):
    • this file includes the (commented-out) constants that may define possible overrides
    • every constant carefully commented
    • file docblock explains purpose, usage and has some tips

  Changed 7 years ago by JavaWoman

(In [663]) "Relocatable Wikka" - part 2

Some changes in the (en) language file

refs #470, #545

  • en.inc.php:
    • a few texts promoted to general (WIKKA_) constants
    • a few constants were moved to wikka.php
    • obsolete constants uncommented
    • several minor textual changes
    • comments, todo markers

  Changed 7 years ago by JavaWoman

(In [664]) "Relocatable Wikka" - part 3

The Wikka core class Wikka.class.php

refs #470, #545

  • updated/added comments and @todo/@@@ markers
  • added constant WIKKA_URL_EXTENSION to use in building paths
  • added object variables for URL and URL components
  • Query(): extended error reporting with MySQL error number (easier to look up)
  • CheckMySQLVersion(): modified to make use of getMysqlVersion() (in Compatibility.lib.php) and version_compare(): interface changed: now only needs a single string representing the baseline version to compare against
  • IncludeBuffred(): removed @todo since the $path parameter now originates from a path component derived and validated in wikka.php
  • ReturnSafeHTML():
    • uses (possibly relocated!) path from configuration
    • uses instantiate() for PHP-version-dependent method to return an object reference
  • LoadWantedPages2(): fixed bug occurring when called with no $sort parameter specified
  • FullTextSearch(): makes use of new interface for CheckMySQLVersion() (including in commented-out section in case we ever want to re-instate that)
  • Redirect(): no longer uses config "base_url" for default (obsoleted by relocation functionality) but derives default URL from new object variable "wikka_path" (see above, and Run() below)
  • Href(): no longer uses config "base_url" and literal 'wikka.php?wakka=' to start building URL, but new object variable "wikka_path" instead (see above, and Run() below)
  • StaticHref(): rewritten to comply with relocatability:
    • parameter $filename renamed to $filepath to more clearly designate its function; it can now be:
      • a relative path
      • an absolute path (starting with a slash)
      • a fully-qualified URL (in which case the input is simply returned)
    • docblock updated
    • makes use of new object variables "base_domain_url" and "base_url" to build a URL (see above, and Run() below)
  • LogReferrer(): no longer uses config "base_url" but object variable "base_url" (see above, and Run() below) to build its regex to find external referrer
  • Action(): uses renamed config value "wikka_action_path" (which now may be a relocated path)
  • Handler(): uses renamed config value "wikka_handler_path" (which now may be a relocated path)
  • SaveACL(): slight change to how the "values list" for the query is built to make it easier to turn this into a function
  • CloneACLs(): slight change to how the "values list" for the query is built to make it easier to turn this into a function
  • Run() - several changes:
    • restructured, all major steps are now also commented with a short description
    • added a section to derive (once!) URL and URL component object variables so they can be used directly instead of being derived repeatedly all over the place; this also obsoletes the configuration value "base_url"
    • removed now-obsoleted redirects for images and stylesheets

  Changed 7 years ago by JavaWoman

(In [665]) "Relocatable Wikka" - part 4

The installer.

Note: although it's apparent quite a bit of work still needs to be done on the new installer, i've done my best to ,limit my changes to only those needed for the new relocation functionality; I have added various todo markers though.

refs #470, #545

  • inc/functions.inc.php:
    • update_default_page():
      • interface: instead of building paths with string literals, it now gets passed two extra parameters with location of default pages for default language, and a fallback path for the system default language
      • changed 'txt_filename' to 'txt_filepath' to avoid confusion with an actual file name
    • Language_selectbox():
      • uses constant WIKKA_LANG_PATH (which may contain a related path) instead of literal 'lang'
  • index.php:
    • use constant WIKKA_SETUP_PATH instead of string literal
  • default.php:
    • use constant CONFIG_DEFAULT_LANGUAGE for the system default language instead of string literal
  • check.php:
    • use already-defined constants MINIMUM_PHP_VERSION and MINIMUM_MYSQL_VERSION instead of PHP_REQ and MYSQL_REQ
    • make sure result of @touch() is evaluated and any error reported
  • setup.php:
    • directly use constant SITE_CONFIGFILE (which contains the -possibly relocated - path for the site configuration file) instead of a variable
    • make sure result of @touch() is evaluated and any error reported
    • report intended path for site config file before testing, so user can always check the intended path is being used (not only on error)
  • install.php:
    • derive variables for location of default pages for default language, and a fallback path for the system default language
    • pass these as extra parameters to the function update_default_page() (see above)
    • added pointer to future handling of page-specific ACLs for default pages will be needed for split up of UserSettings (refs #79)
    • directly use constant SITE_CONFIGFILE (which contains the -possibly relocated - path for the site configuration file) instead of a variable
  • links.php:
    • removed error_reporting(E_ALL): replaced by usage of 'errors' key file to trigger development mode - see wikka.php commit notes for [662]!
  • writeconfig.php
    • no longer writes $configbase_url? = $url (OBSOLETE now: Run() handles this dynamically)
    • no longer use $configbase_url? but internal variable $url instead (which holds the correct value)
    • minor correction to regex for deriving $rewrite_base
    • directly use constant SITE_CONFIGFILE (which contains the -possibly relocated - path for the site configuration file) instead of a variable

  Changed 7 years ago by JavaWoman

(In [666]) "Relocatable Wikka" - part 5

Actions and not-really action.

refs #470, #545

Actions:

  • colour.php:
    • uses new name 'wikka_action_path' instead of 'action_path' for configuration value to build include path
  • emailpassword.php:
    • uses new object variable "wikka_url" instead of OBSOLETE configuration value "base_url" to build path to reference in email
  • mindmap.php:
    • use new config variable "freemind_uripath" instead of string literal to build URI path to the Freemind applet
    • removed needless span on error message
  • rss.php:
    • use new config variable "onyx_path" instead of string literal to build URI path to the Onyx-RSS class
    • removed needless span on error message
  • textsearch.php:
    • use new interface for CheckMySQLVersion(), passing one version string instead of three values

Not-really action:

  • header.php:
    • <base> element no longer needed (with correct usage of StaticHref())
    • consequently we no longer need the config variable "base_url" (let alone its replacement)

  Changed 7 years ago by JavaWoman

(In [667]) "Relocatable Wikka" - part 6 (last of this set)

Handlers.

refs #470, #545

  • comments.xml.php:
    • use new config variable "feedcreator_path" (which may contain a relocated path) instead of string literal to build URI path to the FeedCreator class
    • uses instantiate() for PHP-version-dependent method to return an object reference
    • uses new object variable "base_url" instead of OBSOLETE configuration value "base_url" to use as source location
  • delete.php:
    • reformatted queries (slightly - needs more work)
    • uses new object variable "base_url" instead of OBSOLETE configuration value "base_url"
  • edit.php:
    • commented out dummy generation of header and footer since links aren't tracked there any more anyway
    • uses new config variable "wikiedit_uripath" (which may contain a relocated path) instead of string literal to build URI paths to the WikiEdit scripts
    • uses new config variable "wikiedit_uripath" (which may contain a relocated path) to build the variable $wikiedit_imgpath to pass as fourth parameter to the init() function of the WikiEdit object, so it can find its own images even if relocated. Note: WikiEdit already had this fourth parameter; it was just unused till now!
  • mindmap_fullscreen.php:
    • use constants WIKKA_LANG_PATH and CONFIG_DEFAULT_LANGUAGE to build paths to language file for selected default language and fallback language file (using system default language)
    • use constant ERROR_LANGUAGE_FILE_MISSING (in wikka.php) to generate error message if no language file can be found
    • use new config variable "freemind_uripath" instead of string literal to build URI path to the Freemind applet
    • a little cleanup (whitespace, naming)
  • recentchanges.xml.php:
    • use new config variable "feedcreator_path" (which may contain a relocated path) instead of string literal to build URI path to the FeedCreator class
    • uses instantiate() for PHP-version-dependent method to return an object reference
    • uses new object variable "base_url" instead of OBSOLETE configuration value "base_url" to use as source location
  • recentchanges.xml.php (note that even with the listed i18n changes i18n is not yet complete for this handler):
    • use FIRST_NODE_LABEL instead of string literal (i18n - refs #340)
    • use new object variable "wikka_url" instead of (OBSOLETE) config variable "base path" and constant WIKKA_URL_EXTENSION to build link to the current page
    • use WIKKA_ERROR_CAPTION and WIKKA_ERROR_ACL_READ_INFO instead of string literals to build error message (i18n - refs #340)
    • considerable cleanup (whitespace, coding guidelines)

  Changed 7 years ago by JavaWoman

With changesets [662], [663], [664], [665], [666] and [667], the first phase of this ticket is complete (as is child ticket #470).

With this set of changesets complete, trunk should be (reasonably ;)) stable again.

Note for this ticket (which targets relocation of many more Wikka components using the same mechanism) more work needs to be done! (More child tickets for follow-up phases to be added.)

  Changed 7 years ago by JavaWoman

  • description modified (diff)

  Changed 7 years ago by JavaWoman

  • description modified (diff)

  Changed 7 years ago by JavaWoman

  • description modified (diff)
  • summary changed from GetEnv() revisited to GetEnv() revisited AKA "Relocatable Wikka"

I thought I'd need to create a ticket for Wikka to set a proper cookie path instead of always using "/" which leads to not only different Wikkas on the same system seeing each other's cookies (and possible session leakage), but even other applications being set Wikka's cookies.

Cookies should be sent with an appropriate path.

We have already solved some of the cookie problems by hashing and making different Wikka installations using different cookie names, but the core problem remains unsolved: using a proper cookie path.

So: I'm making #81 a child ticket of this one: all issues are already described there, and the only thing that remains to be solved is proper cookie paths. No need to create a new ticket then!

Also, I've taken #81 from NilsLindenberg (and set target to 1.1.7) as this is the very next thing I'd figured needs to be solved after enabling relocating/sharing Wikka installations. And with the changes in place, it's trivial now.

See also #187, which is somewhat related, and might be tackled at the same time.

  Changed 7 years ago by JavaWoman

  • keywords installations", cookie added; installations" removed

  Changed 7 years ago by JavaWoman

(In [668]) Better cookie handling

  • Ensures that the cookie path is always set to the path corresponding with Wikka's URL path - including session cookie (in wikka.php). Fixes #81
  • New method SetACookie() which supports setting both session cookies and (default) persistent cookies; old methods SetSessionCookie() and SetPersistentCookie are retained as wrapper functions for backwards compatibility (for now). Fixes #187
  • Enhanced DeleteCookie() to enable it to remove cookies with old (not suffixed) names and with a specific path
  • New method DeleteOldCookies() which removes old-name cookies as well as cookies with path set to root if the current path is not root; the Run() method now uses this method to clean up

Note that the code still contains some debug code; this will be cleaned up in a later phase.

refs #545

in reply to: ↑ description   Changed 7 years ago by bzg

Since the start of Wikka (I think) the startup file wikka.php has supported an environment variable 'WAKKA_CONFIG' that allowed an admin to point to a configuration file in a different location that the default one (the installation directory).

Yes. But i not only want to share one instance of Wikka, i also want users to be able to install standalone Wikka instances on the fly (iff they get my authorization first, of course).

See  http://scz.wiki.mailxmail.com/PaginaInicial for an example (not fully tested though).

  Changed 5 years ago by DarTar

  • milestone changed from 1.2 to 1.3

Retargeting to 1.3. Code for this ticket may have already been committed to trunk, from which 1.3 will be branched. Consider backporting urgent issues to 1.2.X

  Changed 5 years ago by BrianKoontz

  • milestone changed from 1.3 to blue-sky
Note: See TracTickets for help on using tickets.