projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #15248 from MegaphoneJon/reporting-19
[civicrm-core.git] / CRM / Utils / Check / Component / Security.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2020 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2020
32 */
33 class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
34
35 /**
36 * CMS have a different pattern to their default file path and URL.
37 *
38 * @todo Use Civi::paths instead?
39 */
40 public function getFilePathMarker() {
41 $config = CRM_Core_Config::singleton();
42 switch ($config->userFramework) {
43 case 'Joomla':
44 return '/media/';
45
46 default:
47 return '/files/';
48 }
49 }
50
51 /**
52 * Check if our logfile is directly accessible.
53 *
54 * Per CiviCRM default the logfile sits in a folder which is
55 * web-accessible, and is protected by a default .htaccess
56 * configuration. If server config causes the .htaccess not to
57 * function as intended, there may be information disclosure.
58 *
59 * The debug log may be jam-packed with sensitive data, we don't
60 * want that.
61 *
62 * Being able to be retrieved directly doesn't mean the logfile
63 * is browseable or visible to search engines; it means it can be
64 * requested directly.
65 *
66 * @return array
67 * Array of messages
68 * @see CRM-14091
69 */
70 public function checkLogFileIsNotAccessible() {
71 $messages = [];
72
73 $config = CRM_Core_Config::singleton();
74
75 $log = CRM_Core_Error::createDebugLogger();
76 $log_filename = str_replace('\\', '/', $log->_filename);
77
78 $filePathMarker = $this->getFilePathMarker();
79
80 // Hazard a guess at the URL of the logfile, based on common
81 // CiviCRM layouts.
82 if ($upload_url = explode($filePathMarker, $config->imageUploadURL)) {
83 $url[] = $upload_url[0];
84 if ($log_path = explode($filePathMarker, $log_filename)) {
85 // CRM-17149: check if debug log path includes $filePathMarker
86 if (count($log_path) > 1) {
87 $url[] = $log_path[1];
88 $log_url = implode($filePathMarker, $url);
89 if ($this->fileExists($log_url)) {
90 $docs_url = $this->createDocUrl('checkLogFileIsNotAccessible');
91 $msg = 'The <a href="%1">CiviCRM debug log</a> should not be downloadable.'
92 . '<br />' .
93 '<a href="%2">Read more about this warning</a>';
94 $messages[] = new CRM_Utils_Check_Message(
95 __FUNCTION__,
96 ts($msg, [1 => $log_url, 2 => $docs_url]),
97 ts('Security Warning'),
98 \Psr\Log\LogLevel::WARNING,
99 'fa-lock'
100 );
101 }
102 }
103 }
104 }
105
106 return $messages;
107 }
108
109 /**
110 * Check if our uploads directory has accessible files.
111 *
112 * We'll test a handful of files randomly. Hazard a guess at the URL
113 * of the uploads dir, based on common CiviCRM layouts. Try and
114 * request the files, and if any are successfully retrieved, warn.
115 *
116 * Being retrievable doesn't mean the files are browseable or visible
117 * to search engines; it only means they can be requested directly.
118 *
119 * @return array
120 * Array of messages
121 * @see CRM-14091
122 *
123 * @todo Test with WordPress, Joomla.
124 */
125 public function checkUploadsAreNotAccessible() {
126 $messages = [];
127
128 $config = CRM_Core_Config::singleton();
129 $privateDirs = [
130 $config->uploadDir,
131 $config->customFileUploadDir,
132 ];
133
134 foreach ($privateDirs as $privateDir) {
135 $heuristicUrl = $this->guessUrl($privateDir);
136 if ($this->isDirAccessible($privateDir, $heuristicUrl)) {
137 $messages[] = new CRM_Utils_Check_Message(
138 __FUNCTION__,
139 ts('Files in the data directory (<a href="%3">%2</a>) should not be downloadable.'
140 . '<br />'
141 . '<a href="%1">Read more about this warning</a>',
142 [
143 1 => $this->createDocUrl('checkUploadsAreNotAccessible'),
144 2 => $privateDir,
145 3 => $heuristicUrl,
146 ]),
147 ts('Private Files Readable'),
148 \Psr\Log\LogLevel::WARNING,
149 'fa-lock'
150 );
151 }
152 }
153
154 return $messages;
155 }
156
157 /**
158 * Check if our uploads or ConfigAndLog directories have browseable
159 * listings.
160 *
161 * Retrieve a listing of files from the local filesystem, and the
162 * corresponding path via HTTP. Then check and see if the local
163 * files are represented in the HTTP result; if so then warn. This
164 * MAY trigger false positives (if you have files named 'a', 'e'
165 * we'll probably match that).
166 *
167 * @return array
168 * Array of messages
169 * @see CRM-14091
170 *
171 * @todo Test with WordPress, Joomla.
172 */
173 public function checkDirectoriesAreNotBrowseable() {
174 $messages = [];
175 $config = CRM_Core_Config::singleton();
176 $publicDirs = [
177 $config->imageUploadDir => $config->imageUploadURL,
178 ];
179
180 // Setup index.html files to prevent browsing
181 foreach ($publicDirs as $publicDir => $publicUrl) {
182 CRM_Utils_File::restrictBrowsing($publicDir);
183 }
184
185 // Test that $publicDir is not browsable
186 foreach ($publicDirs as $publicDir => $publicUrl) {
187 if ($this->isBrowsable($publicDir, $publicUrl)) {
188 $msg = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
189 . '<br />' .
190 '<a href="%3">Read more about this warning</a>';
191 $docs_url = $this->createDocUrl('checkDirectoriesAreNotBrowseable');
192 $messages[] = new CRM_Utils_Check_Message(
193 __FUNCTION__,
194 ts($msg, [1 => $publicDir, 2 => $publicDir, 3 => $docs_url]),
195 ts('Browseable Directories'),
196 \Psr\Log\LogLevel::ERROR,
197 'fa-lock'
198 );
199 }
200 }
201
202 return $messages;
203 }
204
205 /**
206 * Check that some files are not present.
207 *
208 * These files have generally been deleted but Civi source tree but could be
209 * left online if one does a faulty upgrade.
210 *
211 * @return array of messages
212 */
213 public function checkFilesAreNotPresent() {
214 global $civicrm_root;
215
216 $messages = [];
217 $files = [
218 [
219 // CRM-16005, upgraded from Civi <= 4.5.6
220 "{$civicrm_root}/packages/dompdf/dompdf.php",
221 \Psr\Log\LogLevel::CRITICAL,
222 ],
223 [
224 // CRM-16005, Civi >= 4.5.7
225 "{$civicrm_root}/packages/vendor/dompdf/dompdf/dompdf.php",
226 \Psr\Log\LogLevel::CRITICAL,
227 ],
228 [
229 // CRM-16005, Civi >= 4.6.0
230 "{$civicrm_root}/vendor/dompdf/dompdf/dompdf.php",
231 \Psr\Log\LogLevel::CRITICAL,
232 ],
233 [
234 // CIVI-SA-2013-001
235 "{$civicrm_root}/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php",
236 \Psr\Log\LogLevel::CRITICAL,
237 ],
238 [
239 "{$civicrm_root}/packages/html2text/class.html2text.inc",
240 \Psr\Log\LogLevel::CRITICAL,
241 ],
242 ];
243 foreach ($files as $file) {
244 if (file_exists($file[0])) {
245 $messages[] = new CRM_Utils_Check_Message(
246 __FUNCTION__,
247 ts('File \'%1\' presents a security risk and should be deleted.', [1 => $file[0]]),
248 ts('Unsafe Files'),
249 $file[1],
250 'fa-lock'
251 );
252 }
253 }
254 return $messages;
255 }
256
257 /**
258 * Discourage use of remote profile forms.
259 */
260 public function checkRemoteProfile() {
261 $messages = [];
262
263 if (Civi::settings()->get('remote_profile_submissions')) {
264 $messages[] = new CRM_Utils_Check_Message(
265 __FUNCTION__,
266 ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
267 [1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1')]
268 ),
269 ts('Remote Profiles Enabled'),
270 \Psr\Log\LogLevel::WARNING,
271 'fa-lock'
272 );
273 }
274
275 return $messages;
276 }
277
278 /**
279 * Check that the sysadmin has not modified the Cxn
280 * security setup.
281 */
282 public function checkCxnOverrides() {
283 $list = [];
284 if (defined('CIVICRM_CXN_CA') && CIVICRM_CXN_CA !== 'CiviRootCA') {
285 $list[] = 'CIVICRM_CXN_CA';
286 }
287 if (defined('CIVICRM_CXN_APPS_URL') && CIVICRM_CXN_APPS_URL !== \Civi\Cxn\Rpc\Constants::OFFICIAL_APPMETAS_URL) {
288 $list[] = 'CIVICRM_CXN_APPS_URL';
289 }
290
291 $messages = [];
292
293 if (!empty($list)) {
294 $messages[] = new CRM_Utils_Check_Message(
295 __FUNCTION__,
296 ts('The system administrator has disabled security settings (%1). Connections to remote applications are insecure.', [
297 1 => implode(', ', $list),
298 ]),
299 ts('Security Warning'),
300 \Psr\Log\LogLevel::WARNING,
301 'fa-lock'
302 );
303 }
304
305 return $messages;
306 }
307
308 /**
309 * Determine whether $url is a public, browsable listing for $dir
310 *
311 * @param string $dir
312 * Local dir path.
313 * @param string $url
314 * Public URL.
315 * @return bool
316 */
317 public function isBrowsable($dir, $url) {
318 if (empty($dir) || empty($url) || !is_dir($dir)) {
319 return FALSE;
320 }
321
322 $result = FALSE;
323
324 // this could be a new system with no uploads (yet) -- so we'll make a file
325 $file = CRM_Utils_File::createFakeFile($dir);
326
327 if ($file === FALSE) {
328 // Couldn't write the file
329 return FALSE;
330 }
331
332 $content = @file_get_contents("$url");
333 if (stristr($content, $file)) {
334 $result = TRUE;
335 }
336 unlink("$dir/$file");
337
338 return $result;
339 }
340
341 /**
342 * Determine whether $url is a public version of $dir in which files
343 * are remotely accessible.
344 *
345 * @param string $dir
346 * Local dir path.
347 * @param string $url
348 * Public URL.
349 * @return bool
350 */
351 public function isDirAccessible($dir, $url) {
352 $url = rtrim($url, '/');
353 if (empty($dir) || empty($url) || !is_dir($dir)) {
354 return FALSE;
355 }
356
357 $result = FALSE;
358 $file = CRM_Utils_File::createFakeFile($dir, 'delete me');
359
360 if ($file === FALSE) {
361 // Couldn't write the file
362 return FALSE;
363 }
364
365 if ($this->fileExists("$url/$file")) {
366 $content = @file_get_contents("$url/$file");
367 if (preg_match('/delete me/', $content)) {
368 $result = TRUE;
369 }
370 }
371
372 unlink("$dir/$file");
373
374 return $result;
375 }
376
377 /**
378 * @param $topic
379 *
380 * @return string
381 */
382 public function createDocUrl($topic) {
383 return CRM_Utils_System::getWikiBaseURL() . $topic;
384 }
385
386 /**
387 * Make a guess about the URL that corresponds to $targetDir.
388 *
389 * @param string $targetDir
390 * Local path to a directory.
391 * @return string
392 * a guessed URL for $realDir
393 */
394 public function guessUrl($targetDir) {
395 $filePathMarker = $this->getFilePathMarker();
396 $config = CRM_Core_Config::singleton();
397
398 list($heuristicBaseUrl) = explode($filePathMarker, $config->imageUploadURL);
399 list(, $heuristicSuffix) = array_pad(explode($filePathMarker, str_replace('\\', '/', $targetDir)), 2, '');
400 return $heuristicBaseUrl . $filePathMarker . $heuristicSuffix;
401 }
402
403 }