CRM/Utils/Check/Component/Security.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  *
  14  * @package CRM
  15  * @copyright CiviCRM LLC https://civicrm.org/licensing
  16  */
  17 class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
  18
  19   /**
  20    * CMS have a different pattern to their default file path and URL.
  21    *
  22    * @todo Use Civi::paths instead?
  23    * @return string
  24    */
  25   public function getFilePathMarker() {
  26     $config = CRM_Core_Config::singleton();
  27     switch ($config->userFramework) {
  28       case 'Joomla':
  29         return '/media/';
  30
  31       default:
  32         return '/files/';
  33     }
  34   }
  35
  36   /**
  37    * Check if our logfile is directly accessible.
  38    *
  39    * Per CiviCRM default the logfile sits in a folder which is
  40    * web-accessible, and is protected by a default .htaccess
  41    * configuration. If server config causes the .htaccess not to
  42    * function as intended, there may be information disclosure.
  43    *
  44    * The debug log may be jam-packed with sensitive data, we don't
  45    * want that.
  46    *
  47    * Being able to be retrieved directly doesn't mean the logfile
  48    * is browseable or visible to search engines; it means it can be
  49    * requested directly.
  50    *
  51    * @return CRM_Utils_Check_Message[]
  52    * @see CRM-14091
  53    */
  54   public function checkLogFileIsNotAccessible() {
  55     $messages = [];
  56
  57     $config = CRM_Core_Config::singleton();
  58
  59     $log = CRM_Core_Error::createDebugLogger();
  60     $log_filename = str_replace('\\', '/', $log->_filename);
  61
  62     $filePathMarker = $this->getFilePathMarker();
  63
  64     // Hazard a guess at the URL of the logfile, based on common
  65     // CiviCRM layouts.
  66     if ($upload_url = explode($filePathMarker, $config->imageUploadURL)) {
  67       $url[] = $upload_url[0];
  68       if ($log_path = explode($filePathMarker, $log_filename)) {
  69         // CRM-17149: check if debug log path includes $filePathMarker
  70         if (count($log_path) > 1) {
  71           $url[] = $log_path[1];
  72           $log_url = implode($filePathMarker, $url);
  73           if ($this->fileExists($log_url)) {
  74             $docs_url = $this->createDocUrl('the-log-file-should-not-be-accessible');
  75             $msg = 'The <a href="%1">CiviCRM debug log</a> should not be downloadable.'
  76               . '<br />' .
  77               '<a href="%2">Read more about this warning</a>';
  78             $messages[] = new CRM_Utils_Check_Message(
  79               __FUNCTION__,
  80               ts($msg, [1 => $log_url, 2 => $docs_url]),
  81               ts('Security Warning'),
  82               \Psr\Log\LogLevel::WARNING,
  83               'fa-lock'
  84             );
  85           }
  86         }
  87       }
  88     }
  89
  90     return $messages;
  91   }
  92
  93   /**
  94    * Check if our uploads directory has accessible files.
  95    *
  96    * We'll test a handful of files randomly. Hazard a guess at the URL
  97    * of the uploads dir, based on common CiviCRM layouts. Try and
  98    * request the files, and if any are successfully retrieved, warn.
  99    *
 100    * Being retrievable doesn't mean the files are browseable or visible
 101    * to search engines; it only means they can be requested directly.
 102    *
 103    * @return CRM_Utils_Check_Message[]
 104    * @see CRM-14091
 105    *
 106    * @todo Test with WordPress, Joomla.
 107    */
 108   public function checkUploadsAreNotAccessible() {
 109     $messages = [];
 110
 111     $config = CRM_Core_Config::singleton();
 112     $privateDirs = [
 113       $config->uploadDir,
 114       $config->customFileUploadDir,
 115     ];
 116
 117     foreach ($privateDirs as $privateDir) {
 118       $heuristicUrl = $this->guessUrl($privateDir);
 119       if ($this->isDirAccessible($privateDir, $heuristicUrl)) {
 120         $messages[] = new CRM_Utils_Check_Message(
 121           __FUNCTION__,
 122           ts('Files in the data directory (<a href="%3">%2</a>) should not be downloadable.'
 123             . '<br />'
 124             . '<a href="%1">Read more about this warning</a>',
 125             [
 126               1 => $this->createDocUrl('uploads-should-not-be-accessible'),
 127               2 => $privateDir,
 128               3 => $heuristicUrl,
 129             ]),
 130             ts('Private Files Readable'),
 131             \Psr\Log\LogLevel::WARNING,
 132             'fa-lock'
 133         );
 134       }
 135     }
 136
 137     return $messages;
 138   }
 139
 140   /**
 141    * Check if our uploads or ConfigAndLog directories have browseable
 142    * listings.
 143    *
 144    * Retrieve a listing of files from the local filesystem, and the
 145    * corresponding path via HTTP. Then check and see if the local
 146    * files are represented in the HTTP result; if so then warn. This
 147    * MAY trigger false positives (if you have files named 'a', 'e'
 148    * we'll probably match that).
 149    *
 150    * @return CRM_Utils_Check_Message[]
 151    * @see CRM-14091
 152    *
 153    * @todo Test with WordPress, Joomla.
 154    */
 155   public function checkDirectoriesAreNotBrowseable() {
 156     $messages = [];
 157     $config = CRM_Core_Config::singleton();
 158     $publicDirs = [
 159       $config->imageUploadDir => $config->imageUploadURL,
 160     ];
 161
 162     // Setup index.html files to prevent browsing
 163     foreach ($publicDirs as $publicDir => $publicUrl) {
 164       CRM_Utils_File::restrictBrowsing($publicDir);
 165     }
 166
 167     // Test that $publicDir is not browsable
 168     foreach ($publicDirs as $publicDir => $publicUrl) {
 169       if ($this->isBrowsable($publicDir, $publicUrl)) {
 170         $msg = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
 171           . '<br />' .
 172           '<a href="%3">Read more about this warning</a>';
 173         $docs_url = $this->createDocUrl('directories-should-not-be-browsable');
 174         $messages[] = new CRM_Utils_Check_Message(
 175           __FUNCTION__,
 176           ts($msg, [1 => $publicDir, 2 => $publicDir, 3 => $docs_url]),
 177           ts('Browseable Directories'),
 178           \Psr\Log\LogLevel::ERROR,
 179           'fa-lock'
 180         );
 181       }
 182     }
 183
 184     return $messages;
 185   }
 186
 187   /**
 188    * Check that some files are not present.
 189    *
 190    * These files have generally been deleted but Civi source tree but could be
 191    * left online if one does a faulty upgrade.
 192    *
 193    * @return CRM_Utils_Check_Message[]
 194    */
 195   public function checkFilesAreNotPresent() {
 196     $packages_path = rtrim(\Civi::paths()->getPath('[civicrm.packages]/'), '/' . DIRECTORY_SEPARATOR);
 197     $vendor_path = rtrim(\Civi::paths()->getPath('[civicrm.vendor]/'), '/' . DIRECTORY_SEPARATOR);
 198
 199     $messages = [];
 200     $files = [
 201       [
 202         // CRM-16005, upgraded from Civi <= 4.5.6
 203         "{$packages_path}/dompdf/dompdf.php",
 204         \Psr\Log\LogLevel::CRITICAL,
 205       ],
 206       [
 207         // CRM-16005, Civi >= 4.5.7
 208         "{$packages_path}/vendor/dompdf/dompdf/dompdf.php",
 209         \Psr\Log\LogLevel::CRITICAL,
 210       ],
 211       [
 212         // CRM-16005, Civi >= 4.6.0
 213         "{$vendor_path}/dompdf/dompdf/dompdf.php",
 214         \Psr\Log\LogLevel::CRITICAL,
 215       ],
 216       [
 217         // CIVI-SA-2013-001
 218         "{$packages_path}/OpenFlashChart/php-ofc-library/ofc_upload_image.php",
 219         \Psr\Log\LogLevel::CRITICAL,
 220       ],
 221       [
 222         "{$packages_path}/html2text/class.html2text.inc",
 223         \Psr\Log\LogLevel::CRITICAL,
 224       ],
 225     ];
 226     foreach ($files as $file) {
 227       if (file_exists($file[0])) {
 228         $messages[] = new CRM_Utils_Check_Message(
 229           __FUNCTION__,
 230           ts('File \'%1\' presents a security risk and should be deleted.', [1 => $file[0]]),
 231           ts('Unsafe Files'),
 232           $file[1],
 233           'fa-lock'
 234         );
 235       }
 236     }
 237     return $messages;
 238   }
 239
 240   /**
 241    * Discourage use of remote profile forms.
 242    * @return CRM_Utils_Check_Message[]
 243    */
 244   public function checkRemoteProfile() {
 245     $messages = [];
 246
 247     if (Civi::settings()->get('remote_profile_submissions')) {
 248       $messages[] = new CRM_Utils_Check_Message(
 249         __FUNCTION__,
 250         ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
 251           [1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1')]
 252         ),
 253         ts('Remote Profiles Enabled'),
 254         \Psr\Log\LogLevel::WARNING,
 255         'fa-lock'
 256       );
 257     }
 258
 259     return $messages;
 260   }
 261
 262   /**
 263    * Check that the sysadmin has not modified the Cxn security setup.
 264    * @return CRM_Utils_Check_Message[]
 265    */
 266   public function checkCxnOverrides() {
 267     $list = [];
 268     if (defined('CIVICRM_CXN_CA') && CIVICRM_CXN_CA !== 'CiviRootCA') {
 269       $list[] = 'CIVICRM_CXN_CA';
 270     }
 271     if (defined('CIVICRM_CXN_APPS_URL') && CIVICRM_CXN_APPS_URL !== \Civi\Cxn\Rpc\Constants::OFFICIAL_APPMETAS_URL) {
 272       $list[] = 'CIVICRM_CXN_APPS_URL';
 273     }
 274
 275     $messages = [];
 276
 277     if (!empty($list)) {
 278       $messages[] = new CRM_Utils_Check_Message(
 279         __FUNCTION__,
 280         ts('The system administrator has disabled security settings (%1). Connections to remote applications are insecure.', [
 281           1 => implode(', ', $list),
 282         ]),
 283         ts('Security Warning'),
 284         \Psr\Log\LogLevel::WARNING,
 285         'fa-lock'
 286       );
 287     }
 288
 289     return $messages;
 290   }
 291
 292   /**
 293    * Determine whether $url is a public, browsable listing for $dir
 294    *
 295    * @param string $dir
 296    *   Local dir path.
 297    * @param string $url
 298    *   Public URL.
 299    * @return bool
 300    */
 301   public function isBrowsable($dir, $url) {
 302     if (empty($dir) || empty($url) || !is_dir($dir)) {
 303       return FALSE;
 304     }
 305
 306     $result = FALSE;
 307
 308     // this could be a new system with no uploads (yet) -- so we'll make a file
 309     $file = CRM_Utils_File::createFakeFile($dir);
 310
 311     if ($file === FALSE) {
 312       // Couldn't write the file
 313       return FALSE;
 314     }
 315
 316     $content = @file_get_contents("$url");
 317     if (stristr($content, $file)) {
 318       $result = TRUE;
 319     }
 320     unlink("$dir/$file");
 321
 322     return $result;
 323   }
 324
 325   /**
 326    * Determine whether $url is a public version of $dir in which files
 327    * are remotely accessible.
 328    *
 329    * @param string $dir
 330    *   Local dir path.
 331    * @param string $url
 332    *   Public URL.
 333    * @return bool
 334    */
 335   public function isDirAccessible($dir, $url) {
 336     $url = rtrim($url, '/');
 337     if (empty($dir) || empty($url) || !is_dir($dir)) {
 338       return FALSE;
 339     }
 340
 341     $result = FALSE;
 342     $file = CRM_Utils_File::createFakeFile($dir, 'delete me');
 343
 344     if ($file === FALSE) {
 345       // Couldn't write the file
 346       return FALSE;
 347     }
 348
 349     if ($this->fileExists("$url/$file")) {
 350       $content = @file_get_contents("$url/$file");
 351       if (preg_match('/delete me/', $content)) {
 352         $result = TRUE;
 353       }
 354     }
 355
 356     unlink("$dir/$file");
 357
 358     return $result;
 359   }
 360
 361   /**
 362    * @param $topic
 363    *
 364    * @return string
 365    */
 366   public function createDocUrl($topic) {
 367     return CRM_Utils_System::docURL2('sysadmin/setup/security#' . $topic, TRUE);
 368   }
 369
 370   /**
 371    * Make a guess about the URL that corresponds to $targetDir.
 372    *
 373    * @param string $targetDir
 374    *   Local path to a directory.
 375    * @return string
 376    *   a guessed URL for $realDir
 377    */
 378   public function guessUrl($targetDir) {
 379     $filePathMarker = $this->getFilePathMarker();
 380     $config = CRM_Core_Config::singleton();
 381
 382     list($heuristicBaseUrl) = explode($filePathMarker, $config->imageUploadURL);
 383     list(, $heuristicSuffix) = array_pad(explode($filePathMarker, str_replace('\\', '/', $targetDir)), 2, '');
 384     return $heuristicBaseUrl . $filePathMarker . $heuristicSuffix;
 385   }
 386
 387 }