Allow cache files inside web root

Cache files now use PHP to avoid being readable. We also prevent access with .htaccess (for the common Apache setup).

Allow cache files inside web root
Cache files now use PHP to avoid being readable. We also prevent access with .htaccess (for the common Apache setup).
f394a34c · Scott · 618a5039 · f394a34c · f394a34c · f394a34c
Commit f394a34c authored Dec 22, 2017 by Scott
Showing with 11 additions and 11 deletions

.gitignore .gitignore +1 -1

.htaccess qa-cache/.htaccess +1 -0

qa-config-example.php qa-config-example.php +4 -4

FileCacheDriver.php qa-include/Q2A/Storage/FileCacheDriver.php +5 -6

No files found.
--- a/.gitignore
+++ b/.gitignore
 # Ignore config file in development
 qa-config.php
+qa-cache/*/
 # Other files
 .DS_Store
@@ -9,5 +10,4 @@ qa-config.php
 .Trashes
 ehthumbs.db
 Thumbs.db
 .idea/
--- a/qa-cache/.htaccess
+++ b/qa-cache/.htaccess
+Deny from all
--- a/qa-config-example.php
+++ b/qa-config-example.php
@@ -86,10 +86,10 @@
 */
 /*
-	If you wish to use caching, you must define QA_CACHE_DIRECTORY to store the cache files. The
+	If you wish to use file-based caching, you must define QA_CACHE_DIRECTORY to store the cache
-	directory must be writable by the web server. It also must be OUTSIDE the public root. For
+	files. The directory must be writable by the web server. For maximum security it's STRONGLY
-	example if your site resides in '/var/www/yoursite/public_html', then the cache directory could
+	recommended to place the folder outside of the web root (so they can never be accessed via a
-	be '/var/www/yoursite/qa-cache', but it cannot be '/var/www/yoursite/public_html/qa-cache'.
+	web browser).
 	define('QA_CACHE_DIRECTORY', '/path/to/writable_cache_directory/');
 */

--- a/qa-include/Q2A/Storage/FileCacheDriver.php
+++ b/qa-include/Q2A/Storage/FileCacheDriver.php
@@ -30,6 +30,8 @@ class Q2A_Storage_FileCacheDriver implements Q2A_Storage_CacheDriver
 	private $error;
 	private $cacheDir;
+	private $phpProtect = '<?php header($_SERVER[\'SERVER_PROTOCOL\'].\' 404 Not Found\'); die; ?>';
 	/**
 	 * Creates a new FileCache instance and checks we can write to the cache directory.
 	 * @param array $config Configuration data, including cache storage directory.
@@ -46,12 +48,8 @@ class Q2A_Storage_FileCacheDriver implements Q2A_Storage_CacheDriver
 		if (isset($config['dir'])) {
 			$this->cacheDir = realpath($config['dir']);
 			if (!is_writable($this->cacheDir)) {
 				$this->error = qa_lang_html_sub('admin/caching_dir_error', $config['dir']);
-			} elseif (strpos($this->cacheDir, realpath($_SERVER['DOCUMENT_ROOT'])) === 0 || strpos($this->cacheDir, realpath(QA_BASE_DIR)) === 0) {
-				// check the folder is outside the public root - checks against server root and Q2A root, in order to handle symbolic links
-				$this->error = qa_lang_html_sub('admin/caching_dir_public', $config['dir']);
 			}
 		} else {
 			$this->error = qa_lang_html('admin/caching_dir_missing');
@@ -77,6 +75,7 @@ class Q2A_Storage_FileCacheDriver implements Q2A_Storage_CacheDriver
 		if (is_readable($file)) {
 			$lines = file($file, FILE_IGNORE_NEW_LINES);
+			$skipLine = array_shift($lines);
 			$actualKey = array_shift($lines);
 			// double check this is the correct data
@@ -114,7 +113,7 @@ class Q2A_Storage_FileCacheDriver implements Q2A_Storage_CacheDriver
 		if ($this->enabled && $ttl > 0) {
 			$encData = serialize($data);
 			$expiry = time() + ($ttl * 60);
-			$cache = $fullKey . "\n" . $expiry . "\n" . $encData;
+			$cache = $this->phpProtect . "\n" . $fullKey . "\n" . $expiry . "\n" . $encData;
 			$file = $this->getFilename($fullKey);
 			$dir = dirname($file);
@@ -279,6 +278,6 @@ class Q2A_Storage_FileCacheDriver implements Q2A_Storage_CacheDriver
 	private function getFilename($fullKey)
 	{
 		$filename = sha1($fullKey);
-		return $this->cacheDir . '/' . substr($filename, 0, 1) . '/' . substr($filename, 1, 2) . '/' . $filename;
+		return $this->cacheDir . '/' . substr($filename, 0, 1) . '/' . substr($filename, 1, 2) . '/' . $filename . '.php';
 	}
 }