projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 4.5 into master
[civicrm-core.git] / CRM / Utils / Check / Security.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2014
32 * $Id: $
33 *
34 */
35 class CRM_Utils_Check_Security {
36
37 /**
38 * CMS have a different pattern to their default file path and URL.
39 *
40 * @TODO This function might be better shared in CRM_Utils_Check
41 * class, but that class doesn't yet exist.
42 */
43 public function getFilePathMarker() {
44 $config = CRM_Core_Config::singleton();
45 switch ($config->userFramework) {
46 case 'Joomla':
47 return '/media/';
48
49 default:
50 return '/files/';
51 }
52 }
53
54 /**
55 * Run some sanity checks.
56 *
57 * @return array<CRM_Utils_Check_Message>
58 */
59 public function checkAll() {
60 $messages = array_merge(
61 $this->checkLogFileIsNotAccessible(),
62 $this->checkUploadsAreNotAccessible(),
63 $this->checkDirectoriesAreNotBrowseable()
64 );
65 return $messages;
66 }
67
68 /**
69 * Check if our logfile is directly accessible.
70 *
71 * Per CiviCRM default the logfile sits in a folder which is
72 * web-accessible, and is protected by a default .htaccess
73 * configuration. If server config causes the .htaccess not to
74 * function as intended, there may be information disclosure.
75 *
76 * The debug log may be jam-packed with sensitive data, we don't
77 * want that.
78 *
79 * Being able to be retrieved directly doesn't mean the logfile
80 * is browseable or visible to search engines; it means it can be
81 * requested directly.
82 *
83 * @return array
84 * Array of messages
85 * @see CRM-14091
86 */
87 public function checkLogFileIsNotAccessible() {
88 $messages = array();
89
90 $config = CRM_Core_Config::singleton();
91
92 $log = CRM_Core_Error::createDebugLogger();
93 $log_filename = str_replace('\\', '/', $log->_filename);
94
95 $filePathMarker = $this->getFilePathMarker();
96
97 // Hazard a guess at the URL of the logfile, based on common
98 // CiviCRM layouts.
99 if ($upload_url = explode($filePathMarker, $config->imageUploadURL)) {
100 $url[] = $upload_url[0];
101 if ($log_path = explode($filePathMarker, $log_filename)) {
102 $url[] = $log_path[1];
103 $log_url = implode($filePathMarker, $url);
104 $headers = @get_headers($log_url);
105 if (stripos($headers[0], '200')) {
106 $docs_url = $this->createDocUrl('checkLogFileIsNotAccessible');
107 $msg = 'The <a href="%1">CiviCRM debug log</a> should not be downloadable.'
108 . '<br />' .
109 '<a href="%2">Read more about this warning</a>';
110 $messages[] = new CRM_Utils_Check_Message(
111 'checkLogFileIsNotAccessible',
112 ts($msg, array(1 => $log_url, 2 => $docs_url)),
113 ts('Security Warning')
114 );
115 }
116 }
117 }
118
119 return $messages;
120 }
121
122 /**
123 * Check if our uploads directory has accessible files.
124 *
125 * We'll test a handful of files randomly. Hazard a guess at the URL
126 * of the uploads dir, based on common CiviCRM layouts. Try and
127 * request the files, and if any are successfully retrieved, warn.
128 *
129 * Being retrievable doesn't mean the files are browseable or visible
130 * to search engines; it only means they can be requested directly.
131 *
132 * @return array
133 * Array of messages
134 * @see CRM-14091
135 *
136 * @TODO: Test with WordPress, Joomla.
137 */
138 public function checkUploadsAreNotAccessible() {
139 $messages = array();
140
141 $config = CRM_Core_Config::singleton();
142 $privateDirs = array(
143 $config->uploadDir,
144 $config->customFileUploadDir,
145 );
146
147 foreach ($privateDirs as $privateDir) {
148 $heuristicUrl = $this->guessUrl($privateDir);
149 if ($this->isDirAccessible($privateDir, $heuristicUrl)) {
150 $messages[] = new CRM_Utils_Check_Message(
151 'checkUploadsAreNotAccessible',
152 ts('Files in the data directory (<a href="%3">%2</a>) should not be downloadable.'
153 . '<br />'
154 . '<a href="%1">Read more about this warning</a>',
155 array(
156 1 => $this->createDocUrl('checkUploadsAreNotAccessible'),
157 2 => $privateDir,
158 3 => $heuristicUrl,
159 )),
160 ts('Security Warning')
161 );
162 }
163 }
164
165 return $messages;
166 }
167
168 /**
169 * Check if our uploads or ConfigAndLog directories have browseable
170 * listings.
171 *
172 * Retrieve a listing of files from the local filesystem, and the
173 * corresponding path via HTTP. Then check and see if the local
174 * files are represented in the HTTP result; if so then warn. This
175 * MAY trigger false positives (if you have files named 'a', 'e'
176 * we'll probably match that).
177 *
178 * @return array
179 * Array of messages
180 * @see CRM-14091
181 *
182 * @TODO: Test with WordPress, Joomla.
183 */
184 public function checkDirectoriesAreNotBrowseable() {
185 $messages = array();
186 $config = CRM_Core_Config::singleton();
187 $publicDirs = array(
188 $config->imageUploadDir => $config->imageUploadURL,
189 );
190
191 // Setup index.html files to prevent browsing
192 foreach ($publicDirs as $publicDir => $publicUrl) {
193 CRM_Utils_File::restrictBrowsing($publicDir);
194 }
195
196 // Test that $publicDir is not browsable
197 foreach ($publicDirs as $publicDir => $publicUrl) {
198 if ($this->isBrowsable($publicDir, $publicUrl)) {
199 $msg = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
200 . '<br />' .
201 '<a href="%3">Read more about this warning</a>';
202 $docs_url = $this->createDocUrl('checkDirectoriesAreNotBrowseable');
203 $messages[] = new CRM_Utils_Check_Message(
204 'checkDirectoriesAreNotBrowseable',
205 ts($msg, array(1 => $publicDir, 2 => $publicDir, 3 => $docs_url)),
206 ts('Security Warning')
207 );
208 }
209 }
210
211 return $messages;
212 }
213
214 /**
215 * Determine whether $url is a public, browsable listing for $dir
216 *
217 * @param string $dir
218 * Local dir path.
219 * @param string $url
220 * Public URL.
221 * @return bool
222 */
223 public function isBrowsable($dir, $url) {
224 if (empty($dir) || empty($url) || !is_dir($dir)) {
225 return FALSE;
226 }
227
228 $result = FALSE;
229 $file = 'delete-this-' . CRM_Utils_String::createRandom(10, CRM_Utils_String::ALPHANUMERIC);
230
231 // this could be a new system with no uploads (yet) -- so we'll make a file
232 file_put_contents("$dir/$file", "delete me");
233 $content = @file_get_contents("$url");
234 if (stristr($content, $file)) {
235 $result = TRUE;
236 }
237 unlink("$dir/$file");
238
239 return $result;
240 }
241
242 /**
243 * Determine whether $url is a public version of $dir in which files
244 * are remotely accessible.
245 *
246 * @param string $dir
247 * Local dir path.
248 * @param string $url
249 * Public URL.
250 * @return bool
251 */
252 public function isDirAccessible($dir, $url) {
253 $dir = rtrim($dir, '/');
254 $url = rtrim($url, '/');
255 if (empty($dir) || empty($url) || !is_dir($dir)) {
256 return FALSE;
257 }
258
259 $result = FALSE;
260 $file = 'delete-this-' . CRM_Utils_String::createRandom(10, CRM_Utils_String::ALPHANUMERIC);
261
262 // this could be a new system with no uploads (yet) -- so we'll make a file
263 file_put_contents("$dir/$file", "delete me");
264
265 $headers = @get_headers("$url/$file");
266 if (stripos($headers[0], '200')) {
267 $content = @file_get_contents("$url/$file");
268 if (preg_match('/delete me/', $content)) {
269 $result = TRUE;
270 }
271 }
272
273 unlink("$dir/$file");
274
275 return $result;
276 }
277
278 /**
279 * @param $topic
280 *
281 * @return string
282 */
283 public function createDocUrl($topic) {
284 return CRM_Utils_System::getWikiBaseURL() . $topic;
285 }
286
287 /**
288 * Make a guess about the URL that corresponds to $targetDir.
289 *
290 * @param string $targetDir
291 * Local path to a directory.
292 * @return string
293 * a guessed URL for $realDir
294 */
295 public function guessUrl($targetDir) {
296 $filePathMarker = $this->getFilePathMarker();
297 $config = CRM_Core_Config::singleton();
298
299 list ($heuristicBaseUrl, $ignore) = explode($filePathMarker, $config->imageUploadURL);
300 list ($ignore, $heuristicSuffix) = explode($filePathMarker, str_replace('\\', '/', $targetDir));
301 return $heuristicBaseUrl . $filePathMarker . $heuristicSuffix;
302 }
303
304 }