├── src ├── dir.png ├── file.png ├── favicon.ico ├── spinner.gif ├── logo-sambadav.png ├── composer.json ├── config │ ├── share_extra.inc.php │ ├── share_root.inc.php │ └── config.inc.php ├── lib │ └── SambaDAV │ │ ├── MD5FilterOutput.php │ │ ├── LoginForm.php │ │ ├── Cache │ │ ├── Null.php │ │ └── Filesystem.php │ │ ├── MD5Filter.php │ │ ├── Log │ │ └── Filesystem.php │ │ ├── Config.php │ │ ├── Log.php │ │ ├── MSPropertiesPlugin.php │ │ ├── loginform.html │ │ ├── URI.php │ │ ├── SMBClient │ │ ├── Process.php │ │ └── Parser.php │ │ ├── Cache.php │ │ ├── Propflags.php │ │ ├── LDAP.php │ │ ├── SMB.php │ │ ├── File.php │ │ ├── Auth.php │ │ ├── BrowserPlugin.php │ │ └── Directory.php ├── style.css └── server.php ├── img ├── png │ ├── dir.png │ ├── file.png │ ├── logo.png │ ├── shakers.png │ ├── logo-150px.png │ └── Makefile ├── gif │ ├── spinner.gif │ └── Makefile ├── ico │ ├── favicon.ico │ └── Makefile ├── file.svg ├── dir.svg ├── spinner.svg └── logo.svg ├── ChangeLog ├── README.md └── LICENSE /src/dir.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/src/dir.png -------------------------------------------------------------------------------- /src/file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/src/file.png -------------------------------------------------------------------------------- /img/png/dir.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/png/dir.png -------------------------------------------------------------------------------- /img/png/file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/png/file.png -------------------------------------------------------------------------------- /img/png/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/png/logo.png -------------------------------------------------------------------------------- /src/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/src/favicon.ico -------------------------------------------------------------------------------- /src/spinner.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/src/spinner.gif -------------------------------------------------------------------------------- /img/gif/spinner.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/gif/spinner.gif -------------------------------------------------------------------------------- /img/ico/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/ico/favicon.ico -------------------------------------------------------------------------------- /img/png/shakers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/png/shakers.png -------------------------------------------------------------------------------- /img/png/logo-150px.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/img/png/logo-150px.png -------------------------------------------------------------------------------- /src/logo-sambadav.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1afa/sambadav/HEAD/src/logo-sambadav.png -------------------------------------------------------------------------------- /img/ico/Makefile: -------------------------------------------------------------------------------- 1 | favicon.ico: ../logo.svg 2 | inkscape \ 3 | --export-png=tmp.png \ 4 | --export-dpi=360 \ 5 | --export-id=shakers \ 6 | $^ 7 | pngtopnm -alpha \ 8 | < tmp.png \ 9 | | pamscale -width 16 \ 10 | | pnmpad -top 1 -bottom 1 -black \ 11 | > a.pgm 12 | pngtopnm \ 13 | < tmp.png \ 14 | | pamscale -width 16 -filter=sinc \ 15 | | pnmpad -top 1 -bottom 1 -white \ 16 | > n.ppm 17 | ppmtowinicon -andpgms n.ppm a.pgm > $@ 18 | rm tmp.png n.ppm a.pgm 19 | -------------------------------------------------------------------------------- /src/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "1afa/sambadav", 3 | "require" : { 4 | "sabre/dav" : "~3.0.5" 5 | }, 6 | "license" : "agpl", 7 | "authors" : [ 8 | { 9 | "name" : "Richard de Vroede", 10 | "email" : "richard@1afa.com", 11 | "role" : "Developer" 12 | }, 13 | { 14 | "name" : "Alfred Klomp", 15 | "email" : "alfred@1afa.com", 16 | "role" : "Initial creator" 17 | } 18 | ], 19 | "autoload" : { 20 | "psr-4" : { 21 | "SambaDAV\\" : "lib/SambaDAV" 22 | } 23 | }, 24 | "minimum-stability" : "stable" 25 | } 26 | -------------------------------------------------------------------------------- /img/gif/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean 2 | .INTERMEDIATE: sp1.png sp2.png sp3.png sp4.png sp5.png sp6.png sp7.png sp8.png 3 | 4 | spinner.gif: sp1.png sp2.png sp3.png sp4.png sp5.png sp6.png sp7.png sp8.png 5 | convert $^ $@ 6 | 7 | sp%.png: ../spinner.svg 8 | inkscape \ 9 | --export-png=tmp.png \ 10 | --export-dpi=360 \ 11 | --export-id=frame$* \ 12 | "$^" 13 | pngtopnm -mix -background \#ffffff \ 14 | < tmp.png \ 15 | | pamscale 0.25 \ 16 | | pnmtopng \ 17 | > "$@" 18 | rm tmp.png 19 | 20 | clean: 21 | rm spinner.gif sp*.png 22 | -------------------------------------------------------------------------------- /img/file.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /img/dir.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /src/config/share_extra.inc.php: -------------------------------------------------------------------------------- 1 | array( 20 | // array('SERVERONE', 'data'), 21 | // array('SERVERONE', 'finance'), 22 | // array('SERVERTWO', 'data'), 23 | // array('SERVERTWO', 'finance'), 24 | // ), 25 | // ); 26 | 27 | return array(); 28 | -------------------------------------------------------------------------------- /img/png/Makefile: -------------------------------------------------------------------------------- 1 | IMGS = file.png dir.png logo.png logo-150px.png shakers.png 2 | 3 | all: $(IMGS) 4 | 5 | %.png: ../%.svg 6 | inkscape \ 7 | --export-png=$@ \ 8 | --export-dpi=90 \ 9 | $^ 10 | advpng -z4 $@ 11 | 12 | logo.png: ../logo.svg 13 | inkscape \ 14 | --export-png=tmp.png \ 15 | --export-dpi=360 \ 16 | $^ 17 | pngtopnm -mix -background \#ffffff \ 18 | < tmp.png \ 19 | | pamscale 0.25 \ 20 | | pnmtopng \ 21 | > $@ 22 | advpng -z4 $@ 23 | rm tmp.png 24 | 25 | logo-150px.png: ../logo.svg 26 | inkscape \ 27 | --export-png=tmp.png \ 28 | --export-dpi=360 \ 29 | $^ 30 | pngtopnm -mix -background \#ffffff \ 31 | < tmp.png \ 32 | | pamscale -width 150 -filter=sinc \ 33 | | pnmtopng \ 34 | > $@ 35 | advpng -z4 $@ 36 | rm tmp.png 37 | 38 | shakers.png: ../logo.svg 39 | inkscape \ 40 | --export-png=tmp.png \ 41 | --export-dpi=360 \ 42 | --export-id=shakers \ 43 | $^ 44 | pngtopnm -mix -background \#ffffff \ 45 | < tmp.png \ 46 | | pamscale 0.3 \ 47 | | pnmpad -left 4 -right 4 -top 4 -bottom 4 -white \ 48 | | pnmtopng \ 49 | > $@ 50 | advpng -z4 $@ 51 | rm tmp.png 52 | 53 | clean: 54 | rm $(IMGS) 55 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/MD5FilterOutput.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | // This is a dummy class that does nothing except hold the value of the hash. 23 | // We need this dummy class to save the final value of the hash when the filter 24 | // is done. The caller creates a new instance of this class and passes it as a 25 | // parameter to stream_filter_append. Because objects are passed by reference, 26 | // the filter can update the hash value, and the caller can read out the value 27 | // when the streaming is done. Saves us from using a global variable. 28 | 29 | class MD5FilterOutput 30 | { 31 | public $hash = ''; 32 | } 33 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/LoginForm.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class LoginForm 23 | { 24 | private $baseuri = null; 25 | 26 | public function 27 | __construct ($baseuri) 28 | { 29 | $this->baseuri = $baseuri; 30 | } 31 | 32 | public function 33 | getBody () 34 | { 35 | $template = __DIR__ . '/loginform.html'; 36 | 37 | // Open the login form template in current dir: 38 | if (!is_readable($template)) { 39 | return null; 40 | } 41 | if (($contents = file_get_contents($template)) === false) { 42 | return null; 43 | } 44 | // Substitute {BASEURI}: 45 | return str_replace('{BASEURI}', $this->baseuri, $contents); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /src/style.css: -------------------------------------------------------------------------------- 1 | /* SambaDAV: commit 3d48108 @ Thu Mar 14 14:16:21 2019 +0100 */ 2 | 3 | html { 4 | font-family: arial, sans-serif; 5 | font-size: 100%; 6 | } 7 | a { 8 | text-decoration: none; 9 | } 10 | a img { 11 | border: 0px; 12 | } 13 | address { 14 | margin-top: 2em; 15 | font-size: small; 16 | font-style: normal; 17 | color: #909498; 18 | } 19 | table { 20 | background-color: #c4c4cb; 21 | border-spacing: 0px 1px; 22 | border-left: 1px solid #c4c4cb; 23 | border-right: 1px solid #c4c4cb; 24 | width: 100%; 25 | } 26 | h1 { 27 | margin: 0px 0px 0.5em 0px; 28 | padding: 0px; 29 | font-weight: normal; 30 | font-size: 16pt; 31 | } 32 | th { 33 | font-size: 10pt; 34 | text-align: left; 35 | padding: 0.3em 0.5em; 36 | font-weight: bold; 37 | } 38 | td { 39 | font-size: 9pt; 40 | padding: 0.3em 0.5em; 41 | } 42 | tr.dir { 43 | background-color: #d8d8e2; 44 | } 45 | tr.dir:hover { 46 | background-color: #e0e0ee; 47 | } 48 | tr.file { 49 | background-color: #e8e8e8; 50 | } 51 | tr.file:hover { 52 | background-color: #f0f0f0; 53 | } 54 | tr.collection img, tr.file img { 55 | vertical-align: middle; 56 | } 57 | table#actions { 58 | margin: 10px 0px; 59 | width: auto; 60 | } 61 | table#actions td { 62 | background-color: #f0f2f4; 63 | padding: 0.5em; 64 | } 65 | table#actions h3 { 66 | margin-right: 2em; 67 | display: inline; 68 | } 69 | table#actions label { 70 | width: 20px; 71 | } 72 | p#logout { 73 | float: right; 74 | font-size: 12pt; 75 | margin: 0px; 76 | } 77 | p#manual { 78 | float: right; 79 | font-size: 12pt; 80 | margin: 0px 1em 0px 0px; 81 | padding-right: 1em; 82 | border-right: 2px solid #d8d8e2; 83 | } 84 | #sambadav-logo { 85 | float: right; 86 | margin: 5px; 87 | } 88 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Cache/Null.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV\Cache; 21 | 22 | class Null extends \SambaDAV\Cache 23 | { 24 | // This class does nothing but throw away the cache data; 25 | // it's for when the admin has turned off caching. 26 | 27 | public function 28 | write ($key, $data, $timeout) 29 | { 30 | return true; 31 | } 32 | 33 | public function 34 | read ($key, &$data, $timeout) 35 | { 36 | return false; 37 | } 38 | 39 | public function 40 | delete ($key) 41 | { 42 | return true; 43 | } 44 | 45 | public function 46 | clean () 47 | { 48 | return true; 49 | } 50 | 51 | public function 52 | get ($callable, $args = array(), $auth, $uri, $timeout) 53 | { 54 | return call_user_func_array($callable, $args); 55 | } 56 | 57 | public function 58 | remove ($callable, $auth, $uri) 59 | { 60 | return true; 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/MD5Filter.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class MD5Filter extends \php_user_filter 23 | { 24 | private $ctx; 25 | 26 | public function 27 | onCreate () 28 | { 29 | $this->ctx = hash_init('md5'); 30 | return true; 31 | } 32 | 33 | public function 34 | onClose () 35 | { 36 | // $this->params points to an instance of MD5FilterOutput, 37 | // owned by caller, that caller will use to read out the hash: 38 | $this->params->hash = hash_final($this->ctx); 39 | return true; 40 | } 41 | 42 | public function 43 | filter ($in, $out, &$consumed, $closing) 44 | { 45 | while ($bucket = stream_bucket_make_writeable($in)) { 46 | hash_update($this->ctx, $bucket->data); 47 | $consumed += $bucket->datalen; 48 | stream_bucket_append($out, $bucket); 49 | } 50 | return PSFS_PASS_ON; 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Log/Filesystem.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV\Log; 21 | 22 | class Filesystem extends \SambaDAV\Log 23 | { 24 | private $filename = null; 25 | 26 | public function 27 | __construct ($level = parent::WARN, $filename = null) 28 | { 29 | $this->level = $level; 30 | 31 | if (is_null($this->filename = $filename)) { 32 | $this->filename = strftime(dirname(dirname(dirname(dirname(__FILE__)))).'/log/%Y-%m-%d.log'); 33 | } 34 | } 35 | 36 | protected function 37 | commit ($level, $message) 38 | { 39 | if ($fp = $this->fileOpenLockAppend()) { 40 | fwrite($fp, $message); 41 | $this->fileCloseUnlock($fp); 42 | return true; 43 | } 44 | return false; 45 | } 46 | 47 | private function 48 | fileOpenLockAppend () 49 | { 50 | // Open the file for appending, lock it. 51 | // Returns file handle, or false on error. 52 | if (($fd = fopen($this->filename, 'a')) === false) { 53 | return false; 54 | } 55 | if ((flock($fd, LOCK_EX)) === false) { 56 | fclose($fd); 57 | return false; 58 | } 59 | chmod($this->filename, 0600); 60 | return $fd; 61 | } 62 | 63 | private function 64 | fileCloseUnlock ($fd) 65 | { 66 | fflush($fd); 67 | flock($fd, LOCK_UN); 68 | fclose($fd); 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Config.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class Config 23 | { 24 | private $keys = array(); 25 | 26 | public function 27 | __get ($name) 28 | { 29 | return (isset($this->keys[$name])) 30 | ? $this->keys[$name] 31 | : null; 32 | } 33 | 34 | public function 35 | __set ($name, $value) 36 | { 37 | $this->keys[$name] = $value; 38 | } 39 | 40 | public function 41 | __isset ($name) 42 | { 43 | return isset($this->keys[$name]); 44 | } 45 | 46 | public function 47 | load ($cfgpath) 48 | { 49 | // Source all php files in the config dir: 50 | if ($dir = opendir($cfgpath)) { 51 | while (($entry = readdir($dir)) !== false) { 52 | if (substr($entry, -4) === '.php') { 53 | $keys = include "{$cfgpath}/{$entry}"; 54 | if (is_array($keys)) { 55 | $this->keys = array_merge($this->keys, $keys); 56 | } 57 | } 58 | } 59 | closedir($dir); 60 | } 61 | // Make sure that share_root and share_extra exist as arrays, 62 | // even if they're empty: 63 | if (!is_array($this->share_root)) { 64 | $this->share_root = array(); 65 | } 66 | if (!is_array($this->share_extra)) { 67 | $this->share_extra = array(); 68 | } 69 | // Merge "archives" keys into the list of root shares: 70 | if (is_array($this->share_archives)) { 71 | $this->share_root = array_merge($this->share_root, $this->share_archives); 72 | } 73 | // Master on/off switch: 74 | $this->enabled = ($this->enable_webfolders === true); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/config/share_root.inc.php: -------------------------------------------------------------------------------- 1 | array( 28 | // array('servername'), // autodiscover all shares on the server 29 | // array('servername', 'sharename'), // ...or hard-code a specific share 30 | // ... 31 | // ), 32 | // ); 33 | // 34 | // Examples: 35 | // 36 | // - Autodiscover the shared disks on server MYSERVER, create toplevel folders 37 | // for each share found: 38 | // 39 | // return array( 40 | // 'share_root' => array( 41 | // array('MYSERVER'), 42 | // ), 43 | // ); 44 | // 45 | // - Or don't autodiscover and show only the following shares on server MYSERVER, 46 | // creating three toplevel directories called 'data', 'archive' and 'finance': 47 | // 48 | // return array( 49 | // 'share_root' => array( 50 | // array('MYSERVER', 'data'), 51 | // array('MYSERVER', 'archive'), 52 | // array('MYSERVER', 'finance'), 53 | // ), 54 | // ); 55 | // 56 | // - Or mix-and-match both approaches (but beware of name clashes between 57 | // shares on different servers: if both have a 'data' share, only the last one 58 | // found will be visible): 59 | // 60 | // return array( 61 | // 'share_root' => array( 62 | // array('MYSERVER', 'data'), 63 | // array('SERVERTWO', 'otherdata'), 64 | // array('SERVERTHREE'), 65 | // ), 66 | // ); 67 | 68 | return array(); 69 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Log.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | abstract class Log 23 | { 24 | const NONE = 0; 25 | const ERROR = 1; 26 | const WARN = 2; 27 | const INFO = 3; 28 | const DEBUG = 4; 29 | const TRACE = 5; 30 | 31 | private $lnames = 32 | [ self::NONE => 'none' 33 | , self::ERROR => 'error' 34 | , self::WARN => 'warn' 35 | , self::INFO => 'info' 36 | , self::DEBUG => 'debug' 37 | , self::TRACE => 'trace' 38 | ] ; 39 | 40 | public $level; 41 | 42 | // Commit $data to log. Returns true/false. 43 | abstract protected function commit ($level, $message); 44 | 45 | public function 46 | error () 47 | { 48 | $this->log(self::ERROR, func_get_args()); 49 | } 50 | 51 | public function 52 | warn () 53 | { 54 | $this->log(self::WARN, func_get_args()); 55 | } 56 | 57 | public function 58 | info () 59 | { 60 | $this->log(self::INFO, func_get_args()); 61 | } 62 | 63 | public function 64 | debug () 65 | { 66 | $this->log(self::DEBUG, func_get_args()); 67 | } 68 | 69 | public function 70 | trace () 71 | { 72 | $this->log(self::TRACE, func_get_args()); 73 | } 74 | 75 | public function 76 | setLevel ($string) 77 | { 78 | // Try to find string in lnames array: 79 | if (($level = array_search($string, $this->lnames)) === false) { 80 | return false; 81 | } 82 | $this->level = $level; 83 | return true; 84 | } 85 | 86 | private function 87 | log ($level, $args) 88 | { 89 | // Message logged below threshold? 90 | if ($level > $this->level) { 91 | return; 92 | } 93 | $message = strftime('%Y-%m-%d %H:%M:%S: ') . $this->lnames[$level] . ': '; 94 | 95 | // Treat first argument as a sprintf format string, the rest as arguments: 96 | $message .= call_user_func_array('sprintf', $args); 97 | 98 | return $this->commit($level, $message); 99 | } 100 | } 101 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/MSPropertiesPlugin.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | // A plugin to mixin the DAV:ishidden and DAV:isreadonly properties to nodes 21 | // that provide the appropriate methods. 22 | 23 | namespace SambaDAV; 24 | 25 | use Sabre\DAV; 26 | 27 | class MSPropertiesPlugin extends DAV\ServerPlugin 28 | { 29 | protected $server; 30 | 31 | public function 32 | initialize (DAV\Server $server) 33 | { 34 | $this->server = $server; 35 | $this->server->on('propFind', [ $this, 'propFind' ]); 36 | $this->server->on('propPatch', [ $this, 'propPatch' ]); 37 | } 38 | 39 | public function 40 | propFind (DAV\PropFind $propFind, DAV\INode $node) 41 | { 42 | // Add extra Windows properties to the node: 43 | if (method_exists($node, 'getIsHidden')) { 44 | $propFind->set('{DAV:}ishidden', ($node->getIsHidden() ? '1' : '0')); 45 | } 46 | if (method_exists($node, 'getIsReadonly')) { 47 | $propFind->set('{DAV:}isreadonly', ($node->getIsReadonly() ? '1' : '0')); 48 | } 49 | if (method_exists($node, 'getWin32Props')) { 50 | $propFind->set('{urn:schemas-microsoft-com:}Win32FileAttributes', $node->getWin32Props()); 51 | } 52 | } 53 | 54 | public function 55 | propPatch ($path, DAV\PropPatch $propPatch) 56 | { 57 | $node = $this->server->tree->getNodeForPath($path); 58 | 59 | // The File object is the only thing we can change properties on: 60 | if (!($node instanceof \SambaDAV\File)) { 61 | return; 62 | } 63 | // These properties are silently ignored for now; 64 | // smbclient has no 'touch' command; for documentation purposes: 65 | // {urn:schemas-microsoft-com:}Win32CreationTime 66 | // {urn:schemas-microsoft-com:}Win32LastAccessTime 67 | // {urn:schemas-microsoft-com:}Win32LastModifiedTime 68 | 69 | $handled = [ '{DAV:}ishidden' 70 | , '{DAV:}isreadonly' 71 | , '{urn:schemas-microsoft-com:}Win32FileAttributes' 72 | ] ; 73 | 74 | $propPatch->handle($handled, [ $node, 'updateProperties' ]); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/loginform.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | SambaDAV Login 5 | 6 | 29 | 75 | 76 | 77 |
78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 |
 
92 |
SambaDAV
93 |
94 | 95 | 96 | -------------------------------------------------------------------------------- /img/spinner.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /img/logo.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | * Fri Nov 20 2015 Richard de Vroede v0.6.0 2 | - Composer: updated authors; 3 | - Composer: set autoload to PSR-4 as PSR-0 is deprecated; 4 | - Composer: require SabreDAV 3.0.5; 5 | - Add support for specifying the port of the LDAP server; 6 | - Browser plugin: added optional delete function; 7 | - Move repo from owner `bokxing-it` to `1afa` for organizational reasons; 8 | - Log: make log level configurable in config file; 9 | 10 | * Tue Dec 30 2014 Alfred Klomp v0.5.0 11 | - Auth: add logger object, log various debug messages; 12 | - Require SabreDAV 2.1; 13 | - Browser plugin: hide logout link if anonymous_only is active; 14 | - Add pattern engine for userhome, LDAP and Samba usernames/domains; 15 | 16 | * Mon Sep 22 2014 Alfred Klomp v0.4.1 17 | - Fix LDAP escaping bug, and use of undefined variable; 18 | - Don't include test suite in release tarballs; 19 | 20 | * Tue Sep 09 2014 Alfred Klomp v0.4.0 21 | - README.md: update with information about the new config system. 22 | - Config system: replace old globals-based config system with a system 23 | based on supplying array keys; 24 | - LDAP: add options to choose between AD bind and simple bind mechanisms; 25 | 26 | * Mon Aug 11 2014 Alfred Klomp v0.3.1 27 | - Travis CI: add jobfile for automated testing; 28 | - Cache: add unit tests; 29 | - Cache: no longer static, and split in base class and implementors; 30 | - Directory: fix typo in logging code; 31 | - Cache: password also contributes to cache file name; 32 | - Auth: make this class the maintainer of the 'is anonymous' flag; 33 | 34 | * Wed Aug 06 2014 Alfred Klomp v0.3.0 35 | - Auth: add this class to provide centralized auth handling; 36 | - Config: load all PHP files from config dir, not just the "well known" ones; 37 | - Implement getLastModified for directories; 38 | - Deleting nonempty folders now works; first delete children recursively; 39 | - smbclient: honor the 'N' flag when encountered for NORMAL files; 40 | - Show actual server and share in title of Browser plugin, not webserver path; 41 | - Use new URI class for handling URI's, remove manual string manipulations; 42 | - Move all of SambaDAV to a PSR-0 compliant dir structure; 43 | - Implement own Browser plugin; remove patch dir; 44 | - MD5 streamfilter: place in own class, avoid global variable; 45 | - Login form: generate from template file in its own class; 46 | - Use Composer to install SabreDAV and other dependencies; 47 | - Rework all global logging functions into a static Log class; 48 | - Rework all loose smb_ functions into a static SMB class; 49 | - Put all cache functions into static class; 50 | - Factor smbclient output parser into its own class; 51 | - Change FALSE() and FALSE to comparisons with 'false', which is more standard. 52 | 53 | * Thu Nov 07 2013 Alfred Klomp v0.2.1 54 | - Print a simple login form when basic authentication fails; this login form 55 | uses JavaScript to load the credentials into the browser's authentication 56 | cache, thereby hopefully keeping the user logged in. 57 | - Add spinner animation for later use; 58 | - No longer fail to login a user when the userhome LDAP attribute is not found, 59 | but steam on without setting a user dir. (Less fragile/surprising behaviour.) 60 | 61 | * Thu Oct 17 2013 Alfred Klomp v0.2 62 | - Incorporate LDAP-based home directories; 63 | - Add logo image to file listing; 64 | - Add logo images; 65 | - Move LDAP auth logic into separate class; 66 | - Place Propflags, Directory and File classes in proper \SambaDAV\ namespace; 67 | - Simplify the way in which a Node finds its parent (parent passes a reference 68 | to itself in getChild() instead of a lookup based on the parent's path). 69 | - Add Propflags class: split off the logic surrounding file/dir flags into a 70 | separate class. Makes sense since the logic is the same for files and 71 | directories. Also provides a better location for win32 propstring de/encoding 72 | than common.inc.php. 73 | - Add SMBCLIENT_EXTRA_OPTS config variable, to pass extra options to smbclient; 74 | - SMBFile::updateProperties(): update flags on files by calling the `setmode` 75 | command of smbclient. Add a decoder function for the Win32 property string, 76 | because Win32 passes its file flags in that form. Unfortunately, files appear 77 | to only support setting the Hidden flag, and flags on directories cannot be 78 | set at all. 79 | - Config files: change remaining references to the old internal 'Webfolders' 80 | name to the new name for the open-source project, 'SambaDAV'. 81 | 82 | * Wed Jul 24 2013 Alfred Klomp v0.1 83 | - Adapt the `webfolders` internal project into a standalone project called 84 | SambaDAV, to be open-sourced and hosted on GitHub. 85 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/URI.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class URI 23 | { 24 | // An URI consists of multiple parts, the first being the server, 25 | // the second the share, and the rest forming the path on the share: 26 | private $parts = []; 27 | 28 | public function 29 | __construct () 30 | { 31 | // Allow a variable number of string arguments: 32 | foreach (func_get_args() as $arg) { 33 | $this->addParts($arg); 34 | } 35 | } 36 | 37 | public function 38 | __toString () 39 | { 40 | return $this->uriFull(); 41 | } 42 | 43 | public function 44 | uriFull () 45 | { 46 | // Get full path from all parts: 47 | return '//'.implode('/', $this->parts); 48 | } 49 | 50 | public function 51 | uriServer () 52 | { 53 | if (!isset($this->parts[0])) { 54 | return '//'; 55 | } 56 | return "//{$this->parts[0]}"; 57 | } 58 | 59 | public function 60 | uriServerShare () 61 | { 62 | // Get just server and share: 63 | if (!isset($this->parts[0])) { 64 | return '//'; 65 | } 66 | if (!isset($this->parts[1])) { 67 | return "//{$this->parts[0]}"; 68 | } 69 | return "//{$this->parts[0]}/{$this->parts[1]}"; 70 | } 71 | 72 | public function 73 | server () 74 | { 75 | return (isset($this->parts[0])) 76 | ? $this->parts[0] 77 | : null; 78 | } 79 | 80 | public function 81 | share () 82 | { 83 | return (isset($this->parts[1])) 84 | ? $this->parts[1] 85 | : null; 86 | } 87 | 88 | public function 89 | path () 90 | { 91 | // Get just the path part: 92 | return (isset($this->parts[2])) 93 | ? '/'.implode('/', array_slice($this->parts, 2)) 94 | : '/'; 95 | } 96 | 97 | public function 98 | parentDir () 99 | { 100 | // Get the dir name leading up to the last path part: 101 | $parts = array_slice($this->parts, 2, count($this->parts) - 3); 102 | return '/'.implode('/', $parts); 103 | } 104 | 105 | public function 106 | name () 107 | { 108 | // Get the last path part: 109 | if (($count = count($this->parts)) === 0) { 110 | return ''; 111 | } 112 | return $this->parts[$count - 1]; 113 | } 114 | 115 | public function 116 | rename ($name) 117 | { 118 | // Remove the last filename part from the stack: 119 | array_pop($this->parts); 120 | $this->addParts($name); 121 | } 122 | 123 | public function 124 | addString ($parts) 125 | { 126 | if (!is_string($parts)) { 127 | return; 128 | } 129 | // Translate backslashes to slashes, 130 | // handle strings of the form '\\server\share': 131 | $parts = strtr($parts, '\\', '/'); 132 | 133 | // Add new parts: 134 | foreach (explode('/', $parts) as $part) { 135 | if ($part !== '') { 136 | $this->parts[] = $part; 137 | } 138 | } 139 | } 140 | 141 | public function 142 | addParts ($parts) 143 | { 144 | if (is_string($parts)) { 145 | $this->addString($parts); 146 | return; 147 | } 148 | if (is_array($parts)) { 149 | foreach ($parts as $part) { 150 | $this->addString($part); 151 | } 152 | } 153 | } 154 | 155 | public function 156 | isGlobalRoot () 157 | { 158 | // Global root: not even on a specific server: 159 | return (!isset($this->parts[0])); 160 | } 161 | 162 | public function 163 | isServerRoot () 164 | { 165 | // Server root: on a server, but not on a share: 166 | return (isset($this->parts[0]) && !isset($this->parts[1])); 167 | } 168 | 169 | public function 170 | isWinSafe () 171 | { 172 | // Windows filenames cannot contain " * : < > ? \ / | 173 | // or characters 1..31. Also exclude \0 as a matter of course. 174 | // We need a sanitizer, because smbclient can be tricked into 175 | // running local shell commands by feeding it a command 176 | // starting with '!'. Ensure pathnames do not contain newlines 177 | // and other special chars (ironically, '!' itself is allowed): 178 | $bad = sprintf( 179 | '"*:<>?\/|%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c', 180 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 181 | 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 182 | 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 183 | 30, 31 184 | ); 185 | foreach ($this->parts as $part) { 186 | if (strpbrk($part, $bad)) { 187 | return false; 188 | } 189 | } 190 | return true; 191 | } 192 | } 193 | -------------------------------------------------------------------------------- /src/server.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | ini_set('display_errors', false); 23 | 24 | use Sabre\DAV; 25 | use Sabre\HTTP; 26 | 27 | include __DIR__ . '/vendor/autoload.php'; 28 | 29 | // Load config files: 30 | $config = new Config(); 31 | $config->load(__DIR__ . '/config'); 32 | 33 | // if this variable is not unambiguously true, bail out immediately: 34 | if ($config->enabled !== true) { 35 | $response = new HTTP\Response(404); 36 | HTTP\Sapi::sendResponse($response); 37 | return; 38 | } 39 | 40 | // The base URI is the SambaDAV root dir location on the server. 41 | // Check if the request was rewritten: 42 | $baseuri = (strpos($_SERVER['REQUEST_URI'], $config->server_basedir) === 0) ? $config->server_basedir : '/'; 43 | 44 | // Create central Log object: 45 | $log = new Log\Filesystem(); 46 | $log->setLevel($config->log_level); 47 | 48 | $auth = new Auth($config, $log, $baseuri); 49 | 50 | // Run the authentication routines: 51 | if ($auth->exec() === false) { 52 | return; 53 | } 54 | 55 | // Create cache object: 56 | $cache = ($config->cache_use) 57 | ? new Cache\Filesystem($config->cache_dir) 58 | : new Cache\Null(); 59 | 60 | // Clean stale cache files every once in a blue moon: 61 | // Time-based throttling to prevent too-frequent rechecking; 62 | // Random-based throttling to prevent contention in the "available" second: 63 | if ((time() % 5) == 0 && rand(0, 9) == 8) { 64 | $cache->clean(); 65 | } 66 | // Create SMB command class: 67 | $smb = new SMB($auth, $config, $log); 68 | 69 | // No server, share and path known in root dir: 70 | $rootDir = new Directory($auth, $config, $cache, $log, $smb, new URI(), null, 'D', null); 71 | 72 | // Add userhome to root dir: 73 | $rootDir->setUserhome($auth->getUserhome()); 74 | 75 | // The object tree needs in turn to be passed to the server class: 76 | $server = new DAV\Server($rootDir); 77 | $server->setBaseUri($baseuri); 78 | 79 | // Also make sure there is a 'data' directory, writable by the server. 80 | // This directory is used to store information about locks: 81 | $lockBackend = new DAV\Locks\Backend\File('data/locks.dat'); 82 | $lockPlugin = new DAV\Locks\Plugin($lockBackend); 83 | $server->addPlugin($lockPlugin); 84 | 85 | // Browser plugin, for plain directory listings: 86 | $plugin = new BrowserPlugin($config); 87 | $server->addPlugin($plugin); 88 | 89 | // Content-type plugin: 90 | $plugin = new \Sabre\DAV\Browser\GuessContentType(); 91 | 92 | // Define some custom types, the default list is really short: 93 | $plugin->extensionMap['gz'] = 'application/x-gzip'; 94 | $plugin->extensionMap['bmp'] = 'image/bmp'; 95 | $plugin->extensionMap['bz2'] = 'application/x-bzip2'; 96 | $plugin->extensionMap['doc'] = 'application/msword'; 97 | $plugin->extensionMap['dot'] = 'application/msword'; 98 | $plugin->extensionMap['dvi'] = 'application/x-dvi'; 99 | $plugin->extensionMap['eps'] = 'application/postscript'; 100 | $plugin->extensionMap['htm'] = 'text/html'; 101 | $plugin->extensionMap['pdf'] = 'application/pdf'; 102 | $plugin->extensionMap['pot'] = 'application/vnd.ms-powerpoint'; 103 | $plugin->extensionMap['ppt'] = 'application/vnd.ms-powerpoint'; 104 | $plugin->extensionMap['mp3'] = 'audio/mpeg'; 105 | $plugin->extensionMap['tgz'] = 'application/x-compressed'; 106 | $plugin->extensionMap['tif'] = 'image/tiff'; 107 | $plugin->extensionMap['wav'] = 'audio/wav'; 108 | $plugin->extensionMap['xla'] = 'application/excel'; 109 | $plugin->extensionMap['xlc'] = 'application/excel'; 110 | $plugin->extensionMap['xls'] = 'application/excel'; 111 | $plugin->extensionMap['xlt'] = 'application/excel'; 112 | $plugin->extensionMap['xlw'] = 'application/excel'; 113 | $plugin->extensionMap['zip'] = 'application/zip'; 114 | $plugin->extensionMap['docx'] = 'application/msword'; 115 | $plugin->extensionMap['html'] = 'text/html'; 116 | $plugin->extensionMap['mpeg'] = 'video/mpeg'; 117 | 118 | $server->addPlugin($plugin); 119 | 120 | // Compatibility fix for Microsoft Word 2003, 121 | // Otherwise harmless, according to http://sabre.io/dav/clients/msoffice: 122 | \Sabre\DAV\Xml\Property\LockDiscovery::$hideLockRoot = true; 123 | 124 | // Custom plugin to add the nonstandard DAV:ishidden and DAV:isreadonly flags: 125 | $server->addPlugin(new MSPropertiesPlugin()); 126 | 127 | // And off we go! 128 | $server->exec(); 129 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/SMBClient/Process.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV\SMBClient; 21 | 22 | class Process 23 | { 24 | public $fd = false; 25 | private $proc = false; 26 | private $auth = false; 27 | private $config; 28 | private $log; 29 | 30 | public function 31 | __construct ($auth, $config, $log) 32 | { 33 | $this->auth = $auth; 34 | $this->config = $config; 35 | $this->log = $log; 36 | } 37 | 38 | public function 39 | open ($args, $smbcmd) 40 | { 41 | $this->log->trace("%s: '%s', '%s'\n", __METHOD__, $args, $smbcmd); 42 | 43 | // $args is assumed to have been shell-escaped by caller; 44 | // append any extra smbclient options if specified: 45 | if (isset($this->config->smbclient_extra_opts) && is_string($this->config->smbclient_extra_opts)) { 46 | $args .= ' '.$this->config->smbclient_extra_opts; 47 | } 48 | $pipes = array 49 | ( 0 => array('pipe', 'r') // child reads from stdin 50 | , 1 => array('pipe', 'w') // child writes to stdout 51 | , 2 => array('pipe', 'w') // child writes to stderr 52 | , 3 => array('pipe', 'r') // child reads from fd#3 53 | , 4 => array('pipe', 'r') // child reads from fd#4 54 | , 5 => array('pipe', 'w') // child writes to fd#5 55 | ) ; 56 | 57 | $env = array 58 | ( 'HOME' => '/dev/null' // Nice restrictive environment 59 | , 'SHELL' => '/bin/false' 60 | // smbclient outputs filenames in utf8, also needs support in the environment 61 | // (with an ASCII locale you only get the lower bytes): 62 | , 'LC_ALL' => 'en_US.UTF-8' 63 | ) ; 64 | 65 | $cmd = ($this->auth->anonymous) 66 | ? sprintf('%s --debuglevel=0 --no-pass %s', $this->config->smbclient_path, $args) 67 | : sprintf('%s --debuglevel=0 --authentication-file=/proc/self/fd/3 %s', $this->config->smbclient_path, $args); 68 | 69 | $this->log->info("proc_open(%s, ...)\n", $cmd); 70 | 71 | if (!($this->proc = proc_open($cmd, $pipes, $this->fd, '/', $env))) { 72 | $this->log->error("proc_open failed: %s\n", $cmd); 73 | return false; 74 | } 75 | if (!is_resource($this->proc)) { 76 | $this->log->error("proc_open did not return valid resource\n"); 77 | return false; 78 | } 79 | if (!$this->writeAuthFile()) { 80 | return false; 81 | } 82 | if (!$this->writeCommand($smbcmd)) { 83 | return false; 84 | } 85 | return true; 86 | } 87 | 88 | public function 89 | getStdoutHandle () 90 | { 91 | // Return the file handle corresponding to stdout: 92 | return $this->fd[1]; 93 | } 94 | 95 | public function 96 | getOutputStreamHandle () 97 | { 98 | // Return the file handle corresponding to the program's 99 | // write pipe: 100 | return $this->fd[5]; 101 | } 102 | 103 | public function 104 | getStdinHandle () 105 | { 106 | // Separate getter for test mocking purposes: 107 | return $this->fd[0]; 108 | } 109 | 110 | public function 111 | closeStdinHandle () 112 | { 113 | fclose($this->getStdinHandle()); 114 | } 115 | 116 | public function 117 | getAuthFileHandle () 118 | { 119 | // Separate getter for test mocking purposes: 120 | return $this->fd[3]; 121 | } 122 | 123 | public function 124 | closeAuthFileHandle () 125 | { 126 | fclose($this->getAuthFileHandle()); 127 | } 128 | 129 | public function 130 | writeAuthFile () 131 | { 132 | $this->log->trace("%s\n", __METHOD__); 133 | 134 | if ($this->auth->anonymous === false) 135 | { 136 | $creds = array(); 137 | 138 | if (is_string($user = $this->auth->sambaUsername())) { 139 | $creds[] = "username=$user"; 140 | } 141 | if (is_string($pass = $this->auth->pass)) { 142 | $creds[] = "password=$pass"; 143 | } 144 | if (is_string($domain = $this->auth->sambaDomain())) { 145 | $creds[] = "domain=$domain"; 146 | } 147 | if (fwrite($this->getAuthFileHandle(), implode("\n", $creds)) === false) { 148 | $this->log->error("fwrite to auth file failed\n"); 149 | $this->closeAuthFileHandle(); 150 | return false; 151 | } 152 | } 153 | $this->closeAuthFileHandle(); 154 | return true; 155 | } 156 | 157 | public function 158 | writeCommand ($smbcmd) 159 | { 160 | $this->log->trace("%s\n", __METHOD__); 161 | 162 | if ($smbcmd !== false) { 163 | if (fwrite($this->getStdinHandle(), $smbcmd) === false) { 164 | $this->log->error("fwrite to stdin failed\n"); 165 | $this->closeStdinHandle(); 166 | return false; 167 | } 168 | } 169 | $this->closeStdinHandle(); 170 | return true; 171 | } 172 | 173 | public function 174 | __destruct () 175 | { 176 | if (is_array($this->fd)) { 177 | foreach ($this->fd as $fd) { 178 | if (is_resource($fd)) { 179 | fclose($fd); 180 | } 181 | } 182 | } 183 | if (is_resource($this->proc)) { 184 | proc_close($this->proc); 185 | } 186 | } 187 | } 188 | -------------------------------------------------------------------------------- /src/config/config.inc.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | return array( 21 | 22 | // This variable MUST be set to true for SambaDAV to work; server.php will exit 23 | // with a 404 error if this variable has any other value than true. Rationale 24 | // is to have a single master on/off switch for the SambaDAV service: 25 | 'enable_webfolders' => true, 26 | 27 | // Base directory on webserver (the root URL): 28 | 'server_basedir' => '/webfolders/', 29 | 30 | // Full path to the smbclient utility: 31 | 'smbclient_path' => '/usr/bin/smbclient', 32 | 33 | // Extra options to smbclient, pasted verbatim on commandline if not false; 34 | // see manpage for smbclient; example: '--port 6789 -O TCP_NODELAY' 35 | 'smbclient_extra_opts' => false, 36 | 37 | // Allow anonymous logins/browsing (no username/pass): 38 | 'anonymous_allow' => false, 39 | 40 | // Allow *only* anonymous logins: this disables the password prompt; implies 'anonymous_allow': 41 | 'anonymous_only' => false, 42 | 43 | // Don't procure eTags for files larger than this size (bytes): 44 | // NB: calculating the eTag is very resource-intensive, because the file must 45 | // be streamed through smbclient and md5summed. The (limited) utility of eTags 46 | // doesn't really justify the significant processing overhead. 47 | 'etag_size_limit' => -1, 48 | 49 | // Set to true to use disk cache in /dev/shm/webfolders, false to disable: 50 | 'cache_use' => true, 51 | 52 | // Dir to use for cache files; preferably keep this in /dev/shm for speed; 53 | // the lowest-level directory is created if not exists: 54 | 'cache_dir' => '/dev/shm/webfolders', 55 | 56 | // Use LDAP authentication on top of smbclient authentication? 57 | 'ldap_auth' => false, 58 | 59 | // Hostname and basedn to use; string, or null to look them up in /etc/ldap.conf: 60 | 'ldap_host' => null, 61 | 'ldap_basedn' => null, 62 | 63 | // Port the LDAP server listens on. Default is 389. 64 | 'ldap_port' => 389, 65 | 66 | // LDAP bind method, 'bind' for an AD style bind, 'fastbind' for a user bind: 67 | 'ldap_method' => 'fastbind', 68 | 69 | // Auth DN and password for an AD style bind: 70 | 'ldap_authdn' => null, 71 | 'ldap_authpass' => null, 72 | 73 | // Array of LDAP group(s) that the user must be a member of, false for bind-only check: 74 | 'ldap_groups' => false, 75 | 76 | // If you set this variable to the name of the server that contains the 77 | // userhomes, SambaDAV will add the user's home directory to the topmost list 78 | // of directories. For example, if your server is called 'JUPITER', setting 79 | // $share_userhomes to the string 'JUPITER' and logging in with user 'john' 80 | // will auto-add the share 'john' on 'JUPITER' to the list of shares. 81 | 'share_userhomes' => false, 82 | 83 | // If this variable is set to the name of a LDAP property, then that property 84 | // will be queried for the location of the user's home. Example: if every user 85 | // has an LDAP property called 'sambaHomePath', then by setting the variable 86 | // below to 'sambaHomePath', SambaDAV will read the value of that property and 87 | // use it as the home directory. Currently, the value in LDAP must look like: 88 | // \\servername (will be expanded to \\servername\username) 89 | // \\servername\sharename 90 | 'share_userhome_ldap' => false, 91 | 92 | // The username that a user logs in with can be dissected as follows: 93 | // workgroup\username@domain 94 | // %w = workgroup 95 | // %u = username 96 | // %d = domain 97 | // 98 | // The %w, %u and %d placeholders can be used in pattern strings. 99 | // The username is always available by definition, unless anonymous 100 | // login is allowed. The other two placeholders can be undefined if the 101 | // user didn't enter them. If you specify a pattern that can't be 102 | // filled from the user's input, the application will abort the 103 | // request. 104 | 105 | // Pattern for the userhomes. If defined, this will override 'share_userhomes'. 106 | // Example: '//SERVER/%u': 107 | 'userhome_pattern' => null, 108 | 109 | // Pattern to create the username with that's used for LDAP authentication: 110 | // Example: '%u-%w' 111 | 'ldap_username_pattern' => '%u', 112 | 113 | // Pattern to create the username with that's passed to Samba for authentication: 114 | // Example: '%w\\%u' 115 | 'samba_username_pattern' => '%u', 116 | 117 | // Pattern to create the domain with that's passed to Samba for authentication: 118 | 'samba_domain_pattern' => null, 119 | 120 | // Log level: can be 'none', 'error', 'warn', 'info', 'debug' or 'trace', 121 | // in order of verboseness from least to most: 122 | 'log_level' => 'warn', 123 | 124 | // Set to true to enable delete buttons in web interface 125 | 'browserplugin_enable_delete' => false, 126 | ); 127 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Cache.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | abstract class Cache 23 | { 24 | // Write $data to cache as $key, good for $timeout seconds. 25 | // Returns true/false. 26 | abstract protected function write ($key, $data, $timeout); 27 | 28 | // Read $data from cache as $key, if younger than timeout. 29 | // Returns true/false. 30 | abstract protected function read ($key, &$data, $timeout); 31 | 32 | // Delete data under $key from cache: 33 | abstract protected function delete ($key); 34 | 35 | // Run a cleaning pass on the cache: 36 | abstract protected function clean (); 37 | 38 | private function 39 | key ($auth, $callableName, $uri) 40 | { 41 | // Key is unique for function, URI, username and password. 42 | // Include password here to avoid decode errors when someone 43 | // logs in with a valid username and wrong password. If the 44 | // password would not contribute to the filename, we would try 45 | // to open the existing cache file and get a decode error: 46 | return sha1($auth->user . $auth->pass . $callableName . $uri->uriFull(), false); 47 | } 48 | 49 | public function 50 | serialize ($data, &$raw, $iv_size, $user_key) 51 | { 52 | // Serialize the raw data: 53 | if (($ser = serialize($data)) === false) { 54 | return false; 55 | } 56 | // Compress: 57 | if (($com = gzcompress($ser)) === false) { 58 | return false; 59 | } 60 | // Encrypt: 61 | if (($raw = $this->encrypt($com, $iv_size, $user_key)) === false) { 62 | return false; 63 | } 64 | return true; 65 | } 66 | 67 | public function 68 | unserialize (&$data, $raw, $iv_size, $user_key) 69 | { 70 | // Decode: 71 | if (($dec = $this->decrypt($raw, $iv_size, $user_key)) === false) { 72 | return false; 73 | } 74 | // Uncompress: 75 | if (($unc = gzuncompress($dec)) === false) { 76 | return false; 77 | } 78 | // Unserialize to get plain data: 79 | if (($data = unserialize($unc)) === false) { 80 | return false; 81 | } 82 | return true; 83 | } 84 | 85 | public function 86 | encrypt ($data, $iv_size, $user_key) 87 | { 88 | if (($iv = mcrypt_create_iv($iv_size, MCRYPT_RAND)) === false) { 89 | return false; 90 | } 91 | // The key is a salted hash of the user's password; 92 | // this salt is not very random, but "good enough"; 93 | // MD5-hash it to a binary value so its length is constant and known: 16 bytes: 94 | $salt = md5(uniqid('', true), true); 95 | $key = sha1($salt . $user_key . 'webfolders', true) . substr($salt, 0, 4); // 24 bytes 96 | 97 | // Prepend the IV and the password salt to the data; both are not secret: 98 | return $iv . $salt . mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, $iv); 99 | } 100 | 101 | public function 102 | decrypt ($data, $iv_size, $user_key) 103 | { 104 | // Binary MD5 hash is 16 bytes long: 105 | $salt_size = 16; 106 | 107 | // Get the IV and the salt from the front of the encrypted data: 108 | if (strlen($data) < $iv_size + $salt_size) { 109 | return false; 110 | } 111 | $iv = substr($data, 0, $iv_size); 112 | $salt = substr($data, $iv_size, $salt_size); 113 | $key = sha1($salt . $user_key . 'webfolders', true) . substr($salt, 0, 4); 114 | 115 | return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, substr($data, $iv_size + $salt_size), MCRYPT_MODE_CBC, $iv); 116 | } 117 | 118 | public function 119 | get ($callable, $args = array(), $auth, $uri, $timeout) 120 | { 121 | if (extension_loaded('mcrypt') === false) { 122 | return call_user_func_array($callable, $args); 123 | } 124 | if (($iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)) === false) { 125 | return call_user_func_array($callable, $args); 126 | } 127 | if (is_callable($callable, false, $callableName) === false) { 128 | return call_user_func_array($callable, $args); 129 | } 130 | $key = $this->key($auth, $callableName, $uri); 131 | 132 | // The key we use to encrypt the data: 133 | $user_key = $auth->pass . $callableName . $uri->uriFull(); 134 | 135 | // First try to get the data from the cache: 136 | if ($this->read($key, $raw, $timeout)) { 137 | if ($this->unserialize($data, $raw, $iv_size, $user_key)) { 138 | return $data; 139 | } 140 | } 141 | // If that failed, run the function, store the result: 142 | $data = call_user_func_array($callable, $args); 143 | 144 | // Serialize the data, try to store it: 145 | if ($this->serialize($data, $raw, $iv_size, $user_key) !== false) { 146 | $this->write($key, $raw, $timeout); 147 | } 148 | return $data; 149 | } 150 | 151 | public function 152 | remove ($callable, $auth, $uri) 153 | { 154 | if (is_callable($callable, false, $callableName) === false) { 155 | return false; 156 | } 157 | return $this->delete($this->key($auth, $callableName, $uri)); 158 | } 159 | } 160 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Propflags.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class Propflags 23 | { 24 | // These flag letters are taken from /source3/client/client.c in the 25 | // Samba source tarball, function attr_str(). These are the flags we 26 | // can theoretically expect to see in smbclient's `ls` output. 27 | // NB: the 'N' flag occurs twice in the smbclient source, but we 28 | // interpret 'N' to always stand for NORMAL, based on actual listings. 29 | private $flags = array 30 | ( 'R' => false // FILE_ATTRIBUTE_READONLY 31 | , 'H' => false // FILE_ATTRIBUTE_HIDDEN 32 | , 'S' => false // FILE_ATTRIBUTE_SYSTEM 33 | , 'D' => false // FILE_ATTRIBUTE_DIRECTORY 34 | , 'A' => false // FILE_ATTRIBUTE_ARCHIVE 35 | , 'N' => false // FILE_ATTRIBUTE_NORMAL 36 | , 'T' => false // FILE_ATTRIBUTE_TEMPORARY 37 | , 's' => false // FILE_ATTRIBUTE_SPARSE 38 | , 'r' => false // FILE_ATTRIBUTE_REPARSE_POINT 39 | , 'C' => false // FILE_ATTRIBUTE_COMPRESSED 40 | , 'O' => false // FILE_ATTRIBUTE_OFFLINE 41 | // , 'N' => false // FILE_ATTRIBUTE_NONINDEXED 42 | , 'E' => false // FILE_ATTRIBUTE_ENCRYPTED 43 | ) ; 44 | 45 | // These values are from /libcli/smb/smb_constants.h in the Samba 46 | // source tarball, they are the bitmask values for the Win32 property string: 47 | private $bitmask = array 48 | ( 'R' => 0x0001 49 | , 'H' => 0x0002 50 | , 'S' => 0x0004 51 | , 'D' => 0x0010 52 | , 'A' => 0x0020 53 | , 'N' => 0x0080 54 | , 'T' => 0x0100 55 | , 's' => 0x0200 56 | , 'r' => 0x0400 57 | , 'C' => 0x0800 58 | , 'O' => 0x1000 59 | // , 'N' => 0x2000 // Skip the NONINDEXED flag: if we see an N, it always stands for NORMAL. 60 | , 'E' => 0x4000 61 | ) ; 62 | 63 | private $init = false; 64 | 65 | public function 66 | __construct ($smbflags = null) 67 | { 68 | if ($smbflags !== null) $this->fromSmbflags($smbflags); 69 | } 70 | 71 | public function 72 | fromWin32 ($msflags) 73 | { 74 | if (strlen($msflags) !== 8 75 | || sscanf($msflags, '%08x', $flags) !== 1) { 76 | return $this->init = false; 77 | } 78 | foreach (array_keys($this->flags) as $flag) { 79 | $this->flags[$flag] = (bool)($flags & $this->bitmask[$flag]); 80 | } 81 | $this->updateNormal(); 82 | return $this->init = true; 83 | } 84 | 85 | public function 86 | toWin32 () 87 | { 88 | if ($this->init === false) return false; 89 | 90 | $msflags = 0; 91 | 92 | // This is the string returned in the proprietary 93 | // '{urn:schemas-microsoft-com:}Win32FileAttributes' DAV property, 94 | // used by the DAV client in Windows. 95 | foreach (array_keys($this->flags) as $flag) { 96 | if ($this->flags[$flag]) { 97 | $msflags |= $this->bitmask[$flag]; 98 | } 99 | } 100 | return sprintf('%08x', $msflags); 101 | } 102 | 103 | public function 104 | diff ($that) 105 | { 106 | // Returns an array with zero, one or two strings: the strings 107 | // needed to go from flags in $this to $that, in `smbclient 108 | // setmode` format, so '+-shar'. These are the only flags that 109 | // smbclient supports for toggling, so ignore the rest. 110 | 111 | $ret = []; 112 | $on = $off = ''; 113 | 114 | if (!$this->init || !$that->init) { 115 | return $ret; 116 | } 117 | foreach (['S','H','A','R'] as $flag) 118 | { 119 | // Flags that are on in ours and off in theirs must be turned off: 120 | if ($this->flags[$flag] && !$that->flags[$flag]) { 121 | $off .= strtolower($flag); 122 | } 123 | // Flags that are on in theirs and off in ours must be turned on: 124 | if ($that->flags[$flag] && !$this->flags[$flag]) { 125 | $on .= strtolower($flag); 126 | } 127 | } 128 | if (strlen($off)) $ret[] = '-'.$off; 129 | if (strlen($on)) $ret[] = '+'.$on; 130 | 131 | return $ret; 132 | } 133 | 134 | public function 135 | set ($flag, $val) 136 | { 137 | $this->flags[$flag] = $val; 138 | $this->updateNormal(); 139 | $this->init = true; 140 | } 141 | 142 | public function 143 | get ($flag) 144 | { 145 | return ($this->init) ? $this->flags[$flag] : false; 146 | } 147 | 148 | private function 149 | fromSmbflags ($smbflags) 150 | { 151 | // The 'smbflags' are the ones found in the output of 152 | // smbclient's `ls` command. They are case-sensitive. 153 | foreach (array_keys($this->flags) as $flag) { 154 | $this->flags[$flag] = (strpos($smbflags, $flag) !== false); 155 | } 156 | $this->updateNormal(); 157 | $this->init = true; 158 | } 159 | 160 | private function 161 | updateNormal () 162 | { 163 | // The N (NORMAL) flag can only be set if no other flags are set: 164 | if ($this->flags['N']) { 165 | foreach ($this->flags as $flag => $value) { 166 | if ($flag !== 'N' && $value) { 167 | $this->flags['N'] = false; 168 | break; 169 | } 170 | } 171 | return; 172 | } 173 | // If no flags are set, ensure that N is set: 174 | foreach ($this->flags as $flag => $value) { 175 | if ($value) { 176 | return; 177 | } 178 | } 179 | $this->flags['N'] = true; 180 | } 181 | } 182 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Cache/Filesystem.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV\Cache; 21 | 22 | class Filesystem extends \SambaDAV\Cache 23 | { 24 | private $basedir = '/dev/shm/webfolders'; 25 | 26 | // Create all files -rw------ 27 | private $umask = 0177; 28 | 29 | // This file is used as a lockfile and timestamp for the cache cleanup process, 30 | // so that no cache writes can be done during a cleanup, and vice versa: 31 | private $semaphore = null; 32 | 33 | // The maximal age in seconds that a cache file can reach before being 34 | // eligible for reaping (and also the minimal age the semaphore file 35 | // must have before starting cleanup): 36 | const MAX_AGE = 60; 37 | 38 | public function 39 | __construct ($basedir = null, $umask = null) 40 | { 41 | if ($basedir !== null) { 42 | $this->basedir = $basedir; 43 | } 44 | if ($umask !== null) { 45 | $this->umask = $umask; 46 | } 47 | // Make directory if not exists: 48 | if (is_dir($this->basedir) === false) { 49 | mkdir($this->basedir, 0700, false); 50 | } 51 | $this->semaphore = "{$this->basedir}/last_cleaned"; 52 | } 53 | 54 | public function 55 | write ($key, $data, $timeout) 56 | { 57 | umask($this->umask); 58 | 59 | // There is a slight race condition here with the cache cleanup 60 | // processes: if we fopen() a stale file, the cleanup process could 61 | // unlink it before we manage to modify its mtime by calling 62 | // ftruncate(). The worst that can happen is a potential cache miss on 63 | // the next lookup. That's not worth serializing cache access for. 64 | if (($fd = fopen($this->filename($key), 'a')) === false) { 65 | return false; 66 | } 67 | if (flock($fd, LOCK_EX) === false) { 68 | fclose($fd); 69 | return false; 70 | } 71 | $result = $this->writefd($fd, $data); 72 | 73 | flock($fd, LOCK_UN); 74 | fclose($fd); 75 | 76 | return true; 77 | } 78 | 79 | public function 80 | read ($key, &$data, $timeout) 81 | { 82 | if (($fd = @fopen($this->filename($key), 'r')) === false) { 83 | return false; 84 | } 85 | if (flock($fd, LOCK_SH) === false) { 86 | fclose($fd); 87 | return false; 88 | } 89 | // Try to read into $data: 90 | $result = $this->readfd($fd, $data, $timeout); 91 | 92 | flock($fd, LOCK_UN); 93 | fclose($fd); 94 | 95 | return $result; 96 | } 97 | 98 | public function 99 | delete ($key) 100 | { 101 | // Try to get blocking lock on cache clean semaphore file: 102 | // If this call fails, just steam ahead regardless: 103 | $fd = $this->semaphoreOpen(true); 104 | @unlink($this->filename($key)); 105 | if ($fd) $this->semaphoreClose($fd); 106 | } 107 | 108 | public function 109 | clean () 110 | { 111 | // Must acquire the cache clean semaphore, else assume 112 | // that another cleanup thread is already running: 113 | if (($fd = $this->semaphoreGet()) === false) { 114 | return false; 115 | } 116 | // Remove files older than self::MAX_AGE seconds: 117 | if (($dir = opendir($this->basedir)) === false) { 118 | $this->semaphoreClose($fd); 119 | return false; 120 | } 121 | while (($entry = readdir($dir)) !== false) { 122 | if ($entry === '.' || $entry === '..' || $entry === 'last_cleaned') { 123 | continue; 124 | } 125 | $file = "{$this->basedir}/$entry"; 126 | if ((time() - filemtime($file)) > self::MAX_AGE) { 127 | unlink($file); 128 | } 129 | } 130 | closedir($dir); 131 | 132 | // ftruncate() updates the mtime on the semaphore file: 133 | ftruncate($fd, 0); 134 | $this->semaphoreClose($fd); 135 | return true; 136 | } 137 | 138 | private function 139 | filename ($key) 140 | { 141 | return "{$this->basedir}/$key"; 142 | } 143 | 144 | private function 145 | writefd ($fd, $raw) 146 | { 147 | // Discard data, place file pointer at offset 0: 148 | if (ftruncate($fd, 0) === false) { 149 | return false; 150 | } 151 | // Write to file: 152 | if (fwrite($fd, $raw) === false) { 153 | return false; 154 | } 155 | fflush($fd); 156 | return true; 157 | } 158 | 159 | private function 160 | readfd ($fd, &$data, $timeout) 161 | { 162 | // Get file stats: 163 | if (($stat = fstat($fd)) === false) { 164 | return false; 165 | } 166 | // If file is too old, data is stale: 167 | if (time() - $stat['mtime'] > $timeout) { 168 | return false; 169 | } 170 | // If file is empty, data is invalid: 171 | if ($stat['size'] === 0) { 172 | return false; 173 | } 174 | // Read file contents: 175 | if (($data = fread($fd, $stat['size'])) === false) { 176 | return false; 177 | } 178 | return true; 179 | } 180 | 181 | private function 182 | semaphoreGet () 183 | { 184 | // Returns false if we are not eligible to clean (semaphore 185 | // file is locked, or timestamp too recent), else returns fd 186 | // of semaphore file. 187 | if (($fd = $this->semaphoreOpen(false)) === false) { 188 | return false; 189 | } 190 | // Get last modification time: 191 | if (($stat = fstat($fd)) === false) { 192 | $this->semaphoreClose($fd); 193 | return false; 194 | } 195 | // File modification time too recent? 196 | if ((time() - $stat['mtime']) < self::MAX_AGE) { 197 | $this->semaphoreClose($fd); 198 | return false; 199 | } 200 | return $fd; 201 | } 202 | 203 | private function 204 | semaphoreOpen ($block) 205 | { 206 | // Returns the fd of the semaphore file in locked state if we 207 | // were able to acquire it, else false. 208 | 209 | // Try to open the semaphore file in append mode. 210 | // This can fail if there is no cache directory, in which case 211 | // we don't need to do cleanup anyway. 212 | if (($fd = @fopen($this->semaphore, 'a')) === false) { 213 | return false; 214 | } 215 | // In blocking mode, try to obtain exclusive lock: 216 | if ($block && flock($fd, LOCK_EX)) { 217 | return $fd; 218 | } 219 | // In non-blocking mode, try to obtain exclusive lock: 220 | if (flock($fd, LOCK_EX | LOCK_NB, $wouldblock) && !$wouldblock) { 221 | return $fd; 222 | } 223 | // Could not lock file, return unsuccessfully: 224 | fclose($fd); 225 | return false; 226 | } 227 | 228 | private function 229 | semaphoreClose ($fd) 230 | { 231 | flock($fd, LOCK_UN); 232 | fclose($fd); 233 | } 234 | } 235 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/SMBClient/Parser.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV\SMBClient; 21 | 22 | use \SambaDAV\SMB; 23 | 24 | class Parser 25 | { 26 | private $fd = false; 27 | private $nline = 0; 28 | 29 | public function 30 | __construct ($data) 31 | { 32 | if ($data instanceof Process) { 33 | // Use the process's stdout handle for reading: 34 | $this->fd = $data->getStdoutHandle(); 35 | } 36 | else { 37 | // Assume that $data is a file handle: 38 | $this->fd = $data; 39 | } 40 | } 41 | 42 | private function 43 | getResources () 44 | { 45 | $resources = array(); 46 | while (($line = $this->getLine()) !== false) { 47 | if (is_array($line)) { 48 | return $line[0]; 49 | } 50 | $resources[] = $line; 51 | } 52 | return $resources; 53 | } 54 | 55 | public function 56 | getShares () 57 | { 58 | // if $resources is not an array, it's an error code: 59 | if (!is_array($resources = $this->getResources())) { 60 | return $resources; 61 | } 62 | $shares = Array(); 63 | foreach ($resources as $line) { 64 | if (strpos($line, 'Disk|') !== 0) { 65 | continue; 66 | } 67 | if (($term = strpos($line, '|', 5)) === false || $term === 5) { 68 | continue; 69 | } 70 | $name = substr($line, 5, $term - 5); 71 | // "Special" shares have a name ending with '$', discard those: 72 | if (substr($name, -1, 1) === '$') { 73 | continue; 74 | } 75 | $shares[] = $name; 76 | } 77 | return $shares; 78 | } 79 | 80 | public function 81 | getDiskUsage () 82 | { 83 | // The 'du' command only gives a global total for the entire share; 84 | // the Unix 'du' can do a tally for a subdir, but this one can't. 85 | while (($line = $this->getLine()) !== false) { 86 | if (is_array($line)) { 87 | return $line[0]; 88 | } 89 | if (preg_match('/([0-9]+) blocks of size ([0-9]+)\. ([0-9]+) blocks available/', $line, $matches) === 0) { 90 | continue; 91 | } 92 | return Array( 93 | $matches[2] * ($matches[1] - $matches[3]), // used space (bytes) 94 | $matches[2] * $matches[3] // available space (bytes) 95 | ); 96 | } 97 | return false; 98 | } 99 | 100 | public function 101 | getStatus () 102 | { 103 | // Parses the smbclient output on stdout, returns SMB::STATUS_OK 104 | // if everything could be read without encountering errors 105 | // (as parsed by getLine), else it returns the error code. 106 | while (($line = $this->getLine()) !== false) { 107 | if (is_array($line)) { 108 | return $line[0]; 109 | } 110 | } 111 | return SMB::STATUS_OK; 112 | } 113 | 114 | public function 115 | getListing () 116 | { 117 | $ret = Array(); 118 | while (($line = $this->getLine()) !== false) { 119 | if (is_array($line)) { 120 | return $line[0]; 121 | } 122 | if (($parsed = $this->parseFileLine($line)) !== false) { 123 | $ret[] = $parsed; 124 | } 125 | } 126 | return $ret; 127 | } 128 | 129 | private function 130 | getLine () 131 | { 132 | // Returns false if no more lines; 133 | // Returns Array(errorcode) if error found; 134 | // Returns the line as a string if all is well. 135 | 136 | if (!is_resource($this->fd)) { 137 | return false; 138 | } 139 | while (($line = fgets($this->fd)) !== false) 140 | { 141 | // If this is not the first or second line of output, 142 | // return it verbatim: 143 | if ($this->nline++ >= 2) { 144 | return $line; 145 | } 146 | // In lines 1 and 2, check if we can match an error code; 147 | // if not, return the line verbatim: 148 | if (preg_match('/(NT_STATUS_[A-Z0-9_]*)/', $line, $matches) !== 1) { 149 | return $line; 150 | } 151 | // Translate the error code: 152 | switch ($matches[1]) 153 | { 154 | // This is the only status we consider 155 | // acceptable; continue with next line: 156 | case 'NT_STATUS_OK': 157 | continue; 158 | 159 | case 'NT_STATUS_LOGON_FAILURE': 160 | case 'NT_STATUS_ACCESS_DENIED': // TODO: this can also mean "not writable" 161 | return Array(SMB::STATUS_UNAUTHENTICATED); 162 | 163 | case 'NT_STATUS_NO_SUCH_FILE': 164 | case 'NT_STATUS_BAD_NETWORK_NAME': 165 | case 'NT_STATUS_OBJECT_PATH_NOT_FOUND': 166 | case 'NT_STATUS_OBJECT_NAME_NOT_FOUND': 167 | return Array(SMB::STATUS_NOTFOUND); 168 | 169 | // All other statuses, assume unauthenticated: 170 | default: 171 | return Array(SMB::STATUS_UNAUTHENTICATED); 172 | } 173 | } 174 | return false; 175 | } 176 | 177 | private function 178 | parseFileLine ($line) 179 | { 180 | // Parses a line of smbclient's ls output and returns an array with the following fields: 181 | // 0 - filename; 182 | // 1 - flags; 183 | // 2 - size; 184 | // 3 - Unix timestamp. 185 | 186 | // The printf format that smbclient uses to print the file data can be 187 | // found in ./source3/client/client.c, line 549 or thereabouts. 188 | // 189 | // d_printf(" %-30s%7.7s %8.0f %s", 190 | // finfo->name, 191 | // attrib_string(finfo->mode), 192 | // (double)finfo->size, 193 | // time_to_asc(t)); 194 | // 195 | // So the string looks like this: 196 | // - two spaces; 197 | // - at least 30 characters of space-padded filename; 198 | // - exactly 7 characters of flags/spaces; 199 | // - a space; 200 | // - at least 8 characters of file length; 201 | // - two spaces; 202 | // - time string. 203 | // The time string is its own can of worms, but fairly deterministic-looking. 204 | // Match from right to left: 205 | 206 | // Name Flags Size Mon Mar 8 13:00:07 2010 207 | if (preg_match("/^ (.*)([A-Za-z ]{7}) ([0-9]{8,}|[0-9 ]{8}) (.*)$/", rtrim($line), $matches) === 0) { 208 | return false; 209 | } 210 | $output['name'] = rtrim($matches[1]); 211 | $output['flags'] = trim($matches[2]); 212 | $output['size'] = (int)$matches[3]; 213 | 214 | // Create Unix timestamp from freeform date string: 215 | $date = date_parse($matches[4]); 216 | 217 | if ($date === false) { 218 | $output['mtime'] = null; 219 | } 220 | else { 221 | $output['mtime'] = mktime 222 | ( $date['hour'], $date['minute'], $date['second'] 223 | , $date['month'], $date['day'], $date['year'] 224 | ) ; 225 | } 226 | return $output; 227 | } 228 | } 229 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/LDAP.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class LDAP 23 | { 24 | public $method = null; 25 | public $host = null; 26 | public $port = null; 27 | public $basedn = null; 28 | public $userhome = null; 29 | 30 | public $authdn = null; 31 | public $authpass = null; 32 | 33 | private $conn = null; 34 | 35 | const METHOD_FASTBIND = 1; 36 | const METHOD_BIND = 2; 37 | const CONFIG_FILE = '/etc/ldap.conf'; 38 | 39 | public function 40 | __construct ($method = self::METHOD_FASTBIND, $host = null, $basedn = null, $authdn = null, $authpass = null, $port = 389) 41 | { 42 | $this->method = $method; 43 | $this->host = $host; 44 | $this->port = $port; 45 | $this->basedn = $basedn; 46 | $this->authdn = $authdn; 47 | $this->authpass = $authpass; 48 | } 49 | 50 | public function 51 | __destruct () 52 | { 53 | if (is_resource($this->conn)) { 54 | ldap_close($this->conn); 55 | } 56 | } 57 | 58 | public function 59 | connect () 60 | { 61 | if ($this->getParams() === false) { 62 | return false; 63 | } 64 | if (($this->conn = ldap_connect($this->host, $this->port)) === false) { 65 | return false; 66 | } 67 | if (ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3) === false) { 68 | ldap_close($this->conn); 69 | return false; 70 | } 71 | if ($this->method === self::METHOD_BIND) { 72 | // To search on Active Directory, we must set this option or we 73 | // get an "Operations error": 74 | ldap_set_option($this->conn, LDAP_OPT_REFERRALS, 0); 75 | } 76 | return true; 77 | } 78 | 79 | public function 80 | verify ($user, $pass, $ldap_groups = null, $prop_userhome = null) 81 | { 82 | if ($user === false || $user === '' 83 | || $pass === false || $pass === '') { 84 | return false; 85 | } 86 | if ($this->connect() === false) { 87 | return false; 88 | } 89 | if ($this->method === self::METHOD_FASTBIND) { 90 | $ret = $this->verify_fastbind($user, $pass, $ldap_groups, $prop_userhome); 91 | ldap_close($this->conn); 92 | return $ret; 93 | } 94 | if ($this->method === self::METHOD_BIND) { 95 | $ret = $this->verify_bind($user, $pass, $ldap_groups, $prop_userhome); 96 | ldap_close($this->conn); 97 | return $ret; 98 | } 99 | ldap_close($this->conn); 100 | return false; 101 | } 102 | 103 | private function 104 | verify_fastbind ($user, $pass, $ldap_groups, $prop_userhome) 105 | { 106 | // Suppress errors with the @ prefix because a bind error is *expected* 107 | // in case of a failed login; no need to pollute the error log: 108 | $searchdn = sprintf('ou=Users,%s', $this->escape($this->basedn)); 109 | 110 | if (@ldap_bind($this->conn, sprintf('uid=%s,%s', $this->escape($user), $searchdn), $pass) === false) { 111 | return false; 112 | } 113 | if ($this->groupSearch($user, $ldap_groups) === false) { 114 | return false; 115 | } 116 | // Find the userhome share: 117 | $filter = sprintf('(&(objectclass=posixAccount)(uid=%s))', $this->escape($user)); 118 | $this->userhomeSearch($user, $searchdn, $filter, $prop_userhome); 119 | 120 | return true; 121 | } 122 | 123 | private function 124 | verify_bind ($user, $pass, $ldap_groups, $prop_userhome) 125 | { 126 | // Start by binding with the auth account: 127 | if (@ldap_bind($this->conn, $this->authdn, $this->authpass) === false) { 128 | return false; 129 | } 130 | // We are now bound under the auth account; lookup the user's DN: 131 | $userfilter = sprintf('(&(objectclass=USER)(SAMACCOUNTNAME=%s))', $this->escape($user)); 132 | 133 | if (($result = ldap_search($this->conn, $this->basedn, $userfilter)) === false) { 134 | return false; 135 | } 136 | if (($entry = ldap_first_entry($this->conn, $result)) === false) { 137 | return false; 138 | } 139 | if (($userdn = ldap_get_dn($this->conn, $entry)) === false) { 140 | return false; 141 | } 142 | // $userdn now contains the user's actual DN. 143 | // Now we do a fastbind with this userdn: 144 | 145 | if (@ldap_bind($this->conn, $userdn, $pass) === false) { 146 | return false; 147 | } 148 | // Check that the user is a member of the given group(s): 149 | if (is_array($ldap_groups)) { 150 | $esc = array(); 151 | foreach ($ldap_groups as $group) { 152 | $esc[] = sprintf('(&(objectclass=GROUP)(SAMACCOUNTNAME=%s))', $this->escape($group)); 153 | } 154 | $groupfilter = sprintf('(&(|%s)(member=%s))', implode($esc), $userdn); 155 | } 156 | else if (is_string($ldap_groups)) { 157 | $groupfilter = sprintf('(&(&(objectclass=GROUP)(SAMACCOUNTNAME=%s))(member=%s))', $this->escape($ldap_groups), $userdn); 158 | } 159 | else { 160 | // No groups specified? Find userhome: 161 | $this->userhomeSearch($user, $userdn, $userfilter, $prop_userhome); 162 | return true; 163 | } 164 | if (($result = ldap_search($this->conn, $this->basedn, $groupfilter, array('member'), 1)) === false) { 165 | return false; 166 | } 167 | if (ldap_first_entry($this->conn, $result) === false) { 168 | return false; 169 | } 170 | // Find the userhome share: 171 | $this->userhomeSearch($user, $userdn, $userfilter, $prop_userhome); 172 | return true; 173 | } 174 | 175 | public function 176 | getParams () 177 | { 178 | if ($this->host !== null && $this->basedn !== null) { 179 | return true; 180 | } 181 | if (($fp = fopen(self::CONFIG_FILE, 'r')) === false) { 182 | return false; 183 | } 184 | while (($line = fgets($fp)) !== false) { 185 | if ($this->host === null) { 186 | if (preg_match('/^[Hh][Oo][Ss][Tt]\s+(\S*)\s*$/', $line, $matches) && isset($matches[1])) { 187 | $this->host = $matches[1]; 188 | } 189 | } 190 | if ($this->basedn === null) { 191 | if (preg_match('/^[Bb][Aa][Ss][Ee]\s+(\S*)\s*$/', $line, $matches) && isset($matches[1])) { 192 | $this->basedn = $matches[1]; 193 | } 194 | } 195 | if ($this->host !== null && $this->basedn !== null) { 196 | fclose($fp); 197 | return true; 198 | } 199 | } 200 | fclose($fp); 201 | return false; 202 | } 203 | 204 | private function 205 | groupSearch ($user, $groups) 206 | { 207 | // For Fastbind: 208 | if ($groups === null) { 209 | return true; 210 | } 211 | $searchdn = sprintf('ou=Groups,%s', $this->escape($this->basedn)); 212 | $filter = sprintf('(&(memberUid=%s)(objectclass=posixGroup)%s)', $this->escape($user), $this->groupCNs($groups)); 213 | 214 | if (($result = ldap_search($this->conn, $searchdn, $filter, array('memberUid'), 1)) === false) { 215 | return false; 216 | } 217 | return (ldap_first_entry($this->conn, $result) !== false); 218 | } 219 | 220 | private function 221 | userhomeSearch ($user, $searchdn, $filter, $prop_userhome) 222 | { 223 | if ($prop_userhome === null) { 224 | return; 225 | } 226 | // If $prop_userhome is set, try to find the given property; 227 | // e..g. if $prop_userhome is 'sambaHomePath', search for that entry: 228 | if (($result = ldap_search($this->conn, $searchdn, $filter, array($prop_userhome), 0)) === false) { 229 | return; 230 | } 231 | if (($entry = ldap_first_entry($this->conn, $result)) === false) { 232 | return; 233 | } 234 | if (($value = ldap_get_values($this->conn, $entry, $prop_userhome)) === false) { 235 | return; 236 | } 237 | if (!isset($value['count']) || $value['count'] == 0 || !isset($value[0]) || $value[0] === '') { 238 | return; 239 | } 240 | $this->userhome = $value[0]; 241 | } 242 | 243 | public function 244 | groupCNs ($groups) 245 | { 246 | // For Fastbind: 247 | if (is_string($groups)) { 248 | return sprintf('(cn=%s)', $this->escape($groups)); 249 | } 250 | $esc = array(); 251 | foreach ($groups as $group) { 252 | array_push($esc, sprintf('(cn=%s)', $this->escape($group))); 253 | } 254 | return '(|'.implode($esc).')'; 255 | } 256 | 257 | private function 258 | escape ($str) 259 | { 260 | $bad = array('\\', '*', '(', ')', chr(0)); 261 | $esc = array(); 262 | foreach ($bad as $val) { 263 | $esc[] = sprintf('\\%02x', ord($val)); 264 | } 265 | return str_replace($bad, $esc, $str); 266 | } 267 | } 268 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/SMB.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | class SMB 23 | { 24 | const STATUS_OK = 0; 25 | const STATUS_NOTFOUND = 1; 26 | const STATUS_UNAUTHENTICATED = 2; 27 | const STATUS_INVALID_NAME = 3; 28 | const STATUS_SMBCLIENT_ERROR = 4; 29 | 30 | private $auth; 31 | private $config; 32 | private $log; 33 | 34 | public function 35 | __construct ($auth, $config, $log) 36 | { 37 | $this->auth = $auth; 38 | $this->config = $config; 39 | $this->log = $log; 40 | } 41 | 42 | public function 43 | getShares ($uri, $proc = null) 44 | { 45 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 46 | $args = sprintf('--grepable --list %s', escapeshellarg($uri->uriServer())); 47 | 48 | if (is_null($proc)) { 49 | $proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 50 | } 51 | if ($proc->open($args, false) === false) { 52 | return self::STATUS_SMBCLIENT_ERROR; 53 | } 54 | $parser = new \SambaDAV\SMBClient\Parser($proc); 55 | return $parser->getShares(); 56 | } 57 | 58 | public function 59 | ls ($uri, $proc = null) 60 | { 61 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 62 | 63 | if ($uri->isWinSafe() === false) { 64 | return self::STATUS_INVALID_NAME; 65 | } 66 | $args = escapeshellarg($uri->uriServerShare()); 67 | $scmd = $this->makeCmd($uri->path(), 'ls'); 68 | 69 | // Allow injection of a proc object for testing: 70 | if (is_null($proc)) { 71 | $proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 72 | } 73 | if ($proc->open($args, $scmd) === false) { 74 | return self::STATUS_SMBCLIENT_ERROR; 75 | } 76 | $parser = new \SambaDAV\SMBClient\Parser($proc); 77 | return $parser->getListing(); 78 | } 79 | 80 | public function 81 | du ($uri, $proc = null) 82 | { 83 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 84 | 85 | $args = escapeshellarg($uri->uriServerShare()); 86 | $scmd = $this->makeCmd($uri->path(), 'du'); 87 | 88 | if (is_null($proc)) { 89 | $proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 90 | } 91 | if ($proc->open($args, $scmd) === false) { 92 | return self::STATUS_SMBCLIENT_ERROR; 93 | } 94 | $parser = new \SambaDAV\SMBClient\Parser($proc); 95 | return $parser->getDiskUsage(); 96 | } 97 | 98 | public function 99 | get ($uri, $proc) 100 | { 101 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 102 | 103 | if ($uri->isWinSafe() === false) { 104 | return self::STATUS_INVALID_NAME; 105 | } 106 | $args = escapeshellarg($uri->uriServerShare()); 107 | $scmd = $this->makeCmd($uri->parentDir(), sprintf('get "%s" /proc/self/fd/5', $uri->name())); 108 | 109 | // NB: because we want to return an open file handle, the caller needs 110 | // to supply the Process class. Otherwise the proc and the fds are 111 | // local to this function and are garbage collected upon return: 112 | if ($proc->open($args, $scmd) === false) { 113 | return self::STATUS_SMBCLIENT_ERROR; 114 | } 115 | if (is_resource($proc->fd[1])) fclose($proc->fd[1]); 116 | if (is_resource($proc->fd[2])) fclose($proc->fd[2]); 117 | if (is_resource($proc->fd[4])) fclose($proc->fd[4]); 118 | return self::STATUS_OK; 119 | } 120 | 121 | public function 122 | put ($uri, $data, &$md5, $proc = null) 123 | { 124 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 125 | 126 | if ($uri->isWinSafe() === false) { 127 | return self::STATUS_INVALID_NAME; 128 | } 129 | $args = escapeshellarg($uri->uriServerShare()); 130 | $scmd = $this->makeCmd($uri->parentDir(), sprintf('put /proc/self/fd/4 "%s"', $uri->name())); 131 | 132 | if (is_null($proc)) { 133 | $proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 134 | } 135 | if ($proc->open($args, $scmd) === false) { 136 | return self::STATUS_SMBCLIENT_ERROR; 137 | } 138 | // If an error occurs, the error message will be on stdout before we 139 | // even have a chance to upload; but otherwise there won't be anything 140 | // until we've finished uploading. We can't really use stream_select() 141 | // here to check if there's already output on stdout, because the 142 | // process probably hasn't had enough time to talk to the server. We 143 | // could use a loop to check stream_select(), but at that point you're 144 | // putting a lot of machinery in place for an exceptional event. 145 | 146 | // $data can be a string or a resource; must deal with both: 147 | if (is_resource($data)) { 148 | // Append md5summing streamfilter to input stream: 149 | $filterOutput = new MD5FilterOutput(); 150 | stream_filter_register('md5sum', '\SambaDAV\MD5Filter'); 151 | $filter = stream_filter_append($data, 'md5sum', STREAM_FILTER_READ, $filterOutput); 152 | stream_copy_to_stream($data, $proc->fd[4]); 153 | stream_filter_remove($filter); 154 | $md5 = $filterOutput->hash; 155 | } 156 | else { 157 | if (fwrite($proc->fd[4], $data) === false) { 158 | return self::STATUS_SMBCLIENT_ERROR; 159 | } 160 | $md5 = md5($data); 161 | } 162 | fclose($proc->fd[4]); 163 | $parser = new \SambaDAV\SMBClient\Parser($proc); 164 | return $parser->getStatus(); 165 | } 166 | 167 | private function 168 | cmdSimple ($uri, $path, $cmd) 169 | { 170 | // A helper function that sends a simple (silent) 171 | // command to smbclient and reports the result status. 172 | 173 | $this->log->trace("%s: '%s' '%s'\n", __METHOD__, $cmd, $path); 174 | 175 | if ($uri->isWinSafe() === false) { 176 | return self::STATUS_INVALID_NAME; 177 | } 178 | $args = escapeshellarg($uri->uriServerShare()); 179 | $scmd = $this->makeCmd($path, $cmd); 180 | $proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 181 | 182 | if ($proc->open($args, $scmd) === false) { 183 | return self::STATUS_SMBCLIENT_ERROR; 184 | } 185 | $parser = new \SambaDAV\SMBClient\Parser($proc); 186 | return $parser->getStatus(); 187 | } 188 | 189 | private function 190 | makeCmd ($path, $cmd) 191 | { 192 | // First cd to the path, then run the command. 193 | // There's a reason we create a two-part command with a 'cd' to reach 194 | // the destination directory instead of using the more obvious 195 | // '--directory' switch. This method allows arbitrarily long directory 196 | // names, does not leak the directory information to the process table, 197 | // and avoids the pitfalls associated with shell escaping. The code 198 | // paths taken internally by smbclient are virtually identical anyway. 199 | 200 | return sprintf("cd \"%s\"\n%s", $path, $cmd); 201 | } 202 | 203 | public function 204 | rm ($uri) 205 | { 206 | // $uri is the URI of the file to remove: 207 | return $this->cmdSimple($uri, $uri->parentDir(), 208 | sprintf('rm "%s"', $uri->name())); 209 | } 210 | 211 | public function 212 | rename ($uri, $newname) 213 | { 214 | // $uri is the URI of the file or dir to rename: 215 | $newuri = clone $uri; 216 | $newuri->rename($newname); 217 | if ($newuri->isWinSafe() === false) { 218 | return self::STATUS_INVALID_NAME; 219 | } 220 | return $this->cmdSimple($uri, $uri->parentDir(), 221 | sprintf('rename "%s" "%s"', $uri->name(), $newname)); 222 | } 223 | 224 | public function 225 | mkdir ($uri, $dirname) 226 | { 227 | // $uri is the URI of the dir in which to make the new dir: 228 | $newuri = clone $uri; 229 | $newuri->addParts($dirname); 230 | if ($newuri->isWinSafe() === false) { 231 | return self::STATUS_INVALID_NAME; 232 | } 233 | return $this->cmdSimple($uri, $uri->path(), 234 | sprintf('mkdir "%s"', $dirname)); 235 | } 236 | 237 | public function 238 | rmdir ($uri) 239 | { 240 | // $uri is the URI of the dir to remove: 241 | return $this->cmdSimple($uri, $uri->parentDir(), 242 | sprintf('rmdir "%s"', $uri->name())); 243 | } 244 | 245 | public function 246 | setMode ($uri, $modeflags) 247 | { 248 | // $uri is the URI of the file to process: 249 | return $this->cmdSimple($uri, $uri->parentDir(), 250 | sprintf('setmode "%s" "%s"', $uri->name(), $modeflags)); 251 | } 252 | } 253 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/File.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | use Sabre\DAV; 23 | 24 | class File extends DAV\FSExt\File 25 | { 26 | private $etag = null; 27 | private $proc = null; // Global storage, so that this object does not go out of scope when get() returns 28 | 29 | public function 30 | __construct ($auth, $config, $log, $smb, $uri, $parent, $size, $smbflags, $mtime) 31 | { 32 | $this->auth = $auth; // Auth object 33 | $this->config = $config; // Config object 34 | $this->log = $log; // Log object 35 | $this->smb = $smb; // SMB object 36 | $this->uri = $uri; // URI object of this resource 37 | $this->flags = new Propflags($smbflags); // SMB flags 38 | $this->size = $size; // File size (bytes) 39 | $this->mtime = $mtime; // Modification time (Unix timestamp) 40 | $this->parent = $parent; // Directory object of parent 41 | } 42 | 43 | public function 44 | getName () 45 | { 46 | return $this->uri->name(); 47 | } 48 | 49 | public function 50 | setName ($name) 51 | { 52 | $this->log->trace("%s: '%s' -> '%s'\n", __METHOD__, $this->uri->uriFull(), $name); 53 | switch ($this->smb->rename($this->uri, $name)) { 54 | case SMB::STATUS_OK: 55 | $this->invalidate_parent(); 56 | $this->uri->rename($name); 57 | return true; 58 | 59 | case SMB::STATUS_NOTFOUND: $this->exc_notfound(); 60 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 61 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 62 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden(); 63 | } 64 | } 65 | 66 | public function 67 | get () 68 | { 69 | // NB: because we return a file resource, we must ensure that 70 | // the proc object stays alive after we leave this function. 71 | // So we use a global class variable to store it. 72 | // It's not pretty, but it makes real streaming possible. 73 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 74 | 75 | $this->proc = new \SambaDAV\SMBClient\Process($this->auth, $this->config, $this->log); 76 | 77 | switch ($this->smb->get($this->uri, $this->proc)) { 78 | case SMB::STATUS_OK: return $this->proc->getOutputStreamHandle(); 79 | case SMB::STATUS_NOTFOUND: $this->proc = null; $this->exc_notfound(); 80 | case SMB::STATUS_SMBCLIENT_ERROR: $this->proc = null; $this->exc_smbclient(); 81 | case SMB::STATUS_UNAUTHENTICATED: $this->proc = null; $this->exc_unauthenticated(); 82 | case SMB::STATUS_INVALID_NAME: $this->proc = null; $this->exc_forbidden(); 83 | } 84 | } 85 | 86 | public function 87 | put ($data) 88 | { 89 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 90 | switch ($this->smb->put($this->uri, $data, $md5)) { 91 | case SMB::STATUS_OK: 92 | $this->invalidate_parent(); 93 | $this->etag = ($md5 === null) ? null : "\"$md5\""; 94 | return $this->etag; 95 | 96 | case SMB::STATUS_NOTFOUND: $this->exc_notfound(); 97 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 98 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 99 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden(); 100 | } 101 | } 102 | 103 | public function 104 | putRange ($data, $offset) 105 | { 106 | // Sorry bro, smbclient is not that advanced: 107 | // Override the inherited method from the base class: 108 | $this->log->trace('EXCEPTION: putRange "'.$this->uri->uriFull()."\" not implemented\n"); 109 | throw new DAV\Exception\NotImplemented("PutRange() not available due to limitations of smbclient"); 110 | } 111 | 112 | public function 113 | getETag () 114 | { 115 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 116 | 117 | if ($this->etag !== null) { 118 | return $this->etag; 119 | } 120 | // Don't bother if the file is too large: 121 | if (isset($this->config->etag_size_limit)) { 122 | if ($this->size > $this->config->etag_size_limit) { 123 | return null; 124 | } 125 | } 126 | // Create a process in $this->proc, use its read fd: 127 | if (!is_resource($fd = $this->get())) { 128 | return $this->proc = null; 129 | } 130 | // Get the eTag by streaming the file and inserting an md5 streamfilter: 131 | $filterOutput = new MD5FilterOutput(); 132 | stream_filter_register('md5sum', '\SambaDAV\MD5Filter'); 133 | $filter = stream_filter_append($fd, 'md5sum', STREAM_FILTER_READ, $filterOutput); 134 | while (fread($fd, 5000000)); 135 | stream_filter_remove($filter); 136 | $this->proc = null; 137 | $this->etag = sprintf('"%s"', $filterOutput->hash); 138 | return $this->etag; 139 | } 140 | 141 | public function 142 | getContentType () 143 | { 144 | return null; 145 | } 146 | 147 | public function 148 | getSize () 149 | { 150 | return $this->size; 151 | } 152 | 153 | public function 154 | getLastModified () 155 | { 156 | return $this->mtime; 157 | } 158 | 159 | public function 160 | getIsHidden () 161 | { 162 | return $this->flags->get('H'); 163 | } 164 | 165 | public function 166 | getIsReadonly () 167 | { 168 | return $this->flags->get('R'); 169 | } 170 | 171 | public function 172 | getWin32Props () 173 | { 174 | return $this->flags->toWin32(); 175 | } 176 | 177 | public function 178 | updateProperties ($mutations) 179 | { 180 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 181 | 182 | $new_flags = clone $this->flags; 183 | $invalidate = false; 184 | 185 | foreach ($mutations as $key => $value) { 186 | switch ($key) { 187 | case '{urn:schemas-microsoft-com:}Win32FileAttributes': 188 | // ex. '00000000', '00000020' 189 | // Decode into array of flags: 190 | $new_flags->fromWin32($value); 191 | break; 192 | 193 | case '{DAV:}ishidden': 194 | $new_flags->set('H', (bool)$value); 195 | break; 196 | 197 | case '{DAV:}isreadonly': 198 | $new_flags->set('R', (bool)$value); 199 | break; 200 | } 201 | } 202 | // ->diff() returns an array with zero, one or two strings: the 203 | // modeflags necessary to set and unset the proper flags with 204 | // smbclient's setmode command: 205 | foreach ($this->flags->diff($new_flags) as $modeflag) { 206 | switch ($this->smb->setMode($this->uri, $modeflag)) { 207 | case SMB::STATUS_OK: 208 | $invalidate = true; 209 | continue; 210 | 211 | case SMB::STATUS_NOTFOUND: $this->exc_notfound(); 212 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 213 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 214 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden(); 215 | } 216 | } 217 | if ($invalidate) { 218 | // Parent must do a new 'ls' to refresh flags: 219 | $this->invalidate_parent(); 220 | $this->flags = $new_flags; 221 | } 222 | return true; 223 | } 224 | 225 | public function 226 | delete () 227 | { 228 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 229 | switch ($this->smb->rm($this->uri)) { 230 | case SMB::STATUS_OK: 231 | $this->invalidate_parent(); 232 | return true; 233 | 234 | case SMB::STATUS_NOTFOUND: $this->exc_notfound(); 235 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 236 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 237 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden(); 238 | } 239 | } 240 | 241 | private function 242 | invalidate_parent () 243 | { 244 | if (!is_null($this->parent)) { 245 | $this->parent->cache_destroy(); 246 | } 247 | } 248 | 249 | private function 250 | exc_forbidden () 251 | { 252 | // Only one type of Forbidden error right now: invalid filename or pathname 253 | $m = 'Forbidden: invalid pathname or filename'; 254 | $this->log->warn("EXCEPTION: $m\n"); 255 | throw new DAV\Exception\Forbidden($m); 256 | } 257 | 258 | private function 259 | exc_notfound () 260 | { 261 | $m = sprintf("Not found: '%s'", $this->uri->uriFull()); 262 | $this->log->warn("EXCEPTION: $m\n"); 263 | throw new DAV\Exception\NotFound($m); 264 | } 265 | 266 | private function 267 | exc_smbclient () 268 | { 269 | $this->log->warn("EXCEPTION: '%s': smbclient error\n", $this->uri->uriFull()); 270 | throw new DAV\Exception('smbclient error'); 271 | } 272 | 273 | private function 274 | exc_unauthenticated () 275 | { 276 | $m = sprintf("'%s' not authenticated for '%s'", $this->auth->user, $this->uri->uriFull()); 277 | $this->log->warn("EXCEPTION: $m\n"); 278 | throw new DAV\Exception\NotAuthenticated($m); 279 | } 280 | } 281 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Auth.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | use Sabre\HTTP; 23 | 24 | class Auth 25 | { 26 | public $user = null; 27 | public $pass = null; 28 | public $anonymous = false; 29 | 30 | private $userhome = null; // An URI instance 31 | private $samba_username = null; 32 | private $samba_domain = null; 33 | 34 | public function 35 | __construct ($config, $log, $baseuri = '/') 36 | { 37 | $this->config = $config; 38 | $this->log = $log; 39 | $this->baseuri = $baseuri; 40 | } 41 | 42 | public function 43 | exec () 44 | { 45 | // If ANONYMOUS_ONLY is set to true in the config, don't require credentials; 46 | // also the 'logout' action makes no sense for an anonymous server: 47 | if ($this->config->anonymous_only) { 48 | $this->log->info("anonymous login accepted\n"); 49 | $this->anonymous = true; 50 | return true; 51 | } 52 | $sapi = new HTTP\Sapi(); 53 | $response = new HTTP\Response(); 54 | $request = $sapi->getRequest(); 55 | 56 | $auth = new HTTP\Auth\Basic('Web Folders', $request, $response); 57 | 58 | // If no basic auth creds set, but the variables "user" and "pass" were 59 | // posted to the page (e.g. from a/the login form), substitute those: 60 | if (!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['PHP_AUTH_PW'])) { 61 | if (isset($_POST) && isset($_POST['user']) && isset($_POST['pass'])) { 62 | $_SERVER['PHP_AUTH_USER'] = $_POST['user']; 63 | $_SERVER['PHP_AUTH_PW'] = $_POST['pass']; 64 | 65 | // HACK: dynamically change the request method to GET, because 66 | // otherwise SambaDAV will throw an exception because there is 67 | // no POST handler installed. This change causes SabreDAV to 68 | // process this request just like any other basic auth login: 69 | $_SERVER['REQUEST_METHOD'] = 'GET'; 70 | } 71 | } 72 | list($this->user, $this->pass) = $auth->getCredentials(); 73 | 74 | if ($this->user === false || $this->user === '') $this->user = null; 75 | if ($this->pass === false || $this->pass === '') $this->pass = null; 76 | 77 | if (isset($_GET['logout'])) 78 | { 79 | // If you're tagged with 'logout' but you're not passing a 80 | // username/pass, redirect to plain index: 81 | if ($this->user === null || $this->pass === null) { 82 | header("Location: {$this->baseuri}"); 83 | return false; 84 | } 85 | // Otherwise, if you're tagged with 'logout', make sure 86 | // the authentication is refused, to make the browser 87 | // flush its cache: 88 | $this->showLoginForm($auth, $response); 89 | return false; 90 | } 91 | if ($this->checkAuth() === false) { 92 | sleep(2); 93 | $this->showLoginForm($auth, $response); 94 | return false; 95 | } 96 | $this->log->info("login accepted for '%s'\n", (is_null($this->user) ? '(none)' : $this->user)); 97 | 98 | return true; 99 | } 100 | 101 | public function 102 | checkAuth () 103 | { 104 | // If we did not get all creds, check whether that's okay or not: 105 | if ($this->user === null || $this->pass === null) { 106 | if ($this->config->anonymous_allow) { 107 | $this->log->debug("allowing anonymous login\n"); 108 | $this->anonymous = true; 109 | return true; 110 | } 111 | $this->log->info("anonymous login denied by config\n"); 112 | return false; 113 | } 114 | // Check if the Samba patterns can be filled: 115 | // These are the only patterns that are not exercised during this call: 116 | if ($this->checkSambaPatterns() === false) { 117 | return false; 118 | } 119 | // Set userhome to userhome pattern if defined: 120 | if ($this->user !== null) { 121 | if (is_string($this->config->userhome_pattern)) 122 | { 123 | // Failed to fill the pattern? 124 | if (($filled = $this->fillPattern($this->config->userhome_pattern)) === false) { 125 | return false; 126 | } 127 | $this->userhome = new URI($filled); 128 | } 129 | else if (is_string($this->config->share_userhomes)) { 130 | $this->userhome = new URI($this->config->share_userhomes, $this->user); 131 | } 132 | } 133 | if ($this->checkLdap() === false) { 134 | return false; 135 | } 136 | return true; 137 | } 138 | 139 | private function 140 | checkLdap () 141 | { 142 | // Check LDAP for group membership: 143 | // $ldap_groups is sourced from config/config.inc.php: 144 | if ($this->config->ldap_auth !== true) { 145 | $this->log->debug("skipping LDAP authentication\n"); 146 | return true; 147 | } 148 | // Should we do an AD-style bind or a fast bind? 149 | $method = ($this->config->ldap_method === 'bind') 150 | ? LDAP::METHOD_BIND 151 | : LDAP::METHOD_FASTBIND; 152 | 153 | $ldap = new LDAP($method, $this->config->ldap_host, $this->config->ldap_basedn, $this->config->ldap_authdn, $this->config->ldap_authpass, $this->config->ldap_port); 154 | 155 | if (($username = $this->ldapUsername()) === false) { 156 | $this->log->info("LDAP username not found\n"); 157 | return false; 158 | } 159 | if ($ldap->verify($username, $this->pass, $this->config->ldap_groups, $this->config->share_userhome_ldap) === false) { 160 | $this->log->info("failed to verify credentials in LDAP with username '%s'\n", $username); 161 | return false; 162 | } 163 | if ($ldap->userhome !== null) { 164 | $this->userhome = new URI($ldap->userhome); 165 | $this->log->debug("LDAP userhome found: '%s'\n", $this->userhome); 166 | } 167 | return true; 168 | } 169 | 170 | public function 171 | checkSambaPatterns () 172 | { 173 | $this->samba_username = $this->user; 174 | $this->samba_domain = null; 175 | 176 | // Check if the Samba username pattern, if given, can be satisfied: 177 | if (is_string($this->config->samba_username_pattern)) { 178 | if (($filled = $this->fillPattern($this->config->samba_username_pattern)) === false) { 179 | $this->log->info("failed to fill Samba username pattern\n"); 180 | return false; 181 | } 182 | $this->samba_username = $filled; 183 | } 184 | if (is_string($this->config->samba_domain_pattern)) { 185 | if (($filled = $this->fillPattern($this->config->samba_domain_pattern)) === false) { 186 | $this->log->info("failed to fill Samba domain pattern\n"); 187 | return false; 188 | } 189 | $this->samba_domain = $filled; 190 | } 191 | return true; 192 | } 193 | 194 | private function 195 | showLoginForm ($auth, $response) 196 | { 197 | $auth->requireLogin(); 198 | $loginForm = new LoginForm($this->baseuri); 199 | $response->setBody($loginForm->getBody()); 200 | HTTP\Sapi::sendResponse($response); 201 | } 202 | 203 | public function 204 | ldapUsername () 205 | { 206 | if (is_string($this->config->ldap_username_pattern)) { 207 | return $this->fillPattern($this->config->ldap_username_pattern); 208 | } 209 | return $this->user; 210 | } 211 | 212 | public function 213 | sambaUsername () 214 | { 215 | return $this->samba_username; 216 | } 217 | 218 | public function 219 | sambaDomain () 220 | { 221 | return $this->samba_domain; 222 | } 223 | 224 | public function 225 | getUserhome () 226 | { 227 | return $this->userhome; 228 | } 229 | 230 | public function 231 | fillPattern ($pattern) 232 | { 233 | // Username can be split up as follows: 234 | // workgroup\username@domain 235 | // %w = workgroup 236 | // %u = username 237 | // %d = domain 238 | 239 | if (($slashPos = strpos($this->user, '\\')) === false) { 240 | $atPos = strpos($this->user, '@'); 241 | } 242 | else { 243 | if (($atPos = strpos(substr($this->user, $slashPos), '@')) !== false) { 244 | $atPos += $slashPos; 245 | } 246 | } 247 | $workgroup = ($slashPos === false) 248 | ? '' 249 | : substr($this->user, 0, $slashPos); 250 | 251 | $userStart = ($slashPos === false) ? 0 : $slashPos + 1; 252 | $userEnd = ($atPos === false) ? strlen($this->user) - 1 : $atPos - 1; 253 | 254 | $username = substr($this->user, $userStart, $userEnd - $userStart + 1); 255 | 256 | $domain = ($atPos === false) 257 | ? '' 258 | : substr($this->user, $atPos + 1); 259 | 260 | $subst = array 261 | ( '%w' => $workgroup 262 | , '%u' => $username 263 | , '%d' => $domain 264 | ) ; 265 | 266 | // Check if all the placeholders specified in the string are 267 | // available, else return false: 268 | foreach ($subst as $repl => $str) { 269 | if (strpos($pattern, $repl) === false) { 270 | continue; 271 | } 272 | if ($str === '') { 273 | $this->log->debug("pattern '%s' could not be filled\n", $repl); 274 | return false; 275 | } 276 | } 277 | return str_replace(array_keys($subst), array_values($subst), $pattern); 278 | } 279 | } 280 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/BrowserPlugin.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | use Sabre\DAV, 23 | Sabre\HTTP\URLUtil, 24 | Sabre\HTTP\RequestInterface, 25 | Sabre\HTTP\ResponseInterface; 26 | 27 | class BrowserPlugin extends DAV\Browser\Plugin 28 | { 29 | 30 | public function 31 | __construct ($config) 32 | { 33 | parent::__construct(); 34 | $this->config = $config; 35 | } 36 | 37 | public function 38 | initialize(DAV\Server $server) 39 | { 40 | parent::initialize($server); 41 | $this->server = $server; 42 | if ($this->enablePost) $this->server->on('method:POST', [$this,'httpPOSTExtra']); 43 | } 44 | 45 | 46 | /** 47 | * Handles POST requests for tree operations not handled in the SabreDAV parent clas 48 | * 49 | * @param RequestInterface $request 50 | * @param ResponseInterface $response 51 | * @return bool 52 | */ 53 | public function 54 | httpPOSTExtra(RequestInterface $request, ResponseInterface $response) 55 | { 56 | 57 | $contentType = $request->getHeader('Content-Type'); 58 | list($contentType) = explode(';', $contentType); 59 | if ($contentType !== 'application/x-www-form-urlencoded' && 60 | $contentType !== 'multipart/form-data') { 61 | return; 62 | } 63 | 64 | $postVars = $request->getPostData(); 65 | 66 | if (!isset($postVars['sabreActionExtra'])) 67 | return; 68 | 69 | $uri = $request->getPath(); 70 | 71 | switch($postVars['sabreActionExtra']) { 72 | case 'del': 73 | if (isset($postVars['path'])) { 74 | // Using basename() because we won't allow slashes 75 | list(, $Name) = \Sabre\HTTP\URLUtil::splitPath(trim($postVars['path'])); 76 | if(!empty($Name) && $this->config->browserplugin_enable_delete === true) { 77 | $this->server->tree->delete($uri . '/' . $Name); 78 | } 79 | } 80 | break; 81 | } 82 | 83 | $response->setHeader('Location', $request->getUrl()); 84 | $response->setStatus(302); 85 | return false; 86 | } 87 | 88 | public function 89 | generateDirectoryIndex ($path) 90 | { 91 | $version = (DAV\Server::$exposeVersion) 92 | ? DAV\Version::VERSION 93 | : ''; 94 | 95 | $node = $this->server->tree->getNodeForPath($path); 96 | 97 | $html = << 99 | 100 | 101 | 102 | Index for {$this->escapeHTML($path)}/ - SambaDAV 103 | 104 | 105 | 106 | 107 | 108 | HTML; 109 | if ($this->config->anonymous_only === false) { 110 | $html .= " 111 |

switch user (logout)

"; 112 | } 113 | 114 | $html .= <<{$this->escapeHTML($node->uri->uriFull())} 116 | 117 | 118 | 119 | HTML; 120 | $output = ''; 121 | if ($this->enablePost) { 122 | $this->server->emit('onHTMLActionsPanel', [$node, &$output]); 123 | } 124 | if ($output) { 125 | $html .= $output; 126 | } 127 | $html .= << 129 |
130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | HTML; 146 | if ($this->config->browserplugin_enable_delete === true) { $html .= ""; } 147 | $html .= << 149 | 150 | 151 | 152 | HTML; 153 | 154 | // If path is empty, there is no parent: 155 | if ($path) { 156 | list($parentUri) = URLUtil::splitPath($path); 157 | $fullPath = URLUtil::encodePath($this->server->getBaseUri() . $parentUri); 158 | $html .= << 160 | 161 | 162 | 163 | 164 | 165 | HTML; 166 | if ($this->config->browserplugin_enable_delete === true) { $html .= ""; } 167 | $html .= << 169 | 170 | HTML; 171 | } 172 | if ($node instanceof DAV\ICollection) { 173 | $subNodes = $this->server->getPropertiesForChildren($path, [ 174 | '{DAV:}displayname', 175 | '{DAV:}resourcetype', 176 | '{DAV:}getcontenttype', 177 | '{DAV:}getcontentlength', 178 | '{DAV:}getlastmodified', 179 | ]); 180 | foreach ($subNodes as $subPath => $subProps) 181 | { 182 | $subNode = $this->server->tree->getNodeForPath($subPath); 183 | $fullPath = URLUtil::encodePath($this->server->getBaseUri() . $subPath); 184 | list(, $displayPath) = URLUtil::splitPath($subPath); 185 | 186 | $subNodes[$subPath]['subNode'] = $subNode; 187 | $subNodes[$subPath]['fullPath'] = $fullPath; 188 | $subNodes[$subPath]['displayPath'] = $displayPath; 189 | } 190 | uasort($subNodes, [$this, 'compareNodes']); 191 | 192 | foreach ($subNodes as $subProps) 193 | { 194 | $size = (isset($subProps['{DAV:}getcontentlength'])) 195 | ? $subProps['{DAV:}getcontentlength'] 196 | : ''; 197 | 198 | $lastmodified = (isset($subProps['{DAV:}getlastmodified'])) 199 | ? $subProps['{DAV:}getlastmodified']->getTime()->format('F j, Y, H:i:s') 200 | : ''; 201 | 202 | $fullPath_decoded = URLUtil::decodePath($subProps['fullPath']); 203 | $fullPath = $this->escapeHTML($subProps['fullPath']); 204 | 205 | if (isset($subProps['{DAV:}resourcetype']) && in_array('{DAV:}collection', $subProps['{DAV:}resourcetype']->getValue())) { 206 | $trclass = 'class="dir"'; 207 | $icon = 'dir.png'; 208 | $type = 'Directory'; 209 | } 210 | else { 211 | $trclass = 'class="file"'; 212 | $icon = 'file.png'; 213 | $type = (isset($subProps['{DAV:}getcontenttype'])) 214 | ? $subProps['{DAV:}getcontenttype'] 215 | : 'Unknown'; 216 | } 217 | $html .= " \n"; 218 | $html .= " \n"; 219 | $html .= " \n"; 220 | $html .= " \n"; 221 | $html .= " \n"; 222 | $html .= " \n"; 223 | 224 | if ($this->config->browserplugin_enable_delete === true) { 225 | $html .= " \n"; 232 | } 233 | $html .= " \n"; 234 | } 235 | } 236 | $html .= << 238 |
NameTypeSizeLast modifiedDelete
Parent..[parent]
server->getBaseUri()}$icon\" alt=\"\"/>{$subProps['displayPath']}$type$size$lastmodified\n"; 226 | $html .= "
\n"; 227 | $html .= " \n"; 228 | $html .= " \n"; 229 | $html .= " \n"; 230 | $html .= "
\n"; 231 | $html .= "
239 |
Generated by SabreDAV $version
240 | 241 | 242 | HTML; 243 | 244 | $this->server->httpResponse->setHeader('Content-Security-Policy', "img-src 'self'; style-src 'self';"); 245 | 246 | return $html; 247 | } 248 | 249 | public function 250 | htmlActionsPanel (DAV\INode $node, &$output) 251 | { 252 | if (!$node instanceof DAV\ICollection) { 253 | return; 254 | } 255 | 256 | $output .= <<
258 |

New folder

259 | 260 | 261 | 262 |
263 | 264 |
265 |

Upload file

266 | 267 | 268 | 269 | 270 | 271 |
272 | HTML; 273 | 274 | } 275 | 276 | } 277 | -------------------------------------------------------------------------------- /src/lib/SambaDAV/Directory.php: -------------------------------------------------------------------------------- 1 | . 17 | # 18 | # Project page: 19 | 20 | namespace SambaDAV; 21 | 22 | use Sabre\DAV; 23 | 24 | class Directory extends DAV\FSExt\Directory 25 | { 26 | private $entries = null; 27 | private $userhome = null; 28 | 29 | public function 30 | __construct ($auth, $config, $cache, $log, $smb, URI $uri, $parent, $smbflags, $mtime) 31 | { 32 | $this->uri = $uri; 33 | $this->auth = $auth; 34 | $this->flags = new Propflags($smbflags); 35 | $this->mtime = $mtime; 36 | $this->parent = $parent; 37 | $this->config = $config; 38 | $this->cache = $cache; 39 | $this->log = $log; 40 | $this->smb = $smb; 41 | } 42 | 43 | public function 44 | getChildren () 45 | { 46 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 47 | 48 | $children = array(); 49 | 50 | // If in root folder, show master shares list: 51 | if ($this->uri->isGlobalRoot()) { 52 | foreach ($this->global_root_entries() as $entry) { 53 | $children[] = new Directory($this->auth, $this->config, $this->cache, $this->log, $this->smb, new URI($entry[0], $entry[1]), $this, 'D', null); 54 | } 55 | return $children; 56 | } 57 | // If in root folder for given server, fetch all allowed shares for that server: 58 | if ($this->uri->isServerRoot()) { 59 | foreach ($this->server_root_entries() as $entry) { 60 | $uri = clone $this->uri; 61 | $uri->addParts($entry); 62 | $children[] = new Directory($this->auth, $this->config, $this->cache, $this->log, $this->smb, $uri, $this, 'D', null); 63 | } 64 | return $children; 65 | } 66 | // Else, open share, produce listing: 67 | if (is_null($this->entries)) { 68 | $this->get_entries(); 69 | } 70 | if (is_array($this->entries)) { 71 | foreach ($this->entries as $entry) { 72 | if ($entry['name'] === '..' || $entry['name'] === '.') { 73 | continue; 74 | } 75 | $children[] = $this->getChild($entry['name']); 76 | } 77 | } 78 | return $children; 79 | } 80 | 81 | public function 82 | getChild ($name) 83 | { 84 | $this->log->trace("%s: '%s' '%s'\n", __METHOD__, $this->uri->uriFull(), $name); 85 | 86 | // Are we a folder in the root dir? 87 | if ($this->uri->isGlobalRoot()) { 88 | foreach ($this->global_root_entries() as $displayname => $entry) { 89 | if ($name === $displayname) { 90 | return new Directory($this->auth, $this->config, $this->cache, $this->log, $this->smb, new URI($entry[0], $entry[1]), $this, 'D', null); 91 | } 92 | } 93 | $this->exc_notfound($name); 94 | return false; 95 | } 96 | // We have a server, but do we have a share? 97 | if ($this->uri->isServerRoot()) { 98 | if (in_array($name, $this->server_root_entries())) { 99 | $uri = clone $this->uri; 100 | $uri->addParts($name); 101 | return new Directory($this->auth, $this->config, $this->cache, $this->log, $this->smb, $uri, $this, 'D', null); 102 | } 103 | $this->exc_notfound($name); 104 | return false; 105 | } 106 | // We have a server and a share, get entries: 107 | if (is_null($this->entries)) { 108 | $this->get_entries(); 109 | } 110 | if (is_array($this->entries)) { 111 | foreach ($this->entries as $entry) { 112 | if ($entry['name'] !== $name) { 113 | continue; 114 | } 115 | $uri = clone $this->uri; 116 | $uri->addParts($entry['name']); 117 | 118 | if (strpos($entry['flags'], 'D') === false) { 119 | return new File($this->auth, $this->config, $this->log, $this->smb, $uri, $this, $entry['size'], $entry['flags'], $entry['mtime']); 120 | } 121 | return new Directory($this->auth, $this->config, $this->cache, $this->log, $this->smb, $uri, $this, $entry['flags'], $entry['mtime']); 122 | } 123 | } 124 | $uri = clone $this->uri; 125 | $uri->addParts($name); 126 | $this->exc_notfound($uri->uriFull()); 127 | return false; 128 | } 129 | 130 | public function 131 | createDirectory ($name) 132 | { 133 | $this->log->trace("%s: '%s' '%s'\n", __METHOD__, $this->uri->uriFull(), $name); 134 | 135 | // Cannot create directories in the root: 136 | if ($this->uri->isGlobalRoot() || $this->uri->isServerRoot()) { 137 | $this->exc_forbidden('Cannot create shares in root'); 138 | } 139 | switch ($this->smb->mkdir($this->uri, $name)) { 140 | case SMB::STATUS_OK: 141 | // Invalidate entries cache: 142 | $this->cache_destroy(); 143 | return true; 144 | 145 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 146 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 147 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 148 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden('invalid pathname or filename'); 149 | } 150 | } 151 | 152 | public function 153 | createFile ($name, $data = null) 154 | { 155 | $uri = clone $this->uri; 156 | $uri->addParts($name); 157 | 158 | $this->log->trace("%s: '%s'\n", __METHOD__, $uri->uriFull()); 159 | 160 | if ($this->uri->isGlobalRoot()) { 161 | $this->exc_forbidden('Cannot create files in global root'); 162 | } 163 | if ($this->uri->isServerRoot()) { 164 | $this->exc_forbidden('Cannot create files in server root'); 165 | } 166 | switch ($this->smb->put($uri, $data, $md5)) { 167 | case SMB::STATUS_OK: 168 | // Invalidate entries cache: 169 | $this->cache_destroy(); 170 | return ($md5 === null) ? null : "\"$md5\""; 171 | 172 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 173 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 174 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 175 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden('invalid pathname or filename'); 176 | } 177 | } 178 | 179 | public function 180 | childExists ($name) 181 | { 182 | // Are we the global root? 183 | if ($this->uri->isGlobalRoot()) { 184 | foreach ($this->global_root_entries() as $displayname => $entry) { 185 | if ($name === $displayname) { 186 | return true; 187 | } 188 | } 189 | return false; 190 | } 191 | // Are we a server root? 192 | if ($this->uri->isServerRoot()) { 193 | return (in_array($name, $this->server_root_entries())); 194 | } 195 | if (is_null($this->entries)) { 196 | $this->get_entries(); 197 | } 198 | if (is_array($this->entries)) { 199 | foreach ($this->entries as $entry) { 200 | if ($name === $entry['name']) { 201 | return true; 202 | } 203 | } 204 | } 205 | return false; 206 | } 207 | 208 | public function 209 | getName () 210 | { 211 | return $this->uri->name(); 212 | } 213 | 214 | public function 215 | setName ($name) 216 | { 217 | $this->log->trace("%s: '%s' -> '%s'\n", __METHOD__, $this->uri->uriFull(), $name); 218 | 219 | if ($this->uri->isGlobalRoot() || $this->uri->isServerRoot()) { 220 | $this->exc_forbidden('cannot rename root folders'); 221 | } 222 | switch ($this->smb->rename($this->uri, $name)) { 223 | case SMB::STATUS_OK: 224 | $this->cache_destroy(); 225 | $this->invalidate_parent(); 226 | $this->uri->rename($name); 227 | return true; 228 | 229 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 230 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 231 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 232 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden('invalid pathname or filename'); 233 | } 234 | } 235 | 236 | public function 237 | getLastModified () 238 | { 239 | return $this->mtime; 240 | } 241 | 242 | public function 243 | getIsHidden () 244 | { 245 | return $this->flags->get('H'); 246 | } 247 | 248 | public function 249 | getIsReadonly () 250 | { 251 | return $this->flags->get('R'); 252 | } 253 | 254 | public function 255 | getWin32Props () 256 | { 257 | return $this->flags->toWin32(); 258 | } 259 | 260 | public function 261 | getQuotaInfo () 262 | { 263 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 264 | 265 | // NB: Windows 7 uses/needs this method. Must return array. 266 | // We refuse to do the actual lookup, because: 267 | // - smbclient `du` can only give us per-share numbers, not 268 | // per-directory as this function requires; 269 | // - Windows 7 makes a LOT of these calls, and honoring them 270 | // slows things down enormously; 271 | // - Windows 7 appears to use a recursive ls to determine 272 | // disk usage if it can't get direct quota numbers; 273 | // - Windows 7 does not appear to actually *use* the quota 274 | // numbers for printing usage pie charts and things. 275 | static $quota = null; 276 | 277 | // Can we return a cached value? 278 | if ($quota !== null) { 279 | return $quota; 280 | } 281 | // If we're a subdir, make SabreDAV query the root: 282 | if ($this->uri->isGlobalRoot() || !$this->uri->isServerRoot()) { 283 | return ($quota = false); 284 | } 285 | // Get results from disk cache if available and fresh: 286 | $quota = $this->cache->get(array($this->smb, 'du'), array($this->uri), $this->auth, $this->uri, 20); 287 | if (is_array($quota)) { 288 | return $quota; 289 | } 290 | switch ($quota) { 291 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 292 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 293 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 294 | } 295 | return false; 296 | } 297 | 298 | public function 299 | delete () 300 | { 301 | $this->log->trace("%s: '%s'\n", __METHOD__, $this->uri->uriFull()); 302 | 303 | if ($this->uri->isGlobalRoot() || $this->uri->isServerRoot()) { 304 | $this->exc_forbidden('cannot delete root folders'); 305 | } 306 | // Delete all children: 307 | foreach ($this->getChildren() as $child) { 308 | $child->delete(); 309 | } 310 | // Delete ourselves: 311 | switch ($this->smb->rmdir($this->uri)) { 312 | case SMB::STATUS_OK: 313 | $this->cache_destroy(); 314 | $this->invalidate_parent(); 315 | return true; 316 | 317 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 318 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 319 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 320 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden('invalid pathname or filename'); 321 | } 322 | } 323 | 324 | public function 325 | updateProperties ($mutations) 326 | { 327 | // Stub function, see \SambaDAV\File::updateProperties() for 328 | // more details. 329 | // By default, Sabre wants to save these properties in a file 330 | // in the root called .sabredav, but that location is not 331 | // writable in our setup. Silently ignore for now. 332 | 333 | // In \SambaDAV\File::updateProperties(), we use smbclient's 334 | // `setmode` command to set file flags. Unfortunately, that 335 | // command only appears to work for files, not directories. So 336 | // even though we know how to decipher the Win32 propstring 337 | // we're given, we have no way of setting the flags in the 338 | // backend. 339 | 340 | return true; 341 | } 342 | 343 | public function 344 | cache_destroy () 345 | { 346 | $this->cache->remove(array($this->smb, 'ls'), $this->auth, $this->uri); 347 | $this->entries = null; 348 | } 349 | 350 | public function 351 | setUserhome ($uri) 352 | { 353 | $this->userhome = $uri; 354 | } 355 | 356 | private function 357 | get_entries () 358 | { 359 | // Get listing from disk cache if available and fresh: 360 | $this->entries = $this->cache->get(array($this->smb, 'ls'), array($this->uri), $this->auth, $this->uri, 5); 361 | if (is_array($this->entries)) { 362 | return; 363 | } 364 | switch ($this->entries) { 365 | case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 366 | case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 367 | case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 368 | case SMB::STATUS_INVALID_NAME: $this->exc_forbidden('invalid pathname or filename'); 369 | } 370 | } 371 | 372 | private function 373 | invalidate_parent () 374 | { 375 | if ($this->parent !== null) { 376 | $this->parent->cache_destroy(); 377 | } 378 | } 379 | 380 | private function 381 | global_root_entries () 382 | { 383 | // structure: 384 | // $entries = array('name-of-root-folder' => array('server', 'share-on-that-server')) 385 | $entries = array(); 386 | 387 | foreach ($this->config->share_root as $entry) 388 | { 389 | $server = (isset($entry[0])) ? $entry[0] : false; 390 | $share = (isset($entry[1])) ? $entry[1] : false; 391 | 392 | if ($server === false) { 393 | continue; 394 | } 395 | if ($share !== false && $share !== null && $share !== '') { 396 | $entries[$share] = array($server, $share); 397 | continue; 398 | } 399 | // Just the server name given; autodiscover all shares on this server: 400 | if (!is_array($shares = $this->cache->get(array($this->smb, 'getShares'), array(new URI($server)), $this->auth, $this->uri, 15))) { 401 | // TODO: throw an exception? 402 | // switch ($shares) { 403 | // case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 404 | // case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 405 | // case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 406 | // } 407 | continue; 408 | } 409 | foreach ($shares as $share) { 410 | $entries[$share] = array($server, $share); 411 | } 412 | } 413 | // Servers from $shares_extra get a folder with the name of the *server*: 414 | foreach ($this->config->share_extra as $entry) { 415 | $entries[$entry[0]] = array($entry[0], false); 416 | } 417 | // The user's home directory gets a folder with the name of the *user*: 418 | if ($this->auth->anonymous === false && $this->userhome !== null) { 419 | if ($this->userhome->isServerRoot()) { 420 | $entries[$this->auth->user] = array($this->userhome->server(), $this->auth->user); 421 | } 422 | else { 423 | $entries[$this->userhome->share()] = array($this->userhome->server(), $this->userhome->share()); 424 | } 425 | } 426 | return $entries; 427 | } 428 | 429 | private function 430 | server_root_entries () 431 | { 432 | $entries = array(); 433 | 434 | // Shares in the global root belonging to this server 435 | // also show up in the server's own subdir: 436 | foreach ($this->config->share_root as $entry) { 437 | $server = (isset($entry[0])) ? $entry[0] : null; 438 | $share = (isset($entry[1])) ? $entry[1] : null; 439 | if ($server != $this->uri->server()) { 440 | continue; 441 | } 442 | if ($share === false || $share === null || $share === '') { 443 | continue; 444 | } 445 | $entries[$share] = true; 446 | } 447 | foreach ($this->config->share_extra as $entry) { 448 | $server = (isset($entry[0])) ? $entry[0] : null; 449 | $share = (isset($entry[1])) ? $entry[1] : null; 450 | if ($server != $this->uri->server()) { 451 | continue; 452 | } 453 | if ($share !== false && $share !== null && $share !== '') { 454 | $entries[$share] = true; 455 | continue; 456 | } 457 | // Only our server name given in $share_extra; 458 | // this means: autodiscover and use all the shares on this server: 459 | if (!is_array($shares = $this->cache->get(array($this->smb, 'getShares'), array($this->uri), $this->auth, $this->uri, 15))) { 460 | // TODO: throw an exception? 461 | // switch ($shares) { 462 | // case SMB::STATUS_NOTFOUND: $this->exc_notfound($this->uri->uriFull()); 463 | // case SMB::STATUS_SMBCLIENT_ERROR: $this->exc_smbclient(); 464 | // case SMB::STATUS_UNAUTHENTICATED: $this->exc_unauthenticated(); 465 | // } 466 | continue; 467 | } 468 | foreach ($shares as $share) { 469 | $entries[$share] = true; 470 | } 471 | } 472 | // User's home share is on this server? 473 | if ($this->auth->anonymous === false && $this->userhome !== null) { 474 | if ($this->userhome->server() === $this->uri->server()) { 475 | if ($this->userhome->isServerRoot() === null) { 476 | $entries[$this->auth->user] = true; 477 | } 478 | else { 479 | $entries[$this->userhome->share()] = true; 480 | } 481 | } 482 | } 483 | return array_keys($entries); 484 | } 485 | 486 | private function 487 | exc_smbclient () 488 | { 489 | $m = 'smbclient error'; 490 | $this->log->error("EXCEPTION: '%s': smbclient error\n", $this->uri->uriFull()); 491 | throw new DAV\Exception($m); 492 | } 493 | 494 | private function 495 | exc_forbidden ($msg) 496 | { 497 | $m = "Forbidden: $msg"; 498 | $this->log->warn("EXCEPTION: '%s': %s\n", $this->uri->uriFull(), $m); 499 | throw new DAV\Exception\Forbidden($m); 500 | } 501 | 502 | private function 503 | exc_notfound ($name) 504 | { 505 | $m = "Not found: \"$name\""; 506 | $this->log->warn("EXCEPTION: $m\n"); 507 | throw new DAV\Exception\NotFound($m); 508 | } 509 | 510 | private function 511 | exc_unauthenticated () 512 | { 513 | $m = sprintf("'%s' not authenticated for '%s'", $this->auth->user, $this->uri->uriFull()); 514 | $this->log->warn("EXCEPTION: $m\n"); 515 | throw new DAV\Exception\NotAuthenticated($m); 516 | } 517 | 518 | private function 519 | exc_notimplemented ($msg) 520 | { 521 | $m = "Not implemented: $msg"; 522 | $this->log->warn("EXCEPTION: '%s': %s\n", $this->uri->uriFull(), $m); 523 | throw new DAV\Exception\NotImplemented($m); 524 | } 525 | } 526 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | **Note:** There are now many enterprise-grade 2 | solutions available, like [Nextcloud](https://nextcloud.com/). Therefor 3 | this repository is no longer maintained. 4 | 5 | ![SambaDAV](https://raw.github.com/1afa/sambadav/master/img/png/logo.png) 6 | 7 | # SambaDAV 8 | 9 | SambaDAV is an SMB-to-WebDAV bridge, written in PHP and running as a web 10 | application on Linux servers. It acts as the glue between Windows Samba/CIFS 11 | filesharing and WebDAV internet file access, to provide: 12 | 13 | - Secure, worldwide access to your shares and files through any web browser. 14 | Upload and download files over nothing more than standard HTTPS without the 15 | need to setup a VPN. 16 | 17 | - Access to your remote shares directly on your computer as network drives. 18 | Open and edit your files and shares as if they were on a local network drive, 19 | from any location and with any device that supports WebDAV. 20 | 21 | SambaDAV provides the advantages of the cloud (access to your files from 22 | anywhere), while leaving control over your data and your security entirely with 23 | you. You can host your Windows network shares as your own "private cloud" over 24 | standard and secure HTTPS. 25 | 26 | Release tarballs can be downloaded [here](https://github.com/1afa/sambadav/releases). 27 | 28 | After installing and configuring SambaDAV, a WebDAV-aware service listens for 29 | requests at an entrypoint URL such as `https://www.example.com/webfolders`. If 30 | you visit this URL in a browser, you get a password box where you enter your 31 | username and password. This will open a web page with a directory and file 32 | listing. You can walk through the file tree, create directories, and download 33 | or upload files. 34 | 35 | As useful as this is, the real power of SambaDAV is in its WebDAV support. If 36 | you enter the entrypoint URL into Windows' "Map Network Drive" dialog, or Mac 37 | OS X's "connect to server" dialog, you can mount your shares as a fully 38 | functional network disk with its own drive letter. Fully functional here means 39 | that you can edit, copy, move, delete and rename files and directories just 40 | like they were on a local network share. All this over simple HTTPS and without 41 | setting up a VPN. 42 | 43 | [![Build Status](https://travis-ci.org/1afa/sambadav.svg)](https://travis-ci.org/1afa/sambadav) 44 | 45 | ## How does it work? 46 | 47 | In the background, SambaDAV executes SMB commands on the user's behalf through 48 | `smbclient`, a commandline utility distributed with 49 | [Samba](http://www.samba.org), to issue requests to SMB/CIFS (i.e. Windows) 50 | fileservers. Currently, only Samba 3.x is supported; the version of `smbclient` 51 | bundled with Samba 4.x was completely rewritten and supports a different range 52 | of options. 53 | 54 | When the user requests a file, SambaDAV will spawn an `smbclient` child process 55 | to retrieve the file and pass it through to the user as a bytestream. User 56 | authentication and all the actual Samba calls are handled by `smbclient` just 57 | as if the request was done on the command line. The resulting output (or 58 | bytestream) is parsed by SambaDAV to a WebDAV response (such as "here's the 59 | file", "file not found", or "could not authenticate") and sent back to the 60 | user. The WebDAV protocol is handled by 61 | [SabreDAV](http://sabre.io/dav), a WebDAV server library written in PHP. 62 | 63 | SambaDAV is glue code, which: 64 | 65 | - translates WebDAV requests to `smbclient` calls; 66 | 67 | - runs `smbclient` on behalf of the user; 68 | 69 | - captures and parsing the output, and: 70 | 71 | - sends the output back as a WebDAV response. 72 | 73 | This may seem like a bit of a hack, but it's actually remarkably reliable, 74 | resilient and performant for what it is. Some features: 75 | 76 | - File uploading/downloading is all fully streaming through the use of PHP 77 | streams and Unix pipes. No temporary files are created on the server. In 78 | practice you can read and write gigabyte-sized files at many tens of 79 | megabytes per second. 80 | 81 | - Supports UTF-8 filenames. 82 | 83 | - Supports read-only and hidden attribute flags. 84 | 85 | - Supports Windows XP (but you'll need a valid SSL certificate and some 86 | registry hacks, see elsewhere). 87 | 88 | - Robust decoding of the `smbclient` output (as buttoned-down and mistrusting 89 | as possible, using hints derived from the `smbclient` source code). 90 | 91 | - Caches lookups and responses in memory (using a filesystem-based cache in 92 | /dev/shm, shared memory) and properly invalidates the cache when a resource 93 | changes. 94 | 95 | - Supports multiple servers, multiple shares, and dynamic userhomes based on 96 | the username or the value of an LDAP property. 97 | 98 | - Supports anonymous (guest) logins if you enable it. 99 | 100 | - Passes the username and password to `smbclient` through an unnamed pipe (an 101 | anonymous file descriptor), which makes this sensitive data fairly hard to 102 | intercept (and invisible in the process table). 103 | 104 | - Supports group-based LDAP authentication as an cheap extra authentication 105 | check before making expensive calls to `smbclient`. 106 | 107 | 108 | ## History and provenance 109 | 110 | SambaDAV was originally written by [Bokxing IT BV](http://www.bokxing-it.nl), 111 | Delft, the Netherlands, to supplement a line of SME servers. It was released 112 | because this software was found useful and fills a need, and to give something 113 | back to the open-source community. There are other projects that offer something 114 | similar, such as [Davenport](http://davenport.sourceforge.net) and smbwebclient.php, 115 | but SambaDAV was written because those projects show their age and did not fit our 116 | needs. 117 | 118 | At the start of 2015 the project was transferred to the company developing the 119 | aforementioned line of SME servers, [1A First Alternative](http://www.1afa.com). 120 | 121 | ## License 122 | 123 | SambaDAV is licensed under the terms of the GNU Affero GPL version 3. Please 124 | refer to the 125 | [LICENSE](https://github.com/1afa/sambadav/blob/master/LICENSE) file in 126 | the project root. Please contact the authors if you have any licensing 127 | questions or requests. 128 | 129 | 130 | ## Installation 131 | 132 | SambaDAV only works on Linux servers, since among other things, it uses the 133 | Unix concept of unnamed pipes to communicate with and control `smbclient`. 134 | 135 | We assume you have installed and configured your Samba server, and can do 136 | commandline lookups with `smbclient`: 137 | 138 | ```sh 139 | # This should print a list of shares on your Samba server: 140 | smbclient -N -L //yourserver 141 | ``` 142 | 143 | Download a SambaDAV release tarball 144 | [here](https://github.com/1afa/sambadav/releases). Unpack it in some 145 | directory, we'll assume `/tmp` for convenience: 146 | 147 | ```sh 148 | cd /tmp 149 | tar xvf /path/to/sambadav-version.tar.gz 150 | ``` 151 | 152 | Copy the application source to a directory on on the web server. We'll assume 153 | that the application directory is `/var/www/htdocs/webfolders`: 154 | 155 | ```sh 156 | cp -ar /tmp/sambadav-version/src /var/www/htdocs/webfolders 157 | ``` 158 | 159 | Install [SabreDAV](http://sabre.io/dav) using [Composer](http://getcomposer.org): 160 | 161 | ```sh 162 | cd /var/www/htdocs/webfolders 163 | composer --optimize-autoloader install 164 | ``` 165 | 166 | The following directories should be made writable for the webserver: 167 | 168 | - `log`: tracelogs are written here; 169 | - `data`: the place where SabreDAV keeps lockfiles. 170 | 171 | If your webserver runs as the user `apache`: 172 | 173 | ```sh 174 | chown apache:root /var/www/htdocs/webfolders/{log,data} 175 | chmod 0750 /var/www/htdocs/webfolders/{log,data} 176 | ``` 177 | 178 | At this point all the files are in the right place, all that's left is 179 | to configure the webserver and SambaDAV. 180 | 181 | 182 | ## Webserver configuration 183 | 184 | We assume that you're running your web server on the standard port 443 (because 185 | you're using SSL!) and want to serve SambaDAV from a subdirectory. In the 186 | browser, SambaDAV will be available via `https://example.com/webfolders`. For 187 | native WebDAV clients we'll do one better and allow them to connect straight to 188 | `http://example.com/`, by redirecting them in two steps to the proper location. 189 | This is more than just fancy: it's the only way the internal Windows XP WebDAV 190 | client will connect to a subfolder over SSL at all. 191 | 192 | The webserver configuration is fairly involved because we want to support as 193 | wide a range of clients as possible. Support for Windows XP's built-in WebDAV 194 | client in particular is tricky to set up. The Windows XP client always connects 195 | to the root of the domain at port 80. In order to get it to use SSL at port 443 196 | and use `/webfolders`, we must take the following steps: 197 | 198 | 1. Detect that a Windows XP client is trying to connect to port 80 at the 199 | root of the domain by sniffing the user agent string; 200 | 201 | 2. In the Apache config for the server at port 80, add a rewrite rule to send 202 | the Windows XP client to the same location but at port 443, using a 302 203 | Redirect response which the Windows XP client will honor while upgrading 204 | to SSL; 205 | 206 | 3. In the Apache config for the server at port 443, add a second set of rewrite 207 | rules that match only the Windows XP client and transparently proxy a 208 | request of the form `/`, to `/webfolders/` internally 209 | without telling the client. 210 | 211 | After these three steps, connecting with the Windows XP WebDAV client to 212 | `http://www.example.com/` will properly redirect to 213 | `https://www.example.com/webfolders/`. 214 | 215 | Because this trick is convenient for everyone who uses a native WebDAV client, 216 | we've expanded the list of eligible user agents from just the Windows XP 217 | internal one to a full range. This goes in the virtual host section for your 218 | plain HTTP server on port 80: 219 | 220 | ```apache 221 | # Workaround for the builtin WinXP WebDAV client: it can only connect to the 222 | # server root (/), over plain HTTP, port 80. Fortunately, it *does* honor 302 223 | # redirect responses, and *even* upgrades to SSL if asked! So we use browser 224 | # string matching to redirect the WinXP client to the root of our SSL server, 225 | # from where it will be redirected once more to the actual location. 226 | # This enables driveletter mapping in Windows XP. 227 | # It's also useful for other clients, so we also catch the most popular ones: 228 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft-WebDAV-MiniRedir" [OR] 229 | RewriteCond %{HTTP_USER_AGENT} "^(DAV|Dav|dav)" [OR] 230 | RewriteCond %{HTTP_USER_AGENT} "^WebDAV" [OR] 231 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft Data Access Internet Publishing Provider" [OR] 232 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft Office" [OR] 233 | RewriteCond %{HTTP_USER_AGENT} "^WebDrive" [OR] 234 | RewriteCond %{HTTP_USER_AGENT} "^iWorkHTTPKit" [OR] 235 | RewriteCond %{HTTP_USER_AGENT} "^gnome-vfs" [OR] 236 | RewriteCond %{HTTP_USER_AGENT} "^Dreamweaver-WebDAV-SCM1" [OR] 237 | RewriteCond %{HTTP_USER_AGENT} "^BitKinex/" [OR] 238 | RewriteCond %{HTTP_USER_AGENT} "^cadaver/" [OR] 239 | RewriteCond %{HTTP_USER_AGENT} "^neon/" [OR] 240 | RewriteCond %{HTTP_USER_AGENT} "^Cyberduck/" [OR] 241 | RewriteCond %{HTTP_USER_AGENT} "^gvfs/" [OR] 242 | RewriteCond %{HTTP_USER_AGENT} "^Transmit" 243 | RewriteRule ^/(.*) https://%{HTTP_HOST}:443/$1 [R] 244 | 245 | # Other clients are upgraded to SSL: 246 | RewriteRule ^/webfolders(.*) https://%{HTTP_HOST}/webfolders$1 [R] 247 | ``` 248 | 249 | Since, for the sake of this manual, we are using the `/webfolders` 250 | subdirectory, we also want to transparently redirect WebDAV clients who arrive 251 | at the root of the server to `/webfolders`. Clients who reach this point always 252 | do so over SSL (since otherwise they would have been caught by the snippet 253 | above), so the following goes in the virtual host configuration for the SSL 254 | server on port 443: 255 | 256 | ```apache 257 | # Special rule for the WinXP driveletter mounter; 258 | # it will connect to the server root, and must be transparently 259 | # proxied to the actual location: 260 | # Also useful for other DAV clients: 261 | # Exception: when client requests //server/webfolders, he should not be 262 | # rewritten to /webfolders/webfolders, but end up in /webfolders. 263 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft-WebDAV-MiniRedir" [OR] 264 | RewriteCond %{HTTP_USER_AGENT} "^(DAV|Dav|dav)" [OR] 265 | RewriteCond %{HTTP_USER_AGENT} "^WebDAV" [OR] 266 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft Data Access Internet Publishing Provider" [OR] 267 | RewriteCond %{HTTP_USER_AGENT} "^Microsoft Office" [OR] 268 | RewriteCond %{HTTP_USER_AGENT} "^WebDrive" [OR] 269 | RewriteCond %{HTTP_USER_AGENT} "^iWorkHTTPKit" [OR] 270 | RewriteCond %{HTTP_USER_AGENT} "^gnome-vfs" [OR] 271 | RewriteCond %{HTTP_USER_AGENT} "^Dreamweaver-WebDAV-SCM1" [OR] 272 | RewriteCond %{HTTP_USER_AGENT} "^BitKinex/" [OR] 273 | RewriteCond %{HTTP_USER_AGENT} "^cadaver/" [OR] 274 | RewriteCond %{HTTP_USER_AGENT} "^neon/" [OR] 275 | RewriteCond %{HTTP_USER_AGENT} "^Cyberduck/" [OR] 276 | RewriteCond %{HTTP_USER_AGENT} "^gvfs/" [OR] 277 | RewriteCond %{HTTP_USER_AGENT} "^Transmit" 278 | RewriteCond %{REQUEST_URI} !^/webfolders$ 279 | RewriteCond %{REQUEST_URI} !^/webfolders/ 280 | RewriteRule ^/(.*) /webfolders/$1 [PT] 281 | 282 | RewriteRule ^/webfolders$ /webfolders/ [R] 283 | Alias /webfolders/ /var/www/htdocs/webfolders/ 284 | ``` 285 | 286 | Clients who arrive at the server root over port 80 will now be untransparently 287 | redirected to SSL over port 443, and transparently redirected from `/` to 288 | `/webfolders/`. 289 | 290 | Next comes the directory configuration. In the virtual host section of your 291 | port 443 SSL server, put something along the following lines: 292 | 293 | ```apache 294 | 295 | 296 | # As our "cloud solution", this should be available from anywhere: 297 | Order allow,deny 298 | Allow from all 299 | 300 | AddDefaultCharset utf-8 301 | AddType application/x-httpd-php php php5 302 | DirectoryIndex server.php 303 | 304 | # Reroute all requests to subdirectories, or things that are not 305 | # physical files in the root directory, through server.php, which 306 | # happens to be a physical file in the root directory and thus exempt. 307 | # This also hides physical app directories like /data and /lib 308 | # from view. 309 | RewriteEngine On 310 | RewriteBase /webfolders 311 | RewriteCond %{REQUEST_URI} ^/webfolders/.*/.*$ [OR] 312 | RewriteCond %{REQUEST_FILENAME} !-f 313 | RewriteRule ^.*$ /webfolders/server.php 314 | 315 | 316 | ``` 317 | 318 | The rewrite rules tell the server to send all requests to `server.php` that 319 | contain two or more slashes (so are guaranteed to be virtual), and those not 320 | referencing real files on disk, to `server.php` for processing. Since 321 | `server.php` is itself a real file on disk, this breaks the loop and avoids 322 | recursion. Resources such as `style.css` and `dir.png` also happen to be plain 323 | files in the SambaDAV root, and are available normally. 324 | 325 | 326 | ## SambaDAV configuration 327 | 328 | At startup, SambaDAV reads all PHP files in the `/config` directory. Each file 329 | should return an array with config keys, like so: 330 | 331 | ```php 332 | 'config_value', 336 | ); 337 | ``` 338 | 339 | The order and number of files doesn't matter as long as the right keys are set, 340 | but for convenience we supply four example config files. 341 | 342 | The main configuration file is `/config/config.inc.php`. Please refer to the 343 | comments in the file itself for more information. Some notes: 344 | 345 | - `enable_webfolders` is the "master switch" for the whole SambaDAV suite. If 346 | this variable is not available *and* does not have the explicit value of 347 | `true`, then `server.php` does an early exit with a '404 Not found' error. 348 | The idea behind this is to create a single on/off switch for SambaDAV, 349 | through which administrators can centrally enable or disable the service. 350 | 351 | - `server_basedir` is used by `server.php` to check whether the request was 352 | transparently rewritten from the root of the server. If the given URI does 353 | not start with `server_basedir`, `server.php` appends it during the setup of 354 | the SabreDAV server. 355 | 356 | - `smbclient_extra_opts` is an optional string containing extra arguments to 357 | pass to `smbclient`. For example, you can specify a nonstandard port by 358 | adding `--port 6789`. The option string is pasted verbatim and unescaped at 359 | the end of the `smbclient` invocation. 360 | 361 | - `anonymous_only` allows _only_ anonymous logins, and consequently bypasses 362 | the whole basic authentication logic, because credentials are no longer 363 | necessary. This setting is for people who allow guest access to their shares. 364 | 365 | - `anonymous_allow` means that empty usernames and passwords are not rejected 366 | as they would normally be, but converted into an anonymous (guest) request. 367 | 368 | `anonymous_allow` causes seemingly strange behaviour when visiting SambaDAV 369 | in the browser. You might expect to get a password box, but instead you find 370 | that you're always logged in automatically as the anonymous user. That 371 | happens because the password box normally only appears after an initial 372 | unauthenticated request is countered by the server's 'authentication 373 | required' response. This instructs the browser to retry with a username and 374 | password. However, if anonymous logins are permitted, the server cannot tell 375 | the difference between someone attempting a true anonymous login and someone 376 | who should be sent an 'authentication required' response. So in the browser 377 | you always become the anonymous (guest) user. 378 | 379 | With a "real" WebDAV client, you can pass a username and password in the very 380 | first request and get authenticated access that way. 381 | 382 | - `cache_use` enables the disk cache. If you set this to `false`, nothing will be 383 | cached and performance will be rather slow (everything's an expensive call to 384 | `smbclient`). Note that file contents are never cached, only metadata such as 385 | directory listings. 386 | 387 | - `cache_dir` is the directory to use for caching. The default is 388 | `/dev/shm/webfolders`, which is a directory in `/dev/shm`, a filesystem in 389 | shared memory. The cache code will create this cache directory at runtime if 390 | it doesn't exist (and set the permissons correctly), so you don't have to 391 | create the directory first. See [this section](#caching) for more. 392 | 393 | - `share_userhomes` is a bit of a misnomer, it's not a share but the name of 394 | the server on which the userhomes can be found. If this variable is not 395 | defined or is `false`, no userhome lookup is done. However, if it's set to 396 | the name of a server, then the share `//server/username` is added, where 397 | `username` is the name of the logged-in user. This userhome will appear in 398 | the SambaDAV root as a folder with the name of the logged-in user. 399 | 400 | - `share_userhome_ldap` can be set to the name of a LDAP property containing 401 | the URL for the user's home share. The value of this property must be of the 402 | form `\\server` (which is interpreted as `\\server\username` for the 403 | currently logged-in user), or `\\server\share`. For instance, if all your 404 | LDAP users have a property called `sambaHomePath`, then its value will be 405 | used for the home share. This setting overrides `share_userhomes`, and only 406 | works with LDAP authentication. 407 | 408 | The username that a user logs in with can be dissected as follows: 409 | 410 | workgroup\username@domain 411 | 412 | %w = workgroup 413 | %u = username 414 | %d = domain 415 | 416 | The `%w`, `%u` and `%d` placeholders can be used in pattern strings. The 417 | username is always available by definition, unless anonymous logins are 418 | allowed. The other two placeholders can be undefined if the user didn't enter 419 | them. If you specify a pattern that can't be filled from the user's input, the 420 | application will abort the request. Patterns can be set to `null` or left 421 | unspecified to use the default values. 422 | 423 | - `userhome_pattern` contains a pattern to use for the userhomes. Example: 424 | `'//SERVER/%u'`. Defaults to `null` (no userhome derived from a pattern). 425 | 426 | - `ldap_username_pattern` contains the pattern to use for the LDAP bind 427 | operation. Defaults to the (stripped) username for backwards compatibility. 428 | 429 | - `samba_username_pattern` and `samba_domain_pattern` contain patterns to use 430 | for logging in to `smbclient`. They default to the username and `null`, 431 | respectively. 432 | 433 | - `log_level`: set the log verbosity. Defaults to 'warn' when omitted. Can be 434 | set to the values 'none', 'error', 'warn', 'info', 'debug' or 'trace' in 435 | order of verboseness from least to most. 436 | 437 | The other two config files are: 438 | 439 | - `share_root.inc.php`: defines server/share pairs that show up in the server 440 | root under the name of the share; 441 | 442 | - `share_extra.inc.php`: defines server/share pairs that show up in the server 443 | root as a folder with the name of the server(s), containing folders named 444 | after the share(s) on that server; 445 | 446 | See the files themselves for specific examples and syntax. 447 | 448 | An example of what `share_root.inc.php` can look like: 449 | 450 | ```php 451 | array( 454 | array('server1'), 455 | array('server2','share1'), 456 | array('server2','share2'), 457 | ), 458 | ); 459 | ``` 460 | 461 | `share_root` is an array of arrays. Each child array consists of one or two 462 | strings. The first string is the name of a server, the second string is 463 | optional and is the name of a share on that server. If you don't specify a 464 | share name, SambaDAV will use a `smbclient -L` call to automatically retrieve a 465 | list of available shares on that server (which may or may not be accessible to 466 | the user). 467 | 468 | `share_root` is so called because the shares that you specify here are placed 469 | directly in the root as folders with the name of the *share*. In the example 470 | above, the root folder would have multiple subfolders: a folder for each share 471 | found on `server1`, and the folders `share1` and `share2`. 472 | 473 | `share_extra` is like `share_root`, but shares and servers that you define in 474 | that array are always placed in the SambaDAV root in a folder with the name of 475 | the *server*, containing subfolders named after the shares. 476 | 477 | ```php 478 | array( 481 | array('server5'), 482 | array('server6','share6'). 483 | ), 484 | ); 485 | ``` 486 | 487 | In the example above, this would create two folders in the root named `server5` 488 | and `server6`, with `server5` containing folders for all the autodiscovered 489 | shares on that server, and `server6` containing a single subfolder called `share6`. 490 | 491 | Further customization of the shares listing can be done by configuring Samba to 492 | produce the required list of shares. SambaDAV is kept simple on purpose. 493 | 494 | 495 | # User authentication 496 | 497 | SambaDAV supports three methods of user authentication: 498 | 499 | 1. Anonymous access only; 500 | 501 | 2. Access through HTTP Basic authentication; 502 | 503 | 3. Access through HTTP Basic authentication, with an extra check against an 504 | LDAP server to see if the user is known and is allowed to access SambaDAV. 505 | 506 | It is not possible to use Digest authentication, because SambaDAV needs the 507 | user's plaintext username and password to pass on to `smbclient`. Using Basic 508 | authentication is only secure over a HTTPS connection, so always make sure your 509 | connection is properly encrypted! 510 | 511 | SambaDAV does not have a user database of its own; it relies completely on 512 | `smbclient` to authenticate and authorize the user. SambaDAV passes through 513 | anything the user enters to `smbclient` for actual inspection. Smbclient is free 514 | to accept or reject the login attempt according to its internal processes, and 515 | SambaDAV will faithfully pass on the response. 516 | 517 | The extra check against the LDAP server was written specially for the original 518 | deployment environment, and might be too specific for general use. Since 519 | version 0.4.0, SambaDAV supports two kinds of binds: the AD kind and the 520 | regular kind, here called "fastbind". If the ldap host and basedn are not 521 | provided in the config file, the code will try to get them from 522 | `/etc/ldap.conf`. 523 | 524 | In the fastbind scenario, the LDAP code will check whether the username and 525 | password are valid by attempting to bind as the given user. If that succeeds, 526 | and the config variable `ldap_groups` is not `false`, it checks whether the 527 | user is a member of the given Posix group(s). If either condition fails, the 528 | user is rejected. 529 | 530 | In the AD bind scenario, the code will first bind with an auth DN, fetch the DN 531 | for the user, and rebind as that user. It also optionally checks group 532 | memberships. 533 | 534 | There are three reasons for having LDAP support. Firstly, to put a lightweight 535 | authentication service in front of the relatively heavyweight `smbclient` 536 | method of authentication (spawning a process, interpreting the results and so 537 | on). Secondly, to provide some form of access control. In this setup, only the 538 | users who are members of a certain group can use SambaDAV. Thirdly, there is 539 | the option to fetch the location of a user's home directory from an LDAP 540 | property. 541 | 542 | 543 | ## Caching 544 | 545 | Though the cache can be turned off in the config, you may find that the 546 | performance becomes unacceptably slow, especially under Mac OS X. SambaDAV can 547 | cache directory listings, file properties and other metadata on disk for 548 | improved performance. The default cache location, changeable in the config, is 549 | a directory in shared memory, under `/dev/shm`. SambaDAV will create this 550 | directory with proper ownerships and permissions if it doesn't exist. 551 | 552 | File *contents* are never cached. Only metadata such as directory listings are 553 | cached. Metadata is first serialized, then zipped, then encrypted with a key 554 | derived from the user's password. 555 | 556 | The cache is automatically cleaned at certain intervals. A semaphore file is 557 | used to avoid pulling the rug out from under active lookups. It should always 558 | be safe to delete all the cache files (but hopefully unnecessary, since the 559 | cache is self-cleaning). 560 | 561 | 562 | ## Logging 563 | 564 | SambaDAV has a simple built-in logging mechanism that traces out the flow 565 | through the program. The granularity is currently not great: trace logging can 566 | be turned either 'off' or 'on'. The setting is in `/include/function.log.php`, 567 | the `$trace_log` variable. Feel free to add `log_trace` statements wherever you 568 | need them. Logging may become more pervasive in future releases. 569 | 570 | 571 | ## Client support 572 | 573 | See also the SabreDAV documentation for details. Client support is mostly 574 | something between the client and SabreDAV, not something that SambaDAV has 575 | much influence on. However, there are some tips for getting WebDAV clients 576 | running: 577 | 578 | - All clients should connect over SSL as a matter of principle. Don't use an 579 | unencrypted connection, or you will expose passwords and file contents to the 580 | whole world. 581 | 582 | - Windows XP needs a valid certificate. If the Network Drive mapper is not 583 | working, try surfing to the webfolders URL with Internet Explorer and see if 584 | you get a certificate error. Internet Explorer uses the same networking code 585 | as the builtin Webfolders client, and any errors you get in Internet Explorer 586 | will tell you what's going wrong in the Webfolders client. 587 | 588 | - Windows XP does not support SSL connection syntax, or connecting to anything 589 | other than the root of a domain, but it does properly redirect to an SSL 590 | connection if it receives a redirect response from the server. So for proper 591 | Windows XP support, you must setup a plain HTTP server that redirects all 592 | requests to an SSL server with a valid SSL certificate. See the 593 | [Config](#webserver-configuration) section. 594 | 595 | 596 | ### Slow in Windows 7? 597 | 598 | The default configuration of the built-in Windows 7 WebDAV client sometimes 599 | makes network drives seem really slow to respond. A network share will take 600 | ages to connect and opening folders takes many seconds. Luckily, getting a 601 | snappy browsing experience is an easy fix: 602 | 603 | 1. Open Internet Explorer. 604 | 2. Open the `Tools` menu from the top menu bar. 605 | 3. Click `Internet Options`. A window opens. 606 | 4. In the window, open the `Connections` tab. 607 | 5. Click the button `LAN settings` near the bottom. A second window opens. 608 | 6. Uncheck the box marked `Automatically detect settings`. 609 | 7. Click `Ok` on both the windows to close them. 610 | 611 | Try again and you should be able to connect and browse at normal speeds. 612 | 613 | More information can be found in the [SabreDAV wiki](http://sabre.io/dav/clients). 614 | 615 | 616 | ## Security considerations 617 | 618 | Always run this service over SSL! Your users are sending plaintext passwords, 619 | which is only secure if the transport is encrypted. 620 | 621 | Files inside the WebDAV tree (such as PHP files) are not interpreted or 622 | executed by SambaDAV; they are streamed straight through `smbclient` to the 623 | user in passthrough mode. 624 | 625 | All operations on the server are run through `smbclient`, so users can do no 626 | more than they already could by running `smbclient` on the server in a shell. 627 | All permission checking is left to the SMB server. 628 | 629 | The username and password are supplied to `smbclient` in plaintext through an 630 | anonymous file descriptor (Unix pipe). This is reasonably secure (the passwords 631 | don't show up in the process table and aren't written to disk), but in theory, 632 | the data could be intercepted by other processes running as the same user. For 633 | that reason, you should run this service under a dedicated user account. 634 | 635 | `smbclient` comes with an ill-conceived shell-command "feature": users can 636 | execute shell commands on the local server by sending `smbclient` a command 637 | that starts with an exclamation mark; see the manpage. This is hardly useful 638 | because the shell command is executed locally instead of remotely. The problem 639 | is made worse by the fact that the exclamation mark is actually allowed in 640 | Windows filenames, so it can't really be filtered out. However, characters from 641 | 0 to 31 are not allowed, and that range includes newlines. SambaDAV does filter 642 | out (rather, forbid) characters in that range, so it's not easy to arrange for 643 | an exclamation mark to appear at the start of a line. 644 | 645 | We make no guarantees about the security or fitness for purpose of this 646 | software. See the 647 | [LICENSE](https://github.com/1afa/sambadav/blob/master/LICENSE) for 648 | specifics. 649 | 650 | 651 | ## Troubleshooting 652 | 653 | - Is your `smbclient` install working correctly? Do you get the expected output 654 | when you execute: 655 | 656 | ```sh 657 | # Lookup shares list as guest: 658 | smbclient -N -L //myserver 659 | 660 | # Lookup shares as specific user: 661 | smbclient -U myuser -L //myserver 662 | 663 | # Connect to a share as a specific user, get a file listing: 664 | smbclient -U myuser //myserver/myshare -c 'ls' 665 | ``` 666 | 667 | If these examples fail, try again with `--debuglevel=3` and carefully inspect 668 | the output for errors. 669 | 670 | - If things are not working, try connecting to the server with a browser first. 671 | If your browser can't connect, or if you encounter certificate errors, fix 672 | those problems first. Only try WebDAV clients after getting SambaDAV to work 673 | in the browser. 674 | 675 | - If nothing appears to happen (blank page), check the PHP error logs for error 676 | messages. SabreDAV requires a number of PHP extensions; you might need to 677 | enable some. 678 | 679 | - Is `$enable_webfolders` set to the precise value of `true` in 680 | `/config/share_userhomes.inc.php`? That variable is the master switch; if 681 | it's set to anything but `true`, `server.php` bails out early with a 404 Not 682 | Found error. 683 | 684 | - If you're getting errors, try checking the server logs. Pay attention to the 685 | resources requested and the HTTP reponse codes dished out by SambaDAV. Is 686 | the client requesting the proper URL? 687 | 688 | - Remember that SambaDAV is ultimately just a frontend to `smbclient`. If a 689 | user is granted no rights by `smbclient`, there's nothing SambaDAV can do. 690 | Turn on tracelogging to see the commands issued to `smbclient` and reproduce 691 | them on the commandline. Any unexpected errors? 692 | 693 | - SambaDAV makes precise assumptions about the format of the `smbclient` 694 | output. Your `smbclient` might be producing different output from what 695 | SambaDAV expects. 696 | 697 | 698 | ## Reporting bugs 699 | 700 | Bugs should be reported at the GitHub project page, in the issues section. This 701 | requires a GitHub account. Alternatively, you can send an e-mail to the 702 | authors; the e-mail addresses are found in the commit headers. 703 | 704 | Please be specific about any problems you encounter. Turn on logging and try to 705 | capture the commands and responses sent by SambaDAV and `smbclient`. (This 706 | might require the insertion of some strategically placed `error_log()` 707 | statements.) Include a mention of what you think the output should be. 708 | 709 | ## Upgrading 710 | 711 | ### From 0.5 to 0.6 712 | 713 | If you want to migrate an older config, you need to add the new config options: 714 | - `'ldap_port' => 389,` 715 | - `'browserplugin_enable_delete' => false,` 716 | 717 | ### From 0.4 to 0.5 718 | 719 | If you want to migrate an older config, you probably need to add the new 720 | `ldap_username_pattern` and `samba_username_pattern` config options. The 721 | backwards-compatible value for these is `%u` (use the stripped username). 722 | 723 | ### From 0.3 to 0.4 724 | 725 | The config system changed between 0.3 and 0.4. In 0.3, configuration was done 726 | with a mix of global variables and defines. This changed in 0.4 to a system of 727 | array keys which are merged into the main config from all PHP files found in 728 | `/config`. The config variables and settings themselves have not changed, and 729 | can be carried over quite easily from an 0.3 installation. 730 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU AFFERO GENERAL PUBLIC LICENSE 2 | Version 3, 19 November 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU Affero General Public License is a free, copyleft license for 11 | software and other kinds of works, specifically designed to ensure 12 | cooperation with the community in the case of network server software. 13 | 14 | The licenses for most software and other practical works are designed 15 | to take away your freedom to share and change the works. By contrast, 16 | our General Public Licenses are intended to guarantee your freedom to 17 | share and change all versions of a program--to make sure it remains free 18 | software for all its users. 19 | 20 | When we speak of free software, we are referring to freedom, not 21 | price. Our General Public Licenses are designed to make sure that you 22 | have the freedom to distribute copies of free software (and charge for 23 | them if you wish), that you receive source code or can get it if you 24 | want it, that you can change the software or use pieces of it in new 25 | free programs, and that you know you can do these things. 26 | 27 | Developers that use our General Public Licenses protect your rights 28 | with two steps: (1) assert copyright on the software, and (2) offer 29 | you this License which gives you legal permission to copy, distribute 30 | and/or modify the software. 31 | 32 | A secondary benefit of defending all users' freedom is that 33 | improvements made in alternate versions of the program, if they 34 | receive widespread use, become available for other developers to 35 | incorporate. Many developers of free software are heartened and 36 | encouraged by the resulting cooperation. However, in the case of 37 | software used on network servers, this result may fail to come about. 38 | The GNU General Public License permits making a modified version and 39 | letting the public access it on a server without ever releasing its 40 | source code to the public. 41 | 42 | The GNU Affero General Public License is designed specifically to 43 | ensure that, in such cases, the modified source code becomes available 44 | to the community. It requires the operator of a network server to 45 | provide the source code of the modified version running there to the 46 | users of that server. Therefore, public use of a modified version, on 47 | a publicly accessible server, gives the public access to the source 48 | code of the modified version. 49 | 50 | An older license, called the Affero General Public License and 51 | published by Affero, was designed to accomplish similar goals. This is 52 | a different license, not a version of the Affero GPL, but Affero has 53 | released a new version of the Affero GPL which permits relicensing under 54 | this license. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | TERMS AND CONDITIONS 60 | 61 | 0. Definitions. 62 | 63 | "This License" refers to version 3 of the GNU Affero General Public License. 64 | 65 | "Copyright" also means copyright-like laws that apply to other kinds of 66 | works, such as semiconductor masks. 67 | 68 | "The Program" refers to any copyrightable work licensed under this 69 | License. Each licensee is addressed as "you". "Licensees" and 70 | "recipients" may be individuals or organizations. 71 | 72 | To "modify" a work means to copy from or adapt all or part of the work 73 | in a fashion requiring copyright permission, other than the making of an 74 | exact copy. The resulting work is called a "modified version" of the 75 | earlier work or a work "based on" the earlier work. 76 | 77 | A "covered work" means either the unmodified Program or a work based 78 | on the Program. 79 | 80 | To "propagate" a work means to do anything with it that, without 81 | permission, would make you directly or secondarily liable for 82 | infringement under applicable copyright law, except executing it on a 83 | computer or modifying a private copy. Propagation includes copying, 84 | distribution (with or without modification), making available to the 85 | public, and in some countries other activities as well. 86 | 87 | To "convey" a work means any kind of propagation that enables other 88 | parties to make or receive copies. Mere interaction with a user through 89 | a computer network, with no transfer of a copy, is not conveying. 90 | 91 | An interactive user interface displays "Appropriate Legal Notices" 92 | to the extent that it includes a convenient and prominently visible 93 | feature that (1) displays an appropriate copyright notice, and (2) 94 | tells the user that there is no warranty for the work (except to the 95 | extent that warranties are provided), that licensees may convey the 96 | work under this License, and how to view a copy of this License. If 97 | the interface presents a list of user commands or options, such as a 98 | menu, a prominent item in the list meets this criterion. 99 | 100 | 1. Source Code. 101 | 102 | The "source code" for a work means the preferred form of the work 103 | for making modifications to it. "Object code" means any non-source 104 | form of a work. 105 | 106 | A "Standard Interface" means an interface that either is an official 107 | standard defined by a recognized standards body, or, in the case of 108 | interfaces specified for a particular programming language, one that 109 | is widely used among developers working in that language. 110 | 111 | The "System Libraries" of an executable work include anything, other 112 | than the work as a whole, that (a) is included in the normal form of 113 | packaging a Major Component, but which is not part of that Major 114 | Component, and (b) serves only to enable use of the work with that 115 | Major Component, or to implement a Standard Interface for which an 116 | implementation is available to the public in source code form. A 117 | "Major Component", in this context, means a major essential component 118 | (kernel, window system, and so on) of the specific operating system 119 | (if any) on which the executable work runs, or a compiler used to 120 | produce the work, or an object code interpreter used to run it. 121 | 122 | The "Corresponding Source" for a work in object code form means all 123 | the source code needed to generate, install, and (for an executable 124 | work) run the object code and to modify the work, including scripts to 125 | control those activities. However, it does not include the work's 126 | System Libraries, or general-purpose tools or generally available free 127 | programs which are used unmodified in performing those activities but 128 | which are not part of the work. For example, Corresponding Source 129 | includes interface definition files associated with source files for 130 | the work, and the source code for shared libraries and dynamically 131 | linked subprograms that the work is specifically designed to require, 132 | such as by intimate data communication or control flow between those 133 | subprograms and other parts of the work. 134 | 135 | The Corresponding Source need not include anything that users 136 | can regenerate automatically from other parts of the Corresponding 137 | Source. 138 | 139 | The Corresponding Source for a work in source code form is that 140 | same work. 141 | 142 | 2. Basic Permissions. 143 | 144 | All rights granted under this License are granted for the term of 145 | copyright on the Program, and are irrevocable provided the stated 146 | conditions are met. This License explicitly affirms your unlimited 147 | permission to run the unmodified Program. The output from running a 148 | covered work is covered by this License only if the output, given its 149 | content, constitutes a covered work. This License acknowledges your 150 | rights of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not 153 | convey, without conditions so long as your license otherwise remains 154 | in force. You may convey covered works to others for the sole purpose 155 | of having them make modifications exclusively for you, or provide you 156 | with facilities for running those works, provided that you comply with 157 | the terms of this License in conveying all material for which you do 158 | not control copyright. Those thus making or running the covered works 159 | for you must do so exclusively on your behalf, under your direction 160 | and control, on terms that prohibit them from making any copies of 161 | your copyrighted material outside their relationship with you. 162 | 163 | Conveying under any other circumstances is permitted solely under 164 | the conditions stated below. Sublicensing is not allowed; section 10 165 | makes it unnecessary. 166 | 167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 | 169 | No covered work shall be deemed part of an effective technological 170 | measure under any applicable law fulfilling obligations under article 171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 | similar laws prohibiting or restricting circumvention of such 173 | measures. 174 | 175 | When you convey a covered work, you waive any legal power to forbid 176 | circumvention of technological measures to the extent such circumvention 177 | is effected by exercising rights under this License with respect to 178 | the covered work, and you disclaim any intention to limit operation or 179 | modification of the work as a means of enforcing, against the work's 180 | users, your or third parties' legal rights to forbid circumvention of 181 | technological measures. 182 | 183 | 4. Conveying Verbatim Copies. 184 | 185 | You may convey verbatim copies of the Program's source code as you 186 | receive it, in any medium, provided that you conspicuously and 187 | appropriately publish on each copy an appropriate copyright notice; 188 | keep intact all notices stating that this License and any 189 | non-permissive terms added in accord with section 7 apply to the code; 190 | keep intact all notices of the absence of any warranty; and give all 191 | recipients a copy of this License along with the Program. 192 | 193 | You may charge any price or no price for each copy that you convey, 194 | and you may offer support or warranty protection for a fee. 195 | 196 | 5. Conveying Modified Source Versions. 197 | 198 | You may convey a work based on the Program, or the modifications to 199 | produce it from the Program, in the form of source code under the 200 | terms of section 4, provided that you also meet all of these conditions: 201 | 202 | a) The work must carry prominent notices stating that you modified 203 | it, and giving a relevant date. 204 | 205 | b) The work must carry prominent notices stating that it is 206 | released under this License and any conditions added under section 207 | 7. This requirement modifies the requirement in section 4 to 208 | "keep intact all notices". 209 | 210 | c) You must license the entire work, as a whole, under this 211 | License to anyone who comes into possession of a copy. This 212 | License will therefore apply, along with any applicable section 7 213 | additional terms, to the whole of the work, and all its parts, 214 | regardless of how they are packaged. This License gives no 215 | permission to license the work in any other way, but it does not 216 | invalidate such permission if you have separately received it. 217 | 218 | d) If the work has interactive user interfaces, each must display 219 | Appropriate Legal Notices; however, if the Program has interactive 220 | interfaces that do not display Appropriate Legal Notices, your 221 | work need not make them do so. 222 | 223 | A compilation of a covered work with other separate and independent 224 | works, which are not by their nature extensions of the covered work, 225 | and which are not combined with it such as to form a larger program, 226 | in or on a volume of a storage or distribution medium, is called an 227 | "aggregate" if the compilation and its resulting copyright are not 228 | used to limit the access or legal rights of the compilation's users 229 | beyond what the individual works permit. Inclusion of a covered work 230 | in an aggregate does not cause this License to apply to the other 231 | parts of the aggregate. 232 | 233 | 6. Conveying Non-Source Forms. 234 | 235 | You may convey a covered work in object code form under the terms 236 | of sections 4 and 5, provided that you also convey the 237 | machine-readable Corresponding Source under the terms of this License, 238 | in one of these ways: 239 | 240 | a) Convey the object code in, or embodied in, a physical product 241 | (including a physical distribution medium), accompanied by the 242 | Corresponding Source fixed on a durable physical medium 243 | customarily used for software interchange. 244 | 245 | b) Convey the object code in, or embodied in, a physical product 246 | (including a physical distribution medium), accompanied by a 247 | written offer, valid for at least three years and valid for as 248 | long as you offer spare parts or customer support for that product 249 | model, to give anyone who possesses the object code either (1) a 250 | copy of the Corresponding Source for all the software in the 251 | product that is covered by this License, on a durable physical 252 | medium customarily used for software interchange, for a price no 253 | more than your reasonable cost of physically performing this 254 | conveying of source, or (2) access to copy the 255 | Corresponding Source from a network server at no charge. 256 | 257 | c) Convey individual copies of the object code with a copy of the 258 | written offer to provide the Corresponding Source. This 259 | alternative is allowed only occasionally and noncommercially, and 260 | only if you received the object code with such an offer, in accord 261 | with subsection 6b. 262 | 263 | d) Convey the object code by offering access from a designated 264 | place (gratis or for a charge), and offer equivalent access to the 265 | Corresponding Source in the same way through the same place at no 266 | further charge. You need not require recipients to copy the 267 | Corresponding Source along with the object code. If the place to 268 | copy the object code is a network server, the Corresponding Source 269 | may be on a different server (operated by you or a third party) 270 | that supports equivalent copying facilities, provided you maintain 271 | clear directions next to the object code saying where to find the 272 | Corresponding Source. Regardless of what server hosts the 273 | Corresponding Source, you remain obligated to ensure that it is 274 | available for as long as needed to satisfy these requirements. 275 | 276 | e) Convey the object code using peer-to-peer transmission, provided 277 | you inform other peers where the object code and Corresponding 278 | Source of the work are being offered to the general public at no 279 | charge under subsection 6d. 280 | 281 | A separable portion of the object code, whose source code is excluded 282 | from the Corresponding Source as a System Library, need not be 283 | included in conveying the object code work. 284 | 285 | A "User Product" is either (1) a "consumer product", which means any 286 | tangible personal property which is normally used for personal, family, 287 | or household purposes, or (2) anything designed or sold for incorporation 288 | into a dwelling. In determining whether a product is a consumer product, 289 | doubtful cases shall be resolved in favor of coverage. For a particular 290 | product received by a particular user, "normally used" refers to a 291 | typical or common use of that class of product, regardless of the status 292 | of the particular user or of the way in which the particular user 293 | actually uses, or expects or is expected to use, the product. A product 294 | is a consumer product regardless of whether the product has substantial 295 | commercial, industrial or non-consumer uses, unless such uses represent 296 | the only significant mode of use of the product. 297 | 298 | "Installation Information" for a User Product means any methods, 299 | procedures, authorization keys, or other information required to install 300 | and execute modified versions of a covered work in that User Product from 301 | a modified version of its Corresponding Source. The information must 302 | suffice to ensure that the continued functioning of the modified object 303 | code is in no case prevented or interfered with solely because 304 | modification has been made. 305 | 306 | If you convey an object code work under this section in, or with, or 307 | specifically for use in, a User Product, and the conveying occurs as 308 | part of a transaction in which the right of possession and use of the 309 | User Product is transferred to the recipient in perpetuity or for a 310 | fixed term (regardless of how the transaction is characterized), the 311 | Corresponding Source conveyed under this section must be accompanied 312 | by the Installation Information. But this requirement does not apply 313 | if neither you nor any third party retains the ability to install 314 | modified object code on the User Product (for example, the work has 315 | been installed in ROM). 316 | 317 | The requirement to provide Installation Information does not include a 318 | requirement to continue to provide support service, warranty, or updates 319 | for a work that has been modified or installed by the recipient, or for 320 | the User Product in which it has been modified or installed. Access to a 321 | network may be denied when the modification itself materially and 322 | adversely affects the operation of the network or violates the rules and 323 | protocols for communication across the network. 324 | 325 | Corresponding Source conveyed, and Installation Information provided, 326 | in accord with this section must be in a format that is publicly 327 | documented (and with an implementation available to the public in 328 | source code form), and must require no special password or key for 329 | unpacking, reading or copying. 330 | 331 | 7. Additional Terms. 332 | 333 | "Additional permissions" are terms that supplement the terms of this 334 | License by making exceptions from one or more of its conditions. 335 | Additional permissions that are applicable to the entire Program shall 336 | be treated as though they were included in this License, to the extent 337 | that they are valid under applicable law. If additional permissions 338 | apply only to part of the Program, that part may be used separately 339 | under those permissions, but the entire Program remains governed by 340 | this License without regard to the additional permissions. 341 | 342 | When you convey a copy of a covered work, you may at your option 343 | remove any additional permissions from that copy, or from any part of 344 | it. (Additional permissions may be written to require their own 345 | removal in certain cases when you modify the work.) You may place 346 | additional permissions on material, added by you to a covered work, 347 | for which you have or can give appropriate copyright permission. 348 | 349 | Notwithstanding any other provision of this License, for material you 350 | add to a covered work, you may (if authorized by the copyright holders of 351 | that material) supplement the terms of this License with terms: 352 | 353 | a) Disclaiming warranty or limiting liability differently from the 354 | terms of sections 15 and 16 of this License; or 355 | 356 | b) Requiring preservation of specified reasonable legal notices or 357 | author attributions in that material or in the Appropriate Legal 358 | Notices displayed by works containing it; or 359 | 360 | c) Prohibiting misrepresentation of the origin of that material, or 361 | requiring that modified versions of such material be marked in 362 | reasonable ways as different from the original version; or 363 | 364 | d) Limiting the use for publicity purposes of names of licensors or 365 | authors of the material; or 366 | 367 | e) Declining to grant rights under trademark law for use of some 368 | trade names, trademarks, or service marks; or 369 | 370 | f) Requiring indemnification of licensors and authors of that 371 | material by anyone who conveys the material (or modified versions of 372 | it) with contractual assumptions of liability to the recipient, for 373 | any liability that these contractual assumptions directly impose on 374 | those licensors and authors. 375 | 376 | All other non-permissive additional terms are considered "further 377 | restrictions" within the meaning of section 10. If the Program as you 378 | received it, or any part of it, contains a notice stating that it is 379 | governed by this License along with a term that is a further 380 | restriction, you may remove that term. If a license document contains 381 | a further restriction but permits relicensing or conveying under this 382 | License, you may add to a covered work material governed by the terms 383 | of that license document, provided that the further restriction does 384 | not survive such relicensing or conveying. 385 | 386 | If you add terms to a covered work in accord with this section, you 387 | must place, in the relevant source files, a statement of the 388 | additional terms that apply to those files, or a notice indicating 389 | where to find the applicable terms. 390 | 391 | Additional terms, permissive or non-permissive, may be stated in the 392 | form of a separately written license, or stated as exceptions; 393 | the above requirements apply either way. 394 | 395 | 8. Termination. 396 | 397 | You may not propagate or modify a covered work except as expressly 398 | provided under this License. Any attempt otherwise to propagate or 399 | modify it is void, and will automatically terminate your rights under 400 | this License (including any patent licenses granted under the third 401 | paragraph of section 11). 402 | 403 | However, if you cease all violation of this License, then your 404 | license from a particular copyright holder is reinstated (a) 405 | provisionally, unless and until the copyright holder explicitly and 406 | finally terminates your license, and (b) permanently, if the copyright 407 | holder fails to notify you of the violation by some reasonable means 408 | prior to 60 days after the cessation. 409 | 410 | Moreover, your license from a particular copyright holder is 411 | reinstated permanently if the copyright holder notifies you of the 412 | violation by some reasonable means, this is the first time you have 413 | received notice of violation of this License (for any work) from that 414 | copyright holder, and you cure the violation prior to 30 days after 415 | your receipt of the notice. 416 | 417 | Termination of your rights under this section does not terminate the 418 | licenses of parties who have received copies or rights from you under 419 | this License. If your rights have been terminated and not permanently 420 | reinstated, you do not qualify to receive new licenses for the same 421 | material under section 10. 422 | 423 | 9. Acceptance Not Required for Having Copies. 424 | 425 | You are not required to accept this License in order to receive or 426 | run a copy of the Program. Ancillary propagation of a covered work 427 | occurring solely as a consequence of using peer-to-peer transmission 428 | to receive a copy likewise does not require acceptance. However, 429 | nothing other than this License grants you permission to propagate or 430 | modify any covered work. These actions infringe copyright if you do 431 | not accept this License. Therefore, by modifying or propagating a 432 | covered work, you indicate your acceptance of this License to do so. 433 | 434 | 10. Automatic Licensing of Downstream Recipients. 435 | 436 | Each time you convey a covered work, the recipient automatically 437 | receives a license from the original licensors, to run, modify and 438 | propagate that work, subject to this License. You are not responsible 439 | for enforcing compliance by third parties with this License. 440 | 441 | An "entity transaction" is a transaction transferring control of an 442 | organization, or substantially all assets of one, or subdividing an 443 | organization, or merging organizations. If propagation of a covered 444 | work results from an entity transaction, each party to that 445 | transaction who receives a copy of the work also receives whatever 446 | licenses to the work the party's predecessor in interest had or could 447 | give under the previous paragraph, plus a right to possession of the 448 | Corresponding Source of the work from the predecessor in interest, if 449 | the predecessor has it or can get it with reasonable efforts. 450 | 451 | You may not impose any further restrictions on the exercise of the 452 | rights granted or affirmed under this License. For example, you may 453 | not impose a license fee, royalty, or other charge for exercise of 454 | rights granted under this License, and you may not initiate litigation 455 | (including a cross-claim or counterclaim in a lawsuit) alleging that 456 | any patent claim is infringed by making, using, selling, offering for 457 | sale, or importing the Program or any portion of it. 458 | 459 | 11. Patents. 460 | 461 | A "contributor" is a copyright holder who authorizes use under this 462 | License of the Program or a work on which the Program is based. The 463 | work thus licensed is called the contributor's "contributor version". 464 | 465 | A contributor's "essential patent claims" are all patent claims 466 | owned or controlled by the contributor, whether already acquired or 467 | hereafter acquired, that would be infringed by some manner, permitted 468 | by this License, of making, using, or selling its contributor version, 469 | but do not include claims that would be infringed only as a 470 | consequence of further modification of the contributor version. For 471 | purposes of this definition, "control" includes the right to grant 472 | patent sublicenses in a manner consistent with the requirements of 473 | this License. 474 | 475 | Each contributor grants you a non-exclusive, worldwide, royalty-free 476 | patent license under the contributor's essential patent claims, to 477 | make, use, sell, offer for sale, import and otherwise run, modify and 478 | propagate the contents of its contributor version. 479 | 480 | In the following three paragraphs, a "patent license" is any express 481 | agreement or commitment, however denominated, not to enforce a patent 482 | (such as an express permission to practice a patent or covenant not to 483 | sue for patent infringement). To "grant" such a patent license to a 484 | party means to make such an agreement or commitment not to enforce a 485 | patent against the party. 486 | 487 | If you convey a covered work, knowingly relying on a patent license, 488 | and the Corresponding Source of the work is not available for anyone 489 | to copy, free of charge and under the terms of this License, through a 490 | publicly available network server or other readily accessible means, 491 | then you must either (1) cause the Corresponding Source to be so 492 | available, or (2) arrange to deprive yourself of the benefit of the 493 | patent license for this particular work, or (3) arrange, in a manner 494 | consistent with the requirements of this License, to extend the patent 495 | license to downstream recipients. "Knowingly relying" means you have 496 | actual knowledge that, but for the patent license, your conveying the 497 | covered work in a country, or your recipient's use of the covered work 498 | in a country, would infringe one or more identifiable patents in that 499 | country that you have reason to believe are valid. 500 | 501 | If, pursuant to or in connection with a single transaction or 502 | arrangement, you convey, or propagate by procuring conveyance of, a 503 | covered work, and grant a patent license to some of the parties 504 | receiving the covered work authorizing them to use, propagate, modify 505 | or convey a specific copy of the covered work, then the patent license 506 | you grant is automatically extended to all recipients of the covered 507 | work and works based on it. 508 | 509 | A patent license is "discriminatory" if it does not include within 510 | the scope of its coverage, prohibits the exercise of, or is 511 | conditioned on the non-exercise of one or more of the rights that are 512 | specifically granted under this License. You may not convey a covered 513 | work if you are a party to an arrangement with a third party that is 514 | in the business of distributing software, under which you make payment 515 | to the third party based on the extent of your activity of conveying 516 | the work, and under which the third party grants, to any of the 517 | parties who would receive the covered work from you, a discriminatory 518 | patent license (a) in connection with copies of the covered work 519 | conveyed by you (or copies made from those copies), or (b) primarily 520 | for and in connection with specific products or compilations that 521 | contain the covered work, unless you entered into that arrangement, 522 | or that patent license was granted, prior to 28 March 2007. 523 | 524 | Nothing in this License shall be construed as excluding or limiting 525 | any implied license or other defenses to infringement that may 526 | otherwise be available to you under applicable patent law. 527 | 528 | 12. No Surrender of Others' Freedom. 529 | 530 | If conditions are imposed on you (whether by court order, agreement or 531 | otherwise) that contradict the conditions of this License, they do not 532 | excuse you from the conditions of this License. If you cannot convey a 533 | covered work so as to satisfy simultaneously your obligations under this 534 | License and any other pertinent obligations, then as a consequence you may 535 | not convey it at all. For example, if you agree to terms that obligate you 536 | to collect a royalty for further conveying from those to whom you convey 537 | the Program, the only way you could satisfy both those terms and this 538 | License would be to refrain entirely from conveying the Program. 539 | 540 | 13. Remote Network Interaction; Use with the GNU General Public License. 541 | 542 | Notwithstanding any other provision of this License, if you modify the 543 | Program, your modified version must prominently offer all users 544 | interacting with it remotely through a computer network (if your version 545 | supports such interaction) an opportunity to receive the Corresponding 546 | Source of your version by providing access to the Corresponding Source 547 | from a network server at no charge, through some standard or customary 548 | means of facilitating copying of software. This Corresponding Source 549 | shall include the Corresponding Source for any work covered by version 3 550 | of the GNU General Public License that is incorporated pursuant to the 551 | following paragraph. 552 | 553 | Notwithstanding any other provision of this License, you have 554 | permission to link or combine any covered work with a work licensed 555 | under version 3 of the GNU General Public License into a single 556 | combined work, and to convey the resulting work. The terms of this 557 | License will continue to apply to the part which is the covered work, 558 | but the work with which it is combined will remain governed by version 559 | 3 of the GNU General Public License. 560 | 561 | 14. Revised Versions of this License. 562 | 563 | The Free Software Foundation may publish revised and/or new versions of 564 | the GNU Affero General Public License from time to time. Such new versions 565 | will be similar in spirit to the present version, but may differ in detail to 566 | address new problems or concerns. 567 | 568 | Each version is given a distinguishing version number. If the 569 | Program specifies that a certain numbered version of the GNU Affero General 570 | Public License "or any later version" applies to it, you have the 571 | option of following the terms and conditions either of that numbered 572 | version or of any later version published by the Free Software 573 | Foundation. If the Program does not specify a version number of the 574 | GNU Affero General Public License, you may choose any version ever published 575 | by the Free Software Foundation. 576 | 577 | If the Program specifies that a proxy can decide which future 578 | versions of the GNU Affero General Public License can be used, that proxy's 579 | public statement of acceptance of a version permanently authorizes you 580 | to choose that version for the Program. 581 | 582 | Later license versions may give you additional or different 583 | permissions. However, no additional obligations are imposed on any 584 | author or copyright holder as a result of your choosing to follow a 585 | later version. 586 | 587 | 15. Disclaimer of Warranty. 588 | 589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 | 598 | 16. Limitation of Liability. 599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published by 637 | the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 662 | --------------------------------------------------------------------------------