From d42c99835a67ad614c0b6ff5595e42c36e9067fd Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Fri, 9 Jun 2023 22:30:32 +0200
Subject: [PATCH] nginx: use /var/www/.well-known folder for ynh diagnosis and
 acme challenge, because /tmp/ could be manipulated by user to serve
 maliciously crafted files

---
 conf/nginx/plain/acme-challenge.conf.inc | 2 +-
 conf/nginx/server.tpl.conf               | 2 +-
 src/certificate.py                       | 4 ++--
 src/diagnosers/21-web.py                 | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/conf/nginx/plain/acme-challenge.conf.inc b/conf/nginx/plain/acme-challenge.conf.inc
index 35c4b80c2..859aa6817 100644
--- a/conf/nginx/plain/acme-challenge.conf.inc
+++ b/conf/nginx/plain/acme-challenge.conf.inc
@@ -1,6 +1,6 @@
 location ^~ '/.well-known/acme-challenge/'
 {
         default_type "text/plain";
-        alias /tmp/acme-challenge-public/;
+        alias /var/www/.well-known/acme-challenge-public/;
         gzip off;
 }
diff --git a/conf/nginx/server.tpl.conf b/conf/nginx/server.tpl.conf
index d3ff77714..16b5c46c2 100644
--- a/conf/nginx/server.tpl.conf
+++ b/conf/nginx/server.tpl.conf
@@ -13,7 +13,7 @@ server {
     include /etc/nginx/conf.d/acme-challenge.conf.inc;
 
     location ^~ '/.well-known/ynh-diagnosis/' {
-        alias /tmp/.well-known/ynh-diagnosis/;
+        alias /var/www/.well-known/ynh-diagnosis/;
     }
 
     {% if mail_enabled == "True" %}
diff --git a/src/certificate.py b/src/certificate.py
index 52e0d8c1b..76d3f32b7 100644
--- a/src/certificate.py
+++ b/src/certificate.py
@@ -41,8 +41,8 @@ from yunohost.log import OperationLogger
 logger = getActionLogger("yunohost.certmanager")
 
 CERT_FOLDER = "/etc/yunohost/certs/"
-TMP_FOLDER = "/tmp/acme-challenge-private/"
-WEBROOT_FOLDER = "/tmp/acme-challenge-public/"
+TMP_FOLDER = "/var/www/.well-known/acme-challenge-private/"
+WEBROOT_FOLDER = "/var/www/.well-known/acme-challenge-public/"
 
 SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem"
 ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem"
diff --git a/src/diagnosers/21-web.py b/src/diagnosers/21-web.py
index 2050cd658..ce6de4b17 100644
--- a/src/diagnosers/21-web.py
+++ b/src/diagnosers/21-web.py
@@ -60,9 +60,9 @@ class MyDiagnoser(Diagnoser):
                 domains_to_check.append(domain)
 
         self.nonce = "".join(random.choice("0123456789abcedf") for i in range(16))
-        rm("/tmp/.well-known/ynh-diagnosis/", recursive=True, force=True)
-        mkdir("/tmp/.well-known/ynh-diagnosis/", parents=True)
-        os.system("touch /tmp/.well-known/ynh-diagnosis/%s" % self.nonce)
+        rm("/var/www/.well-known/ynh-diagnosis/", recursive=True, force=True)
+        mkdir("/var/www/.well-known/ynh-diagnosis/", parents=True)
+        os.system("touch /var/www/.well-known/ynh-diagnosis/%s" % self.nonce)
 
         if not domains_to_check:
             return