From c4e81cef5453dc69db7810fc6b49331076457abe Mon Sep 17 00:00:00 2001
From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com>
Date: Fri, 16 Nov 2018 10:59:02 +0900
Subject: [PATCH 1/4] =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=94=BB=E9=9D=A2URL?= =?UTF-8?q?=E3=81=AE=E8=AD=A6=E5=91=8A=E8=A1=A8=E7=A4=BA=E3=81=AE=E5=AF=BE?= =?UTF-8?q?=E5=BF=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Eccube/Controller/Admin/AdminController.php | 7 +++++++
 .../Admin/Setting/System/SecurityController.php | 5 +++++
 src/Eccube/Form/Type/Install/Step3Type.php | 1 +
 src/Eccube/Resource/locale/message.ja.yml | 1 +
 src/Eccube/Resource/template/admin/index.twig | 9 ++++++++-
 tests/Eccube/Tests/Form/Type/Install/Step3TypeTest.php | 8 ++++++++
 6 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/Eccube/Controller/Admin/AdminController.php b/src/Eccube/Controller/Admin/AdminController.php
index aacb93ed80e..1cf831aa7aa 100644
--- a/src/Eccube/Controller/Admin/AdminController.php
+++ b/src/Eccube/Controller/Admin/AdminController.php
@@ -79,6 +79,12 @@ public function index(Application $app, Request $request)
 }
 }
 
+ $is_danger_admin_url = false;
+ // 管理画面URLのチェック
+ if (isset($app['config']['admin_route']) && $app['config']['admin_route'] == 'admin') {
+ $is_danger_admin_url = true;
+ }
+
 // 受注マスター検索用フォーム
 $searchOrderBuilder = $app['form.factory']
 ->createBuilder('admin_search_order');
@@ -188,6 +194,7 @@ public function index(Application $app, Request $request)
 'salesYesterday' => $salesYesterday,
 'countNonStockProducts' => $countNonStockProducts,
 'countCustomers' => $countCustomers,
+ 'is_danger_admin_url' => $is_danger_admin_url,
 ));
 }
 
diff --git a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
index e7c3c9536a5..22edd6b4eec 100644
--- a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
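Review bot: The new check `$app['config']['admin_route'] == 'admin'` flags only the exact lowercase value, while the installer's `\A\w+\z` regex (same patch) lets a store owner pick `Admin` or `ADMIN`, which are just as guessable; the loose `==` is also PHP's type-juggling comparison. I'd compare case-insensitively and strictly: `if (isset($app['config']['admin_route']) && strcasecmp($app['config']['admin_route'], 'admin') === 0) {`. The identical condition is repeated in `SecurityController` in this same patch, so a small helper on `Application` (say `isDefaultAdminRoute()`) would give the dashboard banner and the settings-page flash one source of truth. The enclosing `index()` method starts and ends outside the hunk.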
+++ b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
@@ -129,6 +129,11 @@ public function index(Application $app, Request $request)
 $form->get('force_ssl')->setData((bool)$app['config']['force_ssl']);
 }
 
+ // 管理画面URLのチェック
+ if (isset($app['config']['admin_route']) && $app['config']['admin_route'] == 'admin') {
+ $app->addWarning('admin.system.security.admin.url.warning', 'admin');
+ }
+
 return $app->render('Setting/System/security.twig', array(
 'form' => $form->createView(),
 ));
diff --git a/src/Eccube/Form/Type/Install/Step3Type.php b/src/Eccube/Form/Type/Install/Step3Type.php
index 52b79d02aa5..0d00d796138 100644
--- a/src/Eccube/Form/Type/Install/Step3Type.php
+++ b/src/Eccube/Form/Type/Install/Step3Type.php
@@ -100,6 +100,7 @@ public function buildForm(FormBuilderInterface $builder, array $options)
 'max' => $this->app['config']['id_max_len'],
 )),
 new Assert\Regex(array('pattern' => '/\A\w+\z/')),
+ new Assert\NotEqualTo(array('value' => 'admin', 'message' => 'ディレクトリ名に「admin」を使用することはできません。')),
 ),
 ))
 ->add('admin_force_ssl', 'checkbox', array(
diff --git a/src/Eccube/Resource/locale/message.ja.yml b/src/Eccube/Resource/locale/message.ja.yml
index fd397f60e0e..f49482b6269 100644
--- a/src/Eccube/Resource/locale/message.ja.yml
+++ b/src/Eccube/Resource/locale/message.ja.yml
@@ -177,6 +177,7 @@ admin.content.cache.save.complete: キャッシュを削除しました。
 admin.system.security.save.complete: セキュリティ設定を保存しました。
 admin.system.security.route.dir.complete: 管理画面のURLを変更しましたので再ログインをしてください。
+admin.system.security.admin.url.warning: 管理画面URLは、セキュリティのため推測されにくいものを設定してください。
 admin.system.authority.save.complete: 権限設定を保存しました。
diff --git a/src/Eccube/Resource/template/admin/index.twig b/src/Eccube/Resource/template/admin/index.twig
index 75cff0b529a..510c3a65dd2 100644
--- a/src/Eccube/Resource/template/admin/index.twig
+++ b/src/Eccube/Resource/template/admin/index.twig
@@ -44,7 +44,14 @@ $(function(){
 {% endblock javascript %}
 
 {% block main %}
-
+ {% if is_danger_admin_url %}
+
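Review bot: The flash warning fires only when the settings page is rendered, and nothing in this patch stops the same form from writing `admin` back into `admin_route`: the `NotEqualTo` constraint was added to the installer's `Step3Type` only, while the `admin_route_dir` field this controller populates (visible in the patch-2 hunk at line 124) keeps whatever form type it had. If the goal is to keep the default name out, the same constraint belongs on that form type too, and the comparison here should match the installer's intent, e.g. `strcasecmp($app['config']['admin_route'], 'admin') === 0` so `Admin` also warns. The POST branch of `index()` is outside the hunk, so whether the value is validated elsewhere needs confirming. The enclosing `index()` starts and ends outside the hunk.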
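Review bot: `Assert\NotEqualTo` compares with `!=`, so the new constraint rejects only the exact string `admin`; `Admin`, `ADMIN` and every other casing pass both it and the `\A\w+\z` regex on the line above. A negated case-insensitive regex covers all spellings in one constraint: `new Assert\Regex(array('pattern' => '/\Aadmin\z/i', 'match' => false, 'message' => 'ディレクトリ名に「admin」を使用することはできません。')),`. The message is a hard-coded Japanese literal, whereas the flash message in this same patch goes through `message.ja.yml`; if the installer form has the translator available, a key would keep the two consistent. The enclosing `buildForm()` starts and ends outside the hunk.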
+
+ + 管理画面URLは、セキュリティのため推測されにくいものを設定してください。「セキュリティ管理」から設定できます。 +
+
+ {% endif %}
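Review bot: The warning sentence is hard-coded into the template inside the new `{% if is_danger_admin_url %}` block, while the same sentence was just added to `message.ja.yml` as `admin.system.security.admin.url.warning`; rendering that key through the translator (the `trans` filter, if this template already uses it elsewhere — not visible from the hunk) would stop the two copies drifting apart. The trailing "「セキュリティ管理」から設定できます。" could become a second key or be appended to the same message. The HTML tags in this hunk were stripped in the copy under review, so the alert markup itself could not be checked. The `main` block continues past the hunk.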
diff --git a/tests/Eccube/Tests/Form/Type/Install/Step3TypeTest.php b/tests/Eccube/Tests/Form/Type/Install/Step3TypeTest.php
index 6e04225fa5e..5bf83a83feb 100644
--- a/tests/Eccube/Tests/Form/Type/Install/Step3TypeTest.php
+++ b/tests/Eccube/Tests/Form/Type/Install/Step3TypeTest.php
@@ -272,4 +272,12 @@ public function testValid_MailBackend_Blank()
 $this->form->submit($this->formData);
 $this->assertTrue($this->form->isValid());
 }
+
+ public function testInValid_AdminDir()
+ {
+ $this->formData['admin_dir'] = 'admin';
+
+ $this->form->submit($this->formData);
+ $this->assertFalse($this->form->isValid());
+ }
 }

From e0b3cd661d4aafbf2fc5ff38f5c753f1eb86235a Mon Sep 17 00:00:00 2001
From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com>
Date: Fri, 16 Nov 2018 11:00:20 +0900
Subject: [PATCH 2/4] =?UTF-8?q?php7.2=E3=81=A7warning=E3=81=8C=E7=99=BA?= =?UTF-8?q?=E7=94=9F=E3=81=99=E3=82=8B=E5=95=8F=E9=A1=8C=E3=82=92=E4=BF=AE?= =?UTF-8?q?=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Eccube/Application.php | 2 +-
 .../Controller/Admin/Setting/System/SecurityController.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Eccube/Application.php b/src/Eccube/Application.php
index 31b5388a1f1..6610000a389 100644
--- a/src/Eccube/Application.php
+++ b/src/Eccube/Application.php
@@ -319,7 +319,7 @@ public function initRendering()
 if ($app->isAdminRequest()) {
 // IP制限チェック
 $allowHost = $app['config']['admin_allow_host'];
- if (count($allowHost) > 0) {
+ if (is_array($allowHost) && count($allowHost) > 0) {
 if (array_search($app['request']->getClientIp(), $allowHost) === false) {
 throw new \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException();
 }
diff --git a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
index 22edd6b4eec..ce00e942eaa 100644
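Review bot: `testInValid_AdminDir` only asserts that the whole form is invalid, so it would also pass if some unrelated field in `$this->formData` failed validation; pin the failure to the field under test with `$this->assertFalse($this->form->get('admin_dir')->isValid());`. A second case submitting `'Admin'` would document whether the rule is meant to be case-sensitive — as written, `NotEqualTo` lets that value through. The test class continues past the hunk.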
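Review bot: The added `is_array($allowHost) &&` guard fails open: if `admin_allow_host` holds anything that is not an array (a single string from a hand-edited config, for instance), the admin IP restriction is now skipped silently instead of being enforced or rejected. Normalising the value avoids the PHP 7.2 `count()` warning without disabling the check: `$allowHost = (array) $app['config']['admin_allow_host'];` followed by the original `if (count($allowHost) > 0) {`. While here, `array_search(...) === false` is a loose comparison; `!in_array($app['request']->getClientIp(), $allowHost, true)` is the strict form. `getClientIp()` only honours forwarding headers for configured trusted proxies, which this hunk does not show, so deployments behind a reverse proxy should confirm the allowlist sees the real client address. The enclosing closure in `initRendering()` starts and ends outside the hunk.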
--- a/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
+++ b/src/Eccube/Controller/Admin/Setting/System/SecurityController.php
@@ -123,7 +123,7 @@ public function index(Application $app, Request $request)
 // セキュリティ情報の取得
 $form->get('admin_route_dir')->setData($app['config']['admin_route']);
 $allowHost = $app['config']['admin_allow_host'];
- if (count($allowHost) > 0) {
+ if (is_array($allowHost) && count($allowHost) > 0) {
 $form->get('admin_allow_host')->setData(Str::convertLineFeed(implode("\n", $allowHost)));
 }
 $form->get('force_ssl')->setData((bool)$app['config']['force_ssl']);

From 622cc6984dbde6d5574deb46e4af89e0cec1b0a8 Mon Sep 17 00:00:00 2001
From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com>
Date: Fri, 16 Nov 2018 11:00:40 +0900
Subject: [PATCH 3/4] =?UTF-8?q?noindex=E3=82=92=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Eccube/Resource/template/admin/error.twig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Eccube/Resource/template/admin/error.twig b/src/Eccube/Resource/template/admin/error.twig
index 4b7ec71efbc..cb84dd677b1 100644
--- a/src/Eccube/Resource/template/admin/error.twig
+++ b/src/Eccube/Resource/template/admin/error.twig
@@ -28,6 +28,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+

From e62bb7a3f8f11b2f4608a82b778190f77a942e5f Mon Sep 17 00:00:00 2001
From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com>
Date: Fri, 16 Nov 2018 11:00:52 +0900
Subject: [PATCH 4/4] =?UTF-8?q?Basic=E8=AA=8D=E8=A8=BC=E3=81=AE=E3=82=B5?= =?UTF-8?q?=E3=83=B3=E3=83=97=E3=83=AB=E3=82=92=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .htaccess.sample | 15 +++++++++++++++
 html/.htaccess | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.htaccess.sample b/.htaccess.sample
index 64b66732271..10102b1c304 100644
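Review bot: Same pattern as the `Application.php` hunk in this commit: with `is_array($allowHost) &&` a non-array `admin_allow_host` is simply not shown, so the admin sees an empty allowlist and, if the save path writes the field back (the POST branch is outside this hunk, so this is inferred), saving the page would overwrite the real setting. Casting once, `$allowHost = (array) $app['config']['admin_allow_host'];`, keeps the original `count()` condition warning-free on PHP 7.2 and keeps this call site consistent with the enforcement check. The enclosing `index()` starts and ends outside the hunk.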
--- a/.htaccess.sample
+++ b/.htaccess.sample
@@ -25,3 +25,18 @@ DirectoryIndex index.php index.html .ht
 RewriteCond %{REQUEST_FILENAME} !^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$ [NC]
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# 管理画面へのBasic認証サンプル
+#
+# Satisfy Any
+#
+# AuthType Basic
+# AuthName "Please enter username and password"
+# AuthUserFile /path/to/.htpasswd
+# AuthGroupFile /dev/null
+# require valid-user
+#
+# SetEnvIf Request_URI "^/admin" admin_path # ^/adminは, 管理画面URLに応じて変更してください
+# Order Allow,Deny
+# Allow from all
+# Deny from env=admin_path
diff --git a/html/.htaccess b/html/.htaccess
index 13ee2b4d25b..635816ceab1 100644
--- a/html/.htaccess
+++ b/html/.htaccess
@@ -21,3 +21,18 @@ allow from all
 RewriteCond %{REQUEST_FILENAME} !^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$ [NC]
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# 管理画面へのBasic認証サンプル
+#
+# Satisfy Any
+#
+# AuthType Basic
+# AuthName "Please enter username and password"
+# AuthUserFile /path/to/.htpasswd
+# AuthGroupFile /dev/null
+# require valid-user
+#
+# SetEnvIf Request_URI "^/admin" admin_path # ^/adminは, 管理画面URLに応じて変更してください
+# Order Allow,Deny
+# Allow from all
+# Deny from env=admin_path
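Review bot: The `SetEnvIf Request_URI "^/admin" admin_path # ^/adminは, ...` line carries a trailing inline comment, which Apache does not support after a directive; once a user uncomments the sample, the `#` and the Japanese text are parsed as further arguments to `SetEnvIf`, so the hint should move to its own `#` line above it. `Satisfy Any`, `Order Allow,Deny`, `Allow from all` and `Deny from env=` are Apache 2.2 access-control directives that on 2.4 only work with `mod_access_compat` loaded; the 2.4-native equivalent, as I understand it, is a `<RequireAny>` combining `Require valid-user` with a `<RequireAll>` of `Require all granted` and `Require not env admin_path`, and the sample should say which version it targets. `^/admin` also matches `/administrator` and similar paths, so `^/admin(/|$)` is the safer anchor for the prefix. Since Basic credentials travel base64-encoded on every request, the sample should be paired with the `force_ssl`/`admin_force_ssl` setting this series touches, and `/path/to/.htpasswd` should be shown outside the document root.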