From fefd71d82da9e34f319a8e8e83dd29bed5d87b65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?= <josue@tille.ch>
Date: Thu, 4 Jan 2018 10:17:24 +0100
Subject: [PATCH] Fix the issue alias_traversal

---
 conf/app.src       |  4 ++--
 conf/nginx.conf    |  3 ++-
 manifest.json      |  6 +++---
 scripts/_common.sh | 38 ++++++++++++++++++++++++++++++++------
 scripts/change_url | 22 +++++++++++++++++++++-
 scripts/install    |  6 +++---
 scripts/restore    |  4 ++--
 scripts/upgrade    |  2 +-
 8 files changed, 66 insertions(+), 19 deletions(-)

diff --git a/conf/app.src b/conf/app.src
index 61f474e..0ae1234 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/vector-im/riot-web/releases/download/v0.13.3/riot-v0.13.3.tar.gz
-SOURCE_SUM=bcd6c2f4be018612ac76a71b58749a5edab1e02de7d145a22d9b9aa6e6a89129
+SOURCE_URL=https://github.com/vector-im/riot-web/releases/download/v0.13.4/riot-v0.13.4.tar.gz
+SOURCE_SUM=222b0a0db690ece590aae0e7f28dfdb98b7cfec865114fdd1c0b44c39517b31b
 # (Optional) Program to check the integrity (sha256sum, md5sum...)
 # default: sha256
 SOURCE_SUM_PRG=sha256sum
diff --git a/conf/nginx.conf b/conf/nginx.conf
index e175cef..f8e858e 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,4 +1,5 @@
-location __PATH__ {
+#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+location __PATH__/ {
 	alias __FINALPATH__/;
 
 	if ($scheme = http) {
diff --git a/manifest.json b/manifest.json
index 04c9aa5..74f85cc 100644
--- a/manifest.json
+++ b/manifest.json
@@ -3,13 +3,13 @@
 	"id": "riot",
 	"packaging_format": 1,
 	"requirements": {
-		"yunohost": ">= 2.6.4"
+		"yunohost": ">= 2.7.5"
 	},
 	"description": {
 		"en": "A web client for matrix",
 		"fr": "Un client web pour matrix"
 	},
-	"version": "0.13.3",
+	"version": "0.13.4",
 	"url": "https://riot.im",
 	"license": "Apache-2.0",
 	"maintainer": {
@@ -57,7 +57,7 @@
 					"en": "Is it a public server ?",
 					"fr": "Est-ce un serveur publique ?"
 			},
-				"default": "0"
+				"default": 0
 			}
 		]
 	}
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 1494571..ae280a4 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -5,13 +5,39 @@ app=$YNH_APP_INSTANCE_NAME
 final_path="/var/www/$app"
 
 config_nginx() {
-	cp ../conf/nginx.conf /etc/nginx/conf.d/$domain.d/$app.conf
-
-	ynh_replace_string __PATH__ $path /etc/nginx/conf.d/$domain.d/$app.conf
-	ynh_replace_string __FINALPATH__ $final_path /etc/nginx/conf.d/$domain.d/$app.conf
+    if [ "$path_url" != "/" ]
+    then
+        ynh_replace_string "^#sub_path_only" "" "../conf/nginx.conf"
+    fi
+    ynh_add_nginx_config
 }
 
 config_riot() {
-	cp ../conf/config.json $final_path/config.json
-	ynh_replace_string __DEFAULT_SERVER__ $default_home_server $final_path/config.json
+    cp ../conf/config.json $final_path/config.json
+    ynh_replace_string __DEFAULT_SERVER__ $default_home_server $final_path/config.json
+    chown www-data -R $final_path/config.json
+    chmod 640 -R $final_path/config.json
+}
+
+# Substitute/replace a string (or expression) by another in a file
+#
+# usage: ynh_replace_string match_string replace_string target_file
+# | arg: match_string - String to be searched and replaced in the file
+# | arg: replace_string - String that will replace matches
+# | arg: target_file - File in which the string will be replaced.
+#
+# As this helper is based on sed command, regular expressions and
+# references to sub-expressions can be used
+# (see sed manual page for more information)
+ynh_replace_string () {
+	local delimit=@
+	local match_string=$1
+	local replace_string=$2
+	local workfile=$3
+
+	# Escape the delimiter if it's in the string.
+	match_string=${match_string//${delimit}/"\\${delimit}"}
+	replace_string=${replace_string//${delimit}/"\\${delimit}"}
+
+	sudo sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$workfile"
 }
\ No newline at end of file
diff --git a/scripts/change_url b/scripts/change_url
index 3d32006..f085501 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -42,7 +42,27 @@ nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
 # Change the path in the nginx config file
 if [ $change_path -eq 1 ]
 then
-	ynh_replace_string "location $old_path" "location $new_path" "$nginx_conf_path"
+    # Make a backup of the original nginx config file if modified
+    ynh_backup_if_checksum_is_different "$nginx_conf_path"
+    # Replace locations starting with old_path
+    # Look for every location possible patterns (see https://nginx.org/en/docs/http/ngx_http_core_module.html#location)
+
+    # Move from sub path to root
+    if [ "$new_path" == "/" ]
+    then
+        ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path/\?" "location\1 /"  "$nginx_conf_path"
+        ynh_replace_string "\(^.*rewrite.*\^$old_path.* permanent;\)" "#sub_path_only\1" "$nginx_conf_path"
+        ynh_replace_string "\(rewrite *\^\)$old_path\$ $old_path/*" "\1$new_path$ $new_path" "$nginx_conf_path"
+
+    # Move to a sub path
+    else
+        ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path/\?" "location\1 $new_path/"  "$nginx_conf_path"
+        ynh_replace_string "^#sub_path_only" "" "$nginx_conf_path"
+        ynh_replace_string "\(rewrite *\^\)$old_path\$ $old_path/*" "\1$new_path$ $new_path/" "$nginx_conf_path"
+    fi
+    
+    # Calculate and store the nginx config file checksum
+    ynh_store_file_checksum "$nginx_conf_path"
 fi
 
 # Change the domain for nginx
diff --git a/scripts/install b/scripts/install
index 7407e56..55addf6 100644
--- a/scripts/install
+++ b/scripts/install
@@ -11,13 +11,13 @@ source ./_common.sh
 
 # Retrieve arguments
 domain=$YNH_APP_ARG_DOMAIN
-path=$(ynh_normalize_url_path $YNH_APP_ARG_PATH)
+path_url=$(ynh_normalize_url_path $YNH_APP_ARG_PATH)
 is_public=$YNH_APP_ARG_IS_PUBLIC
 default_home_server=$YNH_APP_ARG_DEFAULT_HOME_SERVER
 
 # Check domain/path availability
-test $(ynh_webpath_available $domain $path) == 'True' || ynh_die "$domain$path is not available, please use an other domain or path."
-ynh_webpath_register $app $domain $path
+test $(ynh_webpath_available $domain $path_url) == 'True' || ynh_die "$domain$path_url is not available, please use an other domain or path."
+ynh_webpath_register $app $domain $path_url
 
 # Check Final Path availability
 test ! -e "$final_path" || ynh_die "This path already contains a folder"
diff --git a/scripts/restore b/scripts/restore
index 099a68e..ade8a63 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -11,10 +11,10 @@ source ../settings/scripts/_common.sh
 
 # Retrieve arguments
 domain=$(ynh_app_setting_get $app domain)
-path=$(ynh_app_setting_get $app path)
+path_url=$(ynh_app_setting_get $app path)
 
 # Check domain/path availability
-ynh_webpath_available $domain $path || ynh_die "$domain/$path is not available, please use an other domain or path."
+ynh_webpath_available $domain $path_url || ynh_die "$domain/$path_url is not available, please use an other domain or path."
 
 # Restore all config and data
 ynh_restore
diff --git a/scripts/upgrade b/scripts/upgrade
index d6f5ee6..8263459 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -11,7 +11,7 @@ source ./_common.sh
 
 # Retrieve arguments
 domain=$(ynh_app_setting_get $app domain)
-path=$(ynh_normalize_url_path $(ynh_app_setting_get $app path))
+path_url=$(ynh_normalize_url_path $(ynh_app_setting_get $app path))
 is_public=$(ynh_app_setting_get $app is_public)
 final_path=$(ynh_app_setting_get $app final_path)
 default_home_server=$(ynh_app_setting_get $app default_home_server)