fix: improved checks on path during update

Author: thorsten

phpmyfaq/.htaccess

@@ -163,7 +163,7 @@ DirectoryIndex index.php
     # Setup and update pages
     RewriteCond %{REQUEST_URI} ^(.*/)setup/
     RewriteRule ^(.*/)?setup/(.*) $1setup/index.php [L,QSA]
-    RewriteRule ^update$ update/index.php [L,QSA]
+    RewriteRule ^update$ update/ [R=301,L]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteRule ^update/(.*) update/index.php [L,QSA]
     # Administration API

phpmyfaq/assets/src/configuration/update.ts

@@ -13,6 +13,26 @@
  * @since     2023-10-22
  */
 
+const getBasePath = (): string => {
+  const path = window.location.pathname;
+  let basePath: string;
+  if (path.endsWith('/update/index.php')) {
+    basePath = path.slice(0, -'/update/index.php'.length);
+  } else if (path.endsWith('/update/')) {
+    basePath = path.slice(0, -'/update/'.length);
+  } else if (path.endsWith('/update')) {
+    basePath = path.slice(0, -'/update'.length);
+  } else {
+    basePath = path;
+  }
+
+  if (!basePath.endsWith('/')) {
+    basePath += '/';
+  }
+
+  return basePath;
+};
+
 export const handleUpdateNextStepButton = (): void => {
   const nextStepButton = document.getElementById('phpmyfaq-update-next-step-button') as HTMLButtonElement | null;
   const nextStep = document.getElementById('phpmyfaq-update-next-step') as HTMLInputElement | null;
@@ -36,8 +56,10 @@ export const handleUpdateInformation = async (): Promise<void> => {
 
     if (!installedVersion) return;
 
+    const basePath = getBasePath();
+
     try {
-      const response = await fetch('../api/setup/check', {
+      const response = await fetch(`${basePath}api/setup/check`, {
         method: 'POST',
         headers: {
           Accept: 'application/json, text/plain, */*',
@@ -102,8 +124,10 @@ export const handleConfigBackup = async (): Promise<void> => {
 
     if (!installedVersion) return;
 
+    const basePath = getBasePath();
+
     try {
-      const response = await fetch('../api/setup/backup', {
+      const response = await fetch(`${basePath}api/setup/backup`, {
         method: 'POST',
         headers: {
           Accept: 'application/json, text/plain, */*',
@@ -131,8 +155,10 @@ export const handleDatabaseUpdate = async (): Promise<void> => {
 
     if (!installedVersion) return;
 
+    const basePath = getBasePath();
+
     try {
-      const response = await fetch('../api/setup/update-database', {
+      const response = await fetch(`${basePath}api/setup/update-database`, {
         method: 'POST',
         headers: {
           Accept: 'application/json, text/plain, */*',

phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php

@@ -31,6 +31,15 @@
 
 final class SetupController extends AbstractController
 {
+    /**
+     * Setup endpoints must be accessible without authentication,
+     * so we override the security check from AbstractController.
+     */
+    protected function isSecured(): void
+    {
+        // No-op: setup/update API endpoints do not require login
+    }
+
     public function check(Request $request): JsonResponse
     {
         if (trim($request->getContent()) === '') {