projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #17770 from civicrm/5.28
[civicrm-core.git] / CRM / Utils / Check / Component / Security.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17 class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
18
19 /**
20 * CMS have a different pattern to their default file path and URL.
21 *
22 * @todo Use Civi::paths instead?
23 */
24 public function getFilePathMarker() {
25 $config = CRM_Core_Config::singleton();
26 switch ($config->userFramework) {
27 case 'Joomla':
28 return '/media/';
29
30 default:
31 return '/files/';
32 }
33 }
34
35 /**
36 * Check if our logfile is directly accessible.
37 *
38 * Per CiviCRM default the logfile sits in a folder which is
39 * web-accessible, and is protected by a default .htaccess
40 * configuration. If server config causes the .htaccess not to
41 * function as intended, there may be information disclosure.
42 *
43 * The debug log may be jam-packed with sensitive data, we don't
44 * want that.
45 *
46 * Being able to be retrieved directly doesn't mean the logfile
47 * is browseable or visible to search engines; it means it can be
48 * requested directly.
49 *
50 * @return array
51 * Array of messages
52 * @see CRM-14091
53 */
54 public function checkLogFileIsNotAccessible() {
55 $messages = [];
56
57 $config = CRM_Core_Config::singleton();
58
59 $log = CRM_Core_Error::createDebugLogger();
60 $log_filename = str_replace('\\', '/', $log->_filename);
61
62 $filePathMarker = $this->getFilePathMarker();
63
64 // Hazard a guess at the URL of the logfile, based on common
65 // CiviCRM layouts.
66 if ($upload_url = explode($filePathMarker, $config->imageUploadURL)) {
67 $url[] = $upload_url[0];
68 if ($log_path = explode($filePathMarker, $log_filename)) {
69 // CRM-17149: check if debug log path includes $filePathMarker
70 if (count($log_path) > 1) {
71 $url[] = $log_path[1];
72 $log_url = implode($filePathMarker, $url);
73 if ($this->fileExists($log_url)) {
74 $docs_url = $this->createDocUrl('the-log-file-should-not-be-accessible');
75 $msg = 'The <a href="%1">CiviCRM debug log</a> should not be downloadable.'
76 . '<br />' .
77 '<a href="%2">Read more about this warning</a>';
78 $messages[] = new CRM_Utils_Check_Message(
79 __FUNCTION__,
80 ts($msg, [1 => $log_url, 2 => $docs_url]),
81 ts('Security Warning'),
82 \Psr\Log\LogLevel::WARNING,
83 'fa-lock'
84 );
85 }
86 }
87 }
88 }
89
90 return $messages;
91 }
92
93 /**
94 * Check if our uploads directory has accessible files.
95 *
96 * We'll test a handful of files randomly. Hazard a guess at the URL
97 * of the uploads dir, based on common CiviCRM layouts. Try and
98 * request the files, and if any are successfully retrieved, warn.
99 *
100 * Being retrievable doesn't mean the files are browseable or visible
101 * to search engines; it only means they can be requested directly.
102 *
103 * @return array
104 * Array of messages
105 * @see CRM-14091
106 *
107 * @todo Test with WordPress, Joomla.
108 */
109 public function checkUploadsAreNotAccessible() {
110 $messages = [];
111
112 $config = CRM_Core_Config::singleton();
113 $privateDirs = [
114 $config->uploadDir,
115 $config->customFileUploadDir,
116 ];
117
118 foreach ($privateDirs as $privateDir) {
119 $heuristicUrl = $this->guessUrl($privateDir);
120 if ($this->isDirAccessible($privateDir, $heuristicUrl)) {
121 $messages[] = new CRM_Utils_Check_Message(
122 __FUNCTION__,
123 ts('Files in the data directory (<a href="%3">%2</a>) should not be downloadable.'
124 . '<br />'
125 . '<a href="%1">Read more about this warning</a>',
126 [
127 1 => $this->createDocUrl('uploads-should-not-be-accessible'),
128 2 => $privateDir,
129 3 => $heuristicUrl,
130 ]),
131 ts('Private Files Readable'),
132 \Psr\Log\LogLevel::WARNING,
133 'fa-lock'
134 );
135 }
136 }
137
138 return $messages;
139 }
140
141 /**
142 * Check if our uploads or ConfigAndLog directories have browseable
143 * listings.
144 *
145 * Retrieve a listing of files from the local filesystem, and the
146 * corresponding path via HTTP. Then check and see if the local
147 * files are represented in the HTTP result; if so then warn. This
148 * MAY trigger false positives (if you have files named 'a', 'e'
149 * we'll probably match that).
150 *
151 * @return array
152 * Array of messages
153 * @see CRM-14091
154 *
155 * @todo Test with WordPress, Joomla.
156 */
157 public function checkDirectoriesAreNotBrowseable() {
158 $messages = [];
159 $config = CRM_Core_Config::singleton();
160 $publicDirs = [
161 $config->imageUploadDir => $config->imageUploadURL,
162 ];
163
164 // Setup index.html files to prevent browsing
165 foreach ($publicDirs as $publicDir => $publicUrl) {
166 CRM_Utils_File::restrictBrowsing($publicDir);
167 }
168
169 // Test that $publicDir is not browsable
170 foreach ($publicDirs as $publicDir => $publicUrl) {
171 if ($this->isBrowsable($publicDir, $publicUrl)) {
172 $msg = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
173 . '<br />' .
174 '<a href="%3">Read more about this warning</a>';
175 $docs_url = $this->createDocUrl('directories-should-not-be-browsable');
176 $messages[] = new CRM_Utils_Check_Message(
177 __FUNCTION__,
178 ts($msg, [1 => $publicDir, 2 => $publicDir, 3 => $docs_url]),
179 ts('Browseable Directories'),
180 \Psr\Log\LogLevel::ERROR,
181 'fa-lock'
182 );
183 }
184 }
185
186 return $messages;
187 }
188
189 /**
190 * Check that some files are not present.
191 *
192 * These files have generally been deleted but Civi source tree but could be
193 * left online if one does a faulty upgrade.
194 *
195 * @return array of messages
196 */
197 public function checkFilesAreNotPresent() {
198 global $civicrm_root;
199
200 $messages = [];
201 $files = [
202 [
203 // CRM-16005, upgraded from Civi <= 4.5.6
204 "{$civicrm_root}/packages/dompdf/dompdf.php",
205 \Psr\Log\LogLevel::CRITICAL,
206 ],
207 [
208 // CRM-16005, Civi >= 4.5.7
209 "{$civicrm_root}/packages/vendor/dompdf/dompdf/dompdf.php",
210 \Psr\Log\LogLevel::CRITICAL,
211 ],
212 [
213 // CRM-16005, Civi >= 4.6.0
214 "{$civicrm_root}/vendor/dompdf/dompdf/dompdf.php",
215 \Psr\Log\LogLevel::CRITICAL,
216 ],
217 [
218 // CIVI-SA-2013-001
219 "{$civicrm_root}/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php",
220 \Psr\Log\LogLevel::CRITICAL,
221 ],
222 [
223 "{$civicrm_root}/packages/html2text/class.html2text.inc",
224 \Psr\Log\LogLevel::CRITICAL,
225 ],
226 ];
227 foreach ($files as $file) {
228 if (file_exists($file[0])) {
229 $messages[] = new CRM_Utils_Check_Message(
230 __FUNCTION__,
231 ts('File \'%1\' presents a security risk and should be deleted.', [1 => $file[0]]),
232 ts('Unsafe Files'),
233 $file[1],
234 'fa-lock'
235 );
236 }
237 }
238 return $messages;
239 }
240
241 /**
242 * Discourage use of remote profile forms.
243 */
244 public function checkRemoteProfile() {
245 $messages = [];
246
247 if (Civi::settings()->get('remote_profile_submissions')) {
248 $messages[] = new CRM_Utils_Check_Message(
249 __FUNCTION__,
250 ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
251 [1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1')]
252 ),
253 ts('Remote Profiles Enabled'),
254 \Psr\Log\LogLevel::WARNING,
255 'fa-lock'
256 );
257 }
258
259 return $messages;
260 }
261
262 /**
263 * Check that the sysadmin has not modified the Cxn
264 * security setup.
265 */
266 public function checkCxnOverrides() {
267 $list = [];
268 if (defined('CIVICRM_CXN_CA') && CIVICRM_CXN_CA !== 'CiviRootCA') {
269 $list[] = 'CIVICRM_CXN_CA';
270 }
271 if (defined('CIVICRM_CXN_APPS_URL') && CIVICRM_CXN_APPS_URL !== \Civi\Cxn\Rpc\Constants::OFFICIAL_APPMETAS_URL) {
272 $list[] = 'CIVICRM_CXN_APPS_URL';
273 }
274
275 $messages = [];
276
277 if (!empty($list)) {
278 $messages[] = new CRM_Utils_Check_Message(
279 __FUNCTION__,
280 ts('The system administrator has disabled security settings (%1). Connections to remote applications are insecure.', [
281 1 => implode(', ', $list),
282 ]),
283 ts('Security Warning'),
284 \Psr\Log\LogLevel::WARNING,
285 'fa-lock'
286 );
287 }
288
289 return $messages;
290 }
291
292 /**
293 * Determine whether $url is a public, browsable listing for $dir
294 *
295 * @param string $dir
296 * Local dir path.
297 * @param string $url
298 * Public URL.
299 * @return bool
300 */
301 public function isBrowsable($dir, $url) {
302 if (empty($dir) || empty($url) || !is_dir($dir)) {
303 return FALSE;
304 }
305
306 $result = FALSE;
307
308 // this could be a new system with no uploads (yet) -- so we'll make a file
309 $file = CRM_Utils_File::createFakeFile($dir);
310
311 if ($file === FALSE) {
312 // Couldn't write the file
313 return FALSE;
314 }
315
316 $content = @file_get_contents("$url");
317 if (stristr($content, $file)) {
318 $result = TRUE;
319 }
320 unlink("$dir/$file");
321
322 return $result;
323 }
324
325 /**
326 * Determine whether $url is a public version of $dir in which files
327 * are remotely accessible.
328 *
329 * @param string $dir
330 * Local dir path.
331 * @param string $url
332 * Public URL.
333 * @return bool
334 */
335 public function isDirAccessible($dir, $url) {
336 $url = rtrim($url, '/');
337 if (empty($dir) || empty($url) || !is_dir($dir)) {
338 return FALSE;
339 }
340
341 $result = FALSE;
342 $file = CRM_Utils_File::createFakeFile($dir, 'delete me');
343
344 if ($file === FALSE) {
345 // Couldn't write the file
346 return FALSE;
347 }
348
349 if ($this->fileExists("$url/$file")) {
350 $content = @file_get_contents("$url/$file");
351 if (preg_match('/delete me/', $content)) {
352 $result = TRUE;
353 }
354 }
355
356 unlink("$dir/$file");
357
358 return $result;
359 }
360
361 /**
362 * @param $topic
363 *
364 * @return string
365 */
366 public function createDocUrl($topic) {
367 return CRM_Utils_System::docURL2('sysadmin/setup/security#' . $topic, TRUE);
368 }
369
370 /**
371 * Make a guess about the URL that corresponds to $targetDir.
372 *
373 * @param string $targetDir
374 * Local path to a directory.
375 * @return string
376 * a guessed URL for $realDir
377 */
378 public function guessUrl($targetDir) {
379 $filePathMarker = $this->getFilePathMarker();
380 $config = CRM_Core_Config::singleton();
381
382 list($heuristicBaseUrl) = explode($filePathMarker, $config->imageUploadURL);
383 list(, $heuristicSuffix) = array_pad(explode($filePathMarker, str_replace('\\', '/', $targetDir)), 2, '');
384 return $heuristicBaseUrl . $filePathMarker . $heuristicSuffix;
385 }
386
387 }