From 5f7e62142cffa795a7c2213f04f672a7dbfb7507 Mon Sep 17 00:00:00 2001
From: czaks <marcin@6irc.net>
Date: Sun, 21 Sep 2014 00:56:00 +0200
Subject: [PATCH] SECURITY: prevent a DoS attack by disabling HTTP access to
 tools/ scripts.

---
 tools/inc/cli.php       | 57 +----------------------------------------
 tools/rebuild.php       |  4 ---
 tools/recount-bumps.php |  4 ---
 tools/stats.php         |  4 ---
 4 files changed, 1 insertion(+), 68 deletions(-)

diff --git a/tools/inc/cli.php b/tools/inc/cli.php
index cff17e34..f3e8824f 100644
--- a/tools/inc/cli.php
+++ b/tools/inc/cli.php
@@ -13,7 +13,7 @@ error_reporting(E_ALL);
 set_time_limit(0);
 $shell_path = getcwd();
 
-if (isset ($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '127.0.0.1' && $_SERVER['REMOTE_ADDR'] != '::1') {
+if (php_sapi_name() != 'cli') {
 	die("This script is executable only from Command Line Interface.");
 }
 
@@ -48,59 +48,4 @@ $mod = Array(
 	'boards' => Array('*')
 );
 
-function get_httpd_privileges() {
-	global $config, $shell_path, $argv;
-	
-	if(php_sapi_name() != 'cli')
-		die("get_httpd_privileges(): invoked from HTTP client.\n");
-	
-	echo "Dropping priviledges...\n";
-	
-	if(!is_writable('.'))
-		die("get_httpd_privileges(): web directory is not writable\n");
-	
-	$filename = '.' . md5(rand()) . '.php';
-	$inc_filename = '.' . md5(rand()) . '.php';
-	
-	echo "Copying rebuilder to web directory...\n";
-	
-	// replace "/inc/cli.php" with its new filename
-	passthru("cat " . escapeshellarg($shell_path . '/' . $_SERVER['PHP_SELF']) . " | sed \"s/'\/inc\/cli\.php'/'\/{$inc_filename}'/\" > {$filename}");
-	
-	$inc_header = "<?php\n";
-	
-	// copy environment
-	$env = explode("\n", shell_exec('printenv | grep ^TINYBOARD'));
-	foreach($env as $line) {
-		if(!empty($line))
-			$inc_header .= "putenv('" . addslashes($line) . "');\n";
-	}
-	
-	// copy command line arguments
-	$inc_header .= "\$argv = " . var_export($argv, true) . ";\n";
-	
-	// copy this file
-	file_put_contents($inc_filename, $inc_header . substr($inc = file_get_contents(__FILE__), strpos($inc, "\n")));
-	
-	chmod($filename, 0666);
-	chmod($inc_filename, 0666);
-	
-	if(preg_match('/^https?:\/\//', $config['root'])) {
-		$url = $config['root'] . $filename;
-	} elseif($host = getenv('TINYBOARD_HOST')) {
-		$url = 'http://' . $host . $config['root'] . $filename;
-	} else {
-		// assume localhost
-		$url = 'http://localhost' . $config['root'] . $filename;
-	}
-	
-	echo "Downloading $url\n";
-	
-	passthru('curl -s -N ' . escapeshellarg($url));
-	
-	unlink($filename);
-	unlink($inc_filename);
-	
-	exit(0);
-}
 
diff --git a/tools/rebuild.php b/tools/rebuild.php
index bbf104a2..3501f8f6 100755
--- a/tools/rebuild.php
+++ b/tools/rebuild.php
@@ -21,10 +21,6 @@
 
 require dirname(__FILE__) . '/inc/cli.php';
 
-if(!is_writable($config['file_script'])) {
-	get_httpd_privileges();
-}
-
 $start = microtime(true);
 
 // parse command line
diff --git a/tools/recount-bumps.php b/tools/recount-bumps.php
index 5adc74d8..06e8ca9f 100644
--- a/tools/recount-bumps.php
+++ b/tools/recount-bumps.php
@@ -4,10 +4,6 @@
 
 require dirname(__FILE__) . '/inc/cli.php';
 
-if(!is_writable($config['file_script'])) {
-        get_httpd_privileges();
-}
-
 if (!isset ($argv[1])) {
 	die("Usage: tools/recount-bumps.php board_uri\n");
 }
diff --git a/tools/stats.php b/tools/stats.php
index 5043c788..0f05d6a8 100755
--- a/tools/stats.php
+++ b/tools/stats.php
@@ -2,10 +2,6 @@
 <?php
 require dirname(__FILE__) . '/inc/cli.php';
                 
-if(!is_writable($config['file_script'])) {
-        get_httpd_privileges();
-}
-
 $variants = [["hour", 3600], ["day", 3600*24], ["3 days", 3600*24*3],
              ["week", 3600*24*7], ["month", 3600*24*7*30]];