diff --git a/.htaccess.sample b/.htaccess.sample
index 64b66732271..10102b1c304 100644
--- a/.htaccess.sample
+++ b/.htaccess.sample
@@ -25,3 +25,18 @@ DirectoryIndex index.php index.html .ht
 RewriteCond %{REQUEST_FILENAME} !^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$ [NC]
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# 管理画面へのBasic認証サンプル
+#
+# Satisfy Any
+#
+# AuthType Basic
+# AuthName "Please enter username and password"
+# AuthUserFile /path/to/.htpasswd
+# AuthGroupFile /dev/null
+# require valid-user
+#
+# SetEnvIf Request_URI "^/admin" admin_path # ^/adminは, 管理画面URLに応じて変更してください
+# Order Allow,Deny
+# Allow from all
+# Deny from env=admin_path
diff --git a/html/.htaccess b/html/.htaccess
index 13ee2b4d25b..635816ceab1 100644
--- a/html/.htaccess
+++ b/html/.htaccess
@@ -21,3 +21,18 @@ allow from all
 RewriteCond %{REQUEST_FILENAME} !^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$ [NC]
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# 管理画面へのBasic認証サンプル
+#
+# Satisfy Any
+#
+# AuthType Basic
+# AuthName "Please enter username and password"
+# AuthUserFile /path/to/.htpasswd
+# AuthGroupFile /dev/null
+# require valid-user
+#
+# SetEnvIf Request_URI "^/admin" admin_path # ^/adminは, 管理画面URLに応じて変更してください
+# Order Allow,Deny
+# Allow from all
+# Deny from env=admin_path
diff --git a/src/Eccube/Application.php b/src/Eccube/Application.php
index 31b5388a1f1..6610000a389 100644
--- a/src/Eccube/Application.php
+++ b/src/Eccube/Application.php
@@ -319,7 +319,7 @@ public function initRendering()
 if ($app->isAdminRequest()) {
 // IP制限チェック
 $allowHost = $app['config']['admin_allow_host'];
- if (count($allowHost) > 0) {
+ if (is_array($allowHost) && count($allowHost) > 0) {
 if (array_search($app['request']->getClientIp(), $allowHost) === false) {
 throw new \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException();
 }
diff --git a/src/Eccube/Controller/Admin/AdminController.php b/src/Eccube/Controller/Admin/AdminController.php
index aacb93ed80e..1cf831aa7aa 100644
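Review bot: The commented-out sample relies on `Satisfy Any` together with `Order Allow,Deny` / `Allow from all` / `Deny from env=admin_path`, which is Apache 2.2 access-control syntax; on Apache 2.4 those directives are only available through mod_access_compat, and where that module is not loaded a pasted-in copy of this block makes every request to the site fail with a 500 for an unknown directive. Since operators are expected to uncomment this, a line next to `# Satisfy Any` stating that the block targets Apache 2.2 (mod_access_compat on 2.4) and a second sample in 2.4 form, `<If "%{REQUEST_URI} =~ m#^/admin#">` enclosing `Require valid-user`, would save them a broken site. The `AuthUserFile /path/to/.htpasswd` placeholder could also carry a short comment recommending a location outside the document root, since the rewrite rules above route every other path into the application. The identical block is added to `html/.htaccess` in the next hunk.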
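Review bot: The new `is_array()` guard makes a scalar `admin_allow_host` (for example a single address written as a plain string in the config) fall through as "no restriction" instead of as a one-entry allow-list, so a small configuration mistake silently disables the IP restriction; normalising the value keeps the restriction in force: `$allowHost = (array) $app['config']['admin_allow_host'];` followed by the original `if (count($allowHost) > 0) {`. The unchanged membership test below it uses `array_search(...) === false` without `strict`; `!in_array($app['request']->getClientIp(), $allowHost, true)` states the intent directly, and `IpUtils::checkIp()` from HttpFoundation would additionally accept CIDR ranges and the alternative spellings of IPv6 addresses if that is wanted. The same guard is added in `SecurityController::index()` in a later hunk, where it only prefills a form field and is harmless. `initRendering()` begins and ends outside the hunk.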
--- a/src/Eccube/Controller/Admin/AdminController.php
+++ b/src/Eccube/Controller/Admin/AdminController.php
@@ -79,6 +79,12 @@ public function index(Application $app, Request $request)
 }
 }
+ $is_danger_admin_url = false;
+ // 管理画面URLのチェック
+ if (isset($app['config']['admin_route']) && $app['config']['admin_route'] == 'admin') {
+ $is_danger_admin_url = true;
+ }
+
 // 受注マスター検索用フォーム
 $searchOrderBuilder = $app['form.factory']
 ->createBuilder('admin_search_order');
@@ -188,6 +194,7 @@ public function index(Application $app, Request $request)
 'salesYesterday' => $salesYesterday,
 'countNonStockProducts' => $countNonStockProducts,
 'countCustomers' => $countCustomers,
+ 'is_danger_admin_url' => $is_danger_admin_url,
 ));
 }
diff --git a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
index e7c3c9536a5..ce00e942eaa 100644
--- a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
+++ b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
@@ -123,12 +123,17 @@ public function index(Application $app, Request $request)
 // セキュリティ情報の取得
 $form->get('admin_route_dir')->setData($app['config']['admin_route']);
 $allowHost = $app['config']['admin_allow_host'];
- if (count($allowHost) > 0) {
+ if (is_array($allowHost) && count($allowHost) > 0) {
 $form->get('admin_allow_host')->setData(Str::convertLineFeed(implode("\n", $allowHost)));
 }
 $form->get('force_ssl')->setData((bool)$app['config']['force_ssl']);
 }
+ // 管理画面URLのチェック
+ if (isset($app['config']['admin_route']) && $app['config']['admin_route'] == 'admin') {
+ $app->addWarning('admin.system.security.admin.url.warning', 'admin');
+ }
+
 return $app->render('Setting/System/security.twig', array(
 'form' => $form->createView(),
 ));
diff --git a/src/Eccube/Form/Type/Install/Step3Type.php b/src/Eccube/Form/Type/Install/Step3Type.php
index 52b79d02aa5..0d00d796138 100644
--- a/src/Eccube/Form/Type/Install/Step3Type.php
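Review bot: The "dangerous admin URL" test `isset($app['config']['admin_route']) && $app['config']['admin_route'] == 'admin'` is written out here and again in `SecurityController::index()` in the next file section, and the installer forbids the same value through a third, separately phrased rule in `Step3Type`; putting the predicate in one place (a small method on `Application` that both controllers call) keeps the three from drifting apart. Both copies also use loose `==` with an exact, case-sensitive match, so `Admin` or `ADMIN` are never flagged although they are no harder to guess; `strtolower($app['config']['admin_route']) === 'admin'` covers those spellings. The `is_danger_admin_url` flag only feeds the template, so the warning is advisory and does not alter access control; a one-line comment above the check saying that this is intended would keep a later reader from looking for an enforcement path. `index()` starts and ends outside the hunk.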
+++ b/src/Eccube/Form/Type/Install/Step3Type.php
@@ -100,6 +100,7 @@ public function buildForm(FormBuilderInterface $builder, array $options)
 'max' => $this->app['config']['id_max_len'],
 )),
 new Assert\Regex(array('pattern' => '/\A\w+\z/')),
+ new Assert\NotEqualTo(array('value' => 'admin', 'message' => 'ディレクトリ名に「admin」を使用することはできません。')),
 ),
 ))
 ->add('admin_force_ssl', 'checkbox', array(
diff --git a/src/Eccube/Resource/locale/message.ja.yml b/src/Eccube/Resource/locale/message.ja.yml
index fd397f60e0e..f49482b6269 100644
--- a/src/Eccube/Resource/locale/message.ja.yml
+++ b/src/Eccube/Resource/locale/message.ja.yml
@@ -177,6 +177,7 @@ admin.content.cache.save.complete: キャッシュを削除しました。
 admin.system.security.save.complete: セキュリティ設定を保存しました。
 admin.system.security.route.dir.complete: 管理画面のURLを変更しましたので再ログインをしてください。
+admin.system.security.admin.url.warning: 管理画面URLは、セキュリティのため推測されにくいものを設定してください。
 admin.system.authority.save.complete: 権限設定を保存しました。
diff --git a/src/Eccube/Resource/template/admin/error.twig b/src/Eccube/Resource/template/admin/error.twig
index 4b7ec71efbc..cb84dd677b1 100644
--- a/src/Eccube/Resource/template/admin/error.twig
+++ b/src/Eccube/Resource/template/admin/error.twig
@@ -28,6 +28,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
diff --git a/src/Eccube/Resource/template/admin/index.twig b/src/Eccube/Resource/template/admin/index.twig
index 75cff0b529a..510c3a65dd2 100644
--- a/src/Eccube/Resource/template/admin/index.twig
+++ b/src/Eccube/Resource/template/admin/index.twig
@@ -44,7 +44,14 @@ $(function(){
 {% endblock javascript %}
 {% block main %}
-
+ {% if is_danger_admin_url %}
+
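Review bot: `Assert\NotEqualTo` compares with loose `!=`, so the installer rejects only the exact string `admin`; `Admin` or `ADMIN` satisfy this constraint yet are just as guessable, and they also slip past the runtime `== 'admin'` warnings that this commit adds in `AdminController` and `SecurityController`. A case-insensitive negative regex expresses the rule in a single constraint and lines up with the `\A\w+\z` check right above it: `new Assert\Regex(array('pattern' => '/\Aadmin\z/i', 'match' => false, 'message' => 'ディレクトリ名に「admin」を使用することはできません。')),`. `buildForm()` begins and ends outside the hunk.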