feat: add openBaseDir for php website config (#8866)

zhengkunwang223 · web-flow · commit 71d92c30e31b · 2025-05-28T10:20:22.000Z
diff --git a/agent/app/api/v2/website.go b/agent/app/api/v2/website.go
@@ -1101,3 +1101,23 @@ func (b *BaseApi) ClearProxyCache(c *gin.Context) {
 	}
 	helper.Success(c)
 }
+
+// @Tags Website
+// @Summary Operate Cross Site Access
+// @Accept json
+// @Param request body request.CrossSiteAccessOp true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /websites/crosssite [post]
+func (b *BaseApi) OperateCrossSiteAccess(c *gin.Context) {
+	var req request.CrossSiteAccessOp
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+	if err := websiteService.OperateCrossSiteAccess(req); err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+	helper.Success(c)
+}
diff --git a/agent/app/dto/request/website.go b/agent/app/dto/request/website.go
@@ -289,3 +289,8 @@ type WebsiteProxyDel struct {
 	ID   uint   `json:"id" validate:"required"`
 	Name string `json:"name" validate:"required"`
 }
+
+type CrossSiteAccessOp struct {
+	WebsiteID uint   `json:"websiteID" validate:"required"`
+	Operation string `json:"operation" validate:"required,oneof=Enable Disable"`
+}
diff --git a/agent/app/dto/response/website.go b/agent/app/dto/response/website.go
@@ -15,6 +15,7 @@ type WebsiteDTO struct {
 	RuntimeName   string `json:"runtimeName"`
 	RuntimeType   string `json:"runtimeType"`
 	SiteDir       string `json:"siteDir"`
+	OpenBaseDir   bool   `json:"openBaseDir"`
 }
 
 type WebsiteRes struct {
diff --git a/agent/app/service/website.go b/agent/app/service/website.go
@@ -124,6 +124,8 @@ type IWebsiteService interface {
 	GetWebsiteResource(websiteID uint) ([]response.Resource, error)
 	ListDatabases() ([]response.Database, error)
 	ChangeDatabase(req request.ChangeDatabase) error
+
+	OperateCrossSiteAccess(req request.CrossSiteAccessOp) error
 }
 
 func NewIWebsiteService() IWebsiteService {
@@ -428,7 +430,7 @@ func (w WebsiteService) CreateWebsite(create request.WebsiteCreate) (err error)
 				return err
 			}
 			if runtime.Type == constant.RuntimePHP && runtime.Resource == constant.ResourceAppstore {
-				createPHPConfig(website)
+				createOpenBasedirConfig(website)
 			}
 		}
 		tx, ctx := helper.GetTxAndContext()
@@ -573,6 +575,9 @@ func (w WebsiteService) GetWebsite(id uint) (response.WebsiteDTO, error) {
 		}
 		res.RuntimeType = runtime.Type
 		res.RuntimeName = runtime.Name
+		if runtime.Type == constant.RuntimePHP {
+			res.OpenBaseDir = files.NewFileOp().Stat(path.Join(GetSitePath(website, SiteIndexDir), ".user.ini"))
+		}
 	}
 	return res, nil
 }
@@ -3278,3 +3283,18 @@ func (w WebsiteService) ChangeDatabase(req request.ChangeDatabase) error {
 	website.DbType = req.DatabaseType
 	return websiteRepo.Save(context.Background(), &website)
 }
+
+func (w WebsiteService) OperateCrossSiteAccess(req request.CrossSiteAccessOp) error {
+	website, err := websiteRepo.GetFirst(repo.WithByID(req.WebsiteID))
+	if err != nil {
+		return err
+	}
+	if req.Operation == constant.StatusEnable {
+		createOpenBasedirConfig(&website)
+	}
+	if req.Operation == constant.StatusDisable {
+		fileOp := files.NewFileOp()
+		return fileOp.DeleteFile(path.Join(GetSitePath(website, SiteIndexDir), ".user.ini"))
+	}
+	return nil
+}
diff --git a/agent/app/service/website_utils.go b/agent/app/service/website_utils.go
@@ -349,11 +349,11 @@ func createAllWebsitesWAFConfig(websites []model.Website) error {
 	return nil
 }
 
-func createPHPConfig(website *model.Website) {
+func createOpenBasedirConfig(website *model.Website) {
 	fileOp := files.NewFileOp()
 	userIniPath := path.Join(GetSitePath(*website, SiteIndexDir), ".user.ini")
 	_ = fileOp.CreateFile(userIniPath)
-	_ = fileOp.SaveFile(userIniPath, fmt.Sprintf("open_basedir=/www/sites/%s/index", website.Alias), 0644)
+	_ = fileOp.SaveFile(userIniPath, fmt.Sprintf("open_basedir=/www/sites/%s/index:/tmp/", website.Alias), 0644)
 }
 
 func createWafConfig(website *model.Website, domains []model.WebsiteDomain) error {
diff --git a/agent/router/ro_website.go b/agent/router/ro_website.go
@@ -84,5 +84,7 @@ func (a *WebsiteRouter) InitRouter(Router *gin.RouterGroup) {
 		websiteRouter.GET("/resource/:id", baseApi.GetWebsiteResource)
 		websiteRouter.GET("/databases", baseApi.GetWebsiteDatabase)
 		websiteRouter.POST("/databases", baseApi.ChangeWebsiteDatabase)
+
+		websiteRouter.POST("/crosssite", baseApi.OperateCrossSiteAccess)
 	}
 }
diff --git a/frontend/src/api/interface/website.ts b/frontend/src/api/interface/website.ts
@@ -36,6 +36,7 @@ export namespace Website {
         appName: string;
         runtimeName: string;
         runtimeType: string;
+        openBaseDir: boolean;
     }
     export interface WebsiteRes extends CommonModel {
         protocol: string;
@@ -646,4 +647,9 @@ export namespace Website {
         databaseID: number;
         databaseType: string;
     }
+
+    export interface CrossSiteAccessOp {
+        websiteID: number;
+        operation: string;
+    }
 }
diff --git a/frontend/src/api/modules/website.ts b/frontend/src/api/modules/website.ts
@@ -343,3 +343,7 @@ export const operateCustomRewrite = (req: Website.CustomRewirte) => {
 export const listCustomRewrite = () => {
     return http.get<string[]>(`/websites/rewrite/custom`);
 };
+
+export const operateCrossSiteAccess = (req: Website.CrossSiteAccessOp) => {
+    return http.post(`/websites/crosssite`, req);
+};
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
@@ -2476,6 +2476,9 @@ const message = {
         useProxy: 'Use Proxy',
         useProxyHelper: 'Use the proxy server address in the panel settings',
         westCN: 'West Digital',
+        openBaseDir: 'Prevent Cross-Site Attacks',
+        openBaseDirHelper:
+            'open_basedir is used to restrict the PHP file access path, which helps prevent cross-site access and enhance security',
     },
     php: {
         short_open_tag: 'Short tag support',
diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts
@@ -2382,6 +2382,9 @@ const message = {
         useProxy: 'プロキシを使用',
         useProxyHelper: 'パネル設定のプロキシサーバーアドレスを使用',
         westCN: '西部デジタル',
+        openBaseDir: 'クロスサイト攻撃を防ぐ',
+        openBaseDirHelper:
+            'open_basedir は PHP ファイルのアクセスパスを制限し、クロスサイトアクセスを防ぎセキュリティを向上させるために使用されます',
     },
     php: {
         short_open_tag: '短いタグサポート',
diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts
@@ -2341,6 +2341,9 @@ const message = {
         useProxy: '프록시 사용',
         useProxyHelper: '패널 설정의 프록시 서버 주소 사용',
         westCN: '서부 디지털',
+        openBaseDir: '사이트 간 공격 방지',
+        openBaseDirHelper:
+            'open_basedir는 PHP 파일 액세스 경로를 제한하여 사이트 간 액세스를 방지하고 보안을 향상시키는 데 사용됩니다',
     },
     php: {
         short_open_tag: '짧은 태그 지원',
diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts
@@ -2436,6 +2436,9 @@ const message = {
         useProxy: 'Gunakan Proksi',
         useProxyHelper: 'Gunakan alamat pelayan proksi dalam tetapan panel',
         westCN: 'West Digital',
+        openBaseDir: 'Pencegahan Serangan Lintas Situs',
+        openBaseDirHelper:
+            'open_basedir digunakan untuk membatasi jalur akses file PHP, yang membantu mencegah akses lintas situs dan meningkatkan keamanan',
     },
     php: {
         short_open_tag: 'Sokongan tag pendek',
diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts
@@ -2433,6 +2433,9 @@ const message = {
         useProxy: 'Usar Proxy',
         useProxyHelper: 'Usar o endereço do servidor proxy nas configurações do painel',
         westCN: 'West Digital',
+        openBaseDir: 'Prevenir Ataques entre Sites',
+        openBaseDirHelper:
+            'open_basedir é usado para restringir o caminho de acesso a arquivos PHP, ajudando a prevenir acesso entre sites e aumentar a segurança',
     },
     php: {
         short_open_tag: 'Suporte para short tags',
diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts
@@ -2432,6 +2432,9 @@ const message = {
         useProxy: 'Использовать прокси',
         useProxyHelper: 'Использовать адрес прокси-сервера в настройках панели',
         westCN: 'Западный цифровой',
+        openBaseDir: 'Предотвращение межсайтовых атак',
+        openBaseDirHelper:
+            'open_basedir используется для ограничения пути доступа к файлам PHP, что помогает предотвратить межсайтовый доступ и повысить безопасность',
     },
     php: {
         short_open_tag: 'Поддержка коротких тегов',
diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts
@@ -2296,6 +2296,8 @@ const message = {
         useProxy: '使用代理',
         useProxyHelper: '使用面板設置中的代理服務器地址',
         westCN: '西部數碼',
+        openBaseDir: '防跨站攻擊',
+        openBaseDirHelper: 'open_basedir 用於限制 PHP 文件訪問路徑，有助於防止跨站訪問和提升安全性',
     },
     php: {
         short_open_tag: '短標簽支持',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
@@ -2286,6 +2286,8 @@ const message = {
         useProxy: '使用代理',
         useProxyHelper: '使用面板设置中的代理服务器地址',
         westCN: '西部数码',
+        openBaseDir: '防跨站攻击',
+        openBaseDirHelper: 'open_basedir 用于限制 PHP 文件访问路径，有助于防止跨站访问和提升安全性',
     },
     php: {
         short_open_tag: '短标签支持',
diff --git a/frontend/src/views/website/website/config/basic/php/index.vue b/frontend/src/views/website/website/config/basic/php/index.vue
@@ -2,28 +2,39 @@
     <div v-loading="loading">
         <el-row>
             <el-col :xs="20" :sm="12" :md="10" :lg="10" :xl="8">
-                <el-form label-position="right" label-width="80px">
+                <el-form label-position="right" label-width="120px">
                     <el-form-item>
-                        <div v-if="website.type === 'static'">
-                            <el-text type="info">{{ $t('website.staticChangePHPHelper') }}</el-text>
-                        </div>
+                        <el-text type="info" v-if="website.type === 'static'">
+                            {{ $t('website.staticChangePHPHelper') }}
+                        </el-text>
                     </el-form-item>
-
                     <el-form-item :label="$t('website.changeVersion')">
-                        <el-select v-model="versionReq.runtimeID" class="w-full">
-                            <el-option :key="-1" :label="$t('website.static')" :value="0"></el-option>
-                            <el-option
-                                v-for="(item, index) in versions"
-                                :key="index"
-                                :label="item.label"
-                                :value="item.value"
-                            ></el-option>
-                        </el-select>
+                        <el-row :gutter="20">
+                            <el-col :span="20">
+                                <el-select v-model="versionReq.runtimeID" class="p-w-200">
+                                    <el-option :key="-1" :label="$t('website.static')" :value="0"></el-option>
+                                    <el-option
+                                        v-for="(item, index) in versions"
+                                        :key="index"
+                                        :label="item.label"
+                                        :value="item.value"
+                                    ></el-option>
+                                </el-select>
+                            </el-col>
+                            <el-col :span="4">
+                                <el-button
+                                    type="primary"
+                                    @click="submit()"
+                                    :disabled="versionReq.runtimeID === oldRuntimeID"
+                                >
+                                    {{ $t('commons.button.save') }}
+                                </el-button>
+                            </el-col>
+                        </el-row>
                     </el-form-item>
-                    <el-form-item>
-                        <el-button type="primary" @click="submit()" :disabled="versionReq.runtimeID === oldRuntimeID">
-                            {{ $t('commons.button.save') }}
-                        </el-button>
+                    <el-form-item :label="$t('website.openBaseDir')">
+                        <el-switch v-model="openBaseDir" @change="operateCrossSite"></el-switch>
+                        <span class="input-help">{{ $t('website.openBaseDirHelper') }}</span>
                     </el-form-item>
                 </el-form>
             </el-col>
@@ -36,7 +47,7 @@ import { SearchRuntimes } from '@/api/modules/runtime';
 import { onMounted, reactive, ref } from 'vue';
 import { Runtime } from '@/api/interface/runtime';
 import { Website } from '@/api/interface/website';
-import { changePHPVersion, getWebsite } from '@/api/modules/website';
+import { changePHPVersion, getWebsite, operateCrossSiteAccess } from '@/api/modules/website';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
 const props = defineProps({
@@ -56,7 +67,9 @@ const loading = ref(false);
 const oldRuntimeID = ref(0);
 const website = ref({
     type: '',
+    openBaseDir: false,
 });
+const openBaseDir = ref(false);
 
 const getRuntimes = async () => {
     try {
@@ -95,6 +108,18 @@ const getWebsiteDetail = async () => {
     versionReq.runtimeID = res.data.runtimeID;
     oldRuntimeID.value = res.data.runtimeID;
     website.value = res.data;
+    openBaseDir.value = res.data.openBaseDir || false;
+};
+
+const operateCrossSite = async () => {
+    try {
+        await operateCrossSiteAccess({
+            websiteID: props.id,
+            operation: openBaseDir.value ? 'Enable' : 'Disable',
+        });
+        MsgSuccess(i18n.global.t('commons.msg.updateSuccess'));
+        getWebsiteDetail();
+    } catch (error) {}
 };
 
 onMounted(() => {

Original file line number	Diff line number	Diff line change
`@@ -289,3 +289,8 @@ type WebsiteProxyDel struct {`
`289`	`289`	ID uint `json:"id" validate:"required"`
`290`	`290`	Name string `json:"name" validate:"required"`
`291`	`291`	`}`
	`292`	`+`
	`293`	`+type CrossSiteAccessOp struct {`
	`294`	+ WebsiteID uint `json:"websiteID" validate:"required"`
	`295`	+ Operation string `json:"operation" validate:"required,oneof=Enable Disable"`
	`296`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ type WebsiteDTO struct {`
`15`	`15`	RuntimeName string `json:"runtimeName"`
`16`	`16`	RuntimeType string `json:"runtimeType"`
`17`	`17`	SiteDir string `json:"siteDir"`
	`18`	+ OpenBaseDir bool `json:"openBaseDir"`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`type WebsiteRes struct {`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,8 @@ type IWebsiteService interface {`
`124`	`124`	`GetWebsiteResource(websiteID uint) ([]response.Resource, error)`
`125`	`125`	`ListDatabases() ([]response.Database, error)`
`126`	`126`	`ChangeDatabase(req request.ChangeDatabase) error`
	`127`	`+`
	`128`	`+ OperateCrossSiteAccess(req request.CrossSiteAccessOp) error`
`127`	`129`	`}`
`128`	`130`
`129`	`131`	`func NewIWebsiteService() IWebsiteService {`
`@@ -428,7 +430,7 @@ func (w WebsiteService) CreateWebsite(create request.WebsiteCreate) (err error)`
`428`	`430`	`return err`
`429`	`431`	`}`
`430`	`432`	`if runtime.Type == constant.RuntimePHP && runtime.Resource == constant.ResourceAppstore {`
`431`		`- createPHPConfig(website)`
	`433`	`+ createOpenBasedirConfig(website)`
`432`	`434`	`}`
`433`	`435`	`}`
`434`	`436`	`tx, ctx := helper.GetTxAndContext()`
`@@ -573,6 +575,9 @@ func (w WebsiteService) GetWebsite(id uint) (response.WebsiteDTO, error) {`
`573`	`575`	`}`
`574`	`576`	`res.RuntimeType = runtime.Type`
`575`	`577`	`res.RuntimeName = runtime.Name`
	`578`	`+ if runtime.Type == constant.RuntimePHP {`
	`579`	`+ res.OpenBaseDir = files.NewFileOp().Stat(path.Join(GetSitePath(website, SiteIndexDir), ".user.ini"))`
	`580`	`+ }`
`576`	`581`	`}`
`577`	`582`	`return res, nil`
`578`	`583`	`}`
`@@ -3278,3 +3283,18 @@ func (w WebsiteService) ChangeDatabase(req request.ChangeDatabase) error {`
`3278`	`3283`	`website.DbType = req.DatabaseType`
`3279`	`3284`	`return websiteRepo.Save(context.Background(), &website)`
`3280`	`3285`	`}`
	`3286`	`+`
	`3287`	`+func (w WebsiteService) OperateCrossSiteAccess(req request.CrossSiteAccessOp) error {`
	`3288`	`+ website, err := websiteRepo.GetFirst(repo.WithByID(req.WebsiteID))`
	`3289`	`+ if err != nil {`
	`3290`	`+ return err`
	`3291`	`+ }`
	`3292`	`+ if req.Operation == constant.StatusEnable {`
	`3293`	`+ createOpenBasedirConfig(&website)`
	`3294`	`+ }`
	`3295`	`+ if req.Operation == constant.StatusDisable {`
	`3296`	`+ fileOp := files.NewFileOp()`
	`3297`	`+ return fileOp.DeleteFile(path.Join(GetSitePath(website, SiteIndexDir), ".user.ini"))`
	`3298`	`+ }`
	`3299`	`+ return nil`
	`3300`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -349,11 +349,11 @@ func createAllWebsitesWAFConfig(websites []model.Website) error {`
`349`	`349`	`return nil`
`350`	`350`	`}`
`351`	`351`
`352`		`-func createPHPConfig(website *model.Website) {`
	`352`	`+func createOpenBasedirConfig(website *model.Website) {`
`353`	`353`	`fileOp := files.NewFileOp()`
`354`	`354`	`userIniPath := path.Join(GetSitePath(*website, SiteIndexDir), ".user.ini")`
`355`	`355`	`_ = fileOp.CreateFile(userIniPath)`
`356`		`- _ = fileOp.SaveFile(userIniPath, fmt.Sprintf("open_basedir=/www/sites/%s/index", website.Alias), 0644)`
	`356`	`+ _ = fileOp.SaveFile(userIniPath, fmt.Sprintf("open_basedir=/www/sites/%s/index:/tmp/", website.Alias), 0644)`
`357`	`357`	`}`
`358`	`358`
`359`	`359`	`func createWafConfig(website *model.Website, domains []model.WebsiteDomain) error {`
Original file line number	Diff line number	Diff line change
`@@ -84,5 +84,7 @@ func (a WebsiteRouter) InitRouter(Router gin.RouterGroup) {`
`84`	`84`	`websiteRouter.GET("/resource/:id", baseApi.GetWebsiteResource)`
`85`	`85`	`websiteRouter.GET("/databases", baseApi.GetWebsiteDatabase)`
`86`	`86`	`websiteRouter.POST("/databases", baseApi.ChangeWebsiteDatabase)`
	`87`	`+`
	`88`	`+ websiteRouter.POST("/crosssite", baseApi.OperateCrossSiteAccess)`
`87`	`89`	`}`
`88`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ export namespace Website {`
`36`	`36`	`appName: string;`
`37`	`37`	`runtimeName: string;`
`38`	`38`	`runtimeType: string;`
	`39`	`+ openBaseDir: boolean;`
`39`	`40`	`}`
`40`	`41`	`export interface WebsiteRes extends CommonModel {`
`41`	`42`	`protocol: string;`
`@@ -646,4 +647,9 @@ export namespace Website {`
`646`	`647`	`databaseID: number;`
`647`	`648`	`databaseType: string;`
`648`	`649`	`}`
	`650`	`+`
	`651`	`+ export interface CrossSiteAccessOp {`
	`652`	`+ websiteID: number;`
	`653`	`+ operation: string;`
	`654`	`+ }`
`649`	`655`	`}`