projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #6909 from colemanw/CRM-12527
[civicrm-core.git] / CRM / Utils / Check / Security.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2015 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2015
32 */
33 class CRM_Utils_Check_Security {
34
35 /**
36 * CMS have a different pattern to their default file path and URL.
37 *
38 * @todo This function might be better shared in CRM_Utils_Check
39 * class, but that class doesn't yet exist.
40 */
41 public function getFilePathMarker() {
42 $config = CRM_Core_Config::singleton();
43 switch ($config->userFramework) {
44 case 'Joomla':
45 return '/media/';
46
47 default:
48 return '/files/';
49 }
50 }
51
52 /**
53 * Run some sanity checks.
54 *
55 * @return array<CRM_Utils_Check_Message>
56 */
57 public function checkAll() {
58 $messages = array_merge(
59 $this->checkCxnOverrides(),
60 $this->checkLogFileIsNotAccessible(),
61 $this->checkUploadsAreNotAccessible(),
62 $this->checkDirectoriesAreNotBrowseable(),
63 $this->checkFilesAreNotPresent()
64 );
65 return $messages;
66 }
67
68 /**
69 * Check if our logfile is directly accessible.
70 *
71 * Per CiviCRM default the logfile sits in a folder which is
72 * web-accessible, and is protected by a default .htaccess
73 * configuration. If server config causes the .htaccess not to
74 * function as intended, there may be information disclosure.
75 *
76 * The debug log may be jam-packed with sensitive data, we don't
77 * want that.
78 *
79 * Being able to be retrieved directly doesn't mean the logfile
80 * is browseable or visible to search engines; it means it can be
81 * requested directly.
82 *
83 * @return array
84 * Array of messages
85 * @see CRM-14091
86 */
87 public function checkLogFileIsNotAccessible() {
88 $messages = array();
89
90 $config = CRM_Core_Config::singleton();
91
92 $log = CRM_Core_Error::createDebugLogger();
93 $log_filename = str_replace('\\', '/', $log->_filename);
94
95 $filePathMarker = $this->getFilePathMarker();
96
97 // Hazard a guess at the URL of the logfile, based on common
98 // CiviCRM layouts.
99 if ($upload_url = explode($filePathMarker, $config->imageUploadURL)) {
100 $url[] = $upload_url[0];
101 if ($log_path = explode($filePathMarker, $log_filename)) {
102 // CRM-17149: check if debug log path includes $filePathMarker
103 if (count($log_path) > 1) {
104 $url[] = $log_path[1];
105 $log_url = implode($filePathMarker, $url);
106 $headers = @get_headers($log_url);
107 if (stripos($headers[0], '200')) {
108 $docs_url = $this->createDocUrl('checkLogFileIsNotAccessible');
109 $msg = 'The <a href="%1">CiviCRM debug log</a> should not be downloadable.'
110 . '<br />' .
111 '<a href="%2">Read more about this warning</a>';
112 $messages[] = new CRM_Utils_Check_Message(
113 'checkLogFileIsNotAccessible',
114 ts($msg, array(1 => $log_url, 2 => $docs_url)),
115 ts('Security Warning')
116 );
117 }
118 }
119 }
120 }
121
122 return $messages;
123 }
124
125 /**
126 * Check if our uploads directory has accessible files.
127 *
128 * We'll test a handful of files randomly. Hazard a guess at the URL
129 * of the uploads dir, based on common CiviCRM layouts. Try and
130 * request the files, and if any are successfully retrieved, warn.
131 *
132 * Being retrievable doesn't mean the files are browseable or visible
133 * to search engines; it only means they can be requested directly.
134 *
135 * @return array
136 * Array of messages
137 * @see CRM-14091
138 *
139 * @todo Test with WordPress, Joomla.
140 */
141 public function checkUploadsAreNotAccessible() {
142 $messages = array();
143
144 $config = CRM_Core_Config::singleton();
145 $privateDirs = array(
146 $config->uploadDir,
147 $config->customFileUploadDir,
148 );
149
150 foreach ($privateDirs as $privateDir) {
151 $heuristicUrl = $this->guessUrl($privateDir);
152 if ($this->isDirAccessible($privateDir, $heuristicUrl)) {
153 $messages[] = new CRM_Utils_Check_Message(
154 'checkUploadsAreNotAccessible',
155 ts('Files in the data directory (<a href="%3">%2</a>) should not be downloadable.'
156 . '<br />'
157 . '<a href="%1">Read more about this warning</a>',
158 array(
159 1 => $this->createDocUrl('checkUploadsAreNotAccessible'),
160 2 => $privateDir,
161 3 => $heuristicUrl,
162 )),
163 ts('Private Files Readable'),
164 \Psr\Log\LogLevel::WARNING
165 );
166 }
167 }
168
169 return $messages;
170 }
171
172 /**
173 * Check if our uploads or ConfigAndLog directories have browseable
174 * listings.
175 *
176 * Retrieve a listing of files from the local filesystem, and the
177 * corresponding path via HTTP. Then check and see if the local
178 * files are represented in the HTTP result; if so then warn. This
179 * MAY trigger false positives (if you have files named 'a', 'e'
180 * we'll probably match that).
181 *
182 * @return array
183 * Array of messages
184 * @see CRM-14091
185 *
186 * @todo Test with WordPress, Joomla.
187 */
188 public function checkDirectoriesAreNotBrowseable() {
189 $messages = array();
190 $config = CRM_Core_Config::singleton();
191 $publicDirs = array(
192 $config->imageUploadDir => $config->imageUploadURL,
193 );
194
195 // Setup index.html files to prevent browsing
196 foreach ($publicDirs as $publicDir => $publicUrl) {
197 CRM_Utils_File::restrictBrowsing($publicDir);
198 }
199
200 // Test that $publicDir is not browsable
201 foreach ($publicDirs as $publicDir => $publicUrl) {
202 if ($this->isBrowsable($publicDir, $publicUrl)) {
203 $msg = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
204 . '<br />' .
205 '<a href="%3">Read more about this warning</a>';
206 $docs_url = $this->createDocUrl('checkDirectoriesAreNotBrowseable');
207 $messages[] = new CRM_Utils_Check_Message(
208 'checkDirectoriesAreNotBrowseable',
209 ts($msg, array(1 => $publicDir, 2 => $publicDir, 3 => $docs_url)),
210 ts('Browseable Directories'),
211 \Psr\Log\LogLevel::ERROR
212 );
213 }
214 }
215
216 return $messages;
217 }
218
219
220 /**
221 * Check that some files are not present.
222 *
223 * These files have generally been deleted but Civi source tree but could be
224 * left online if one does a faulty upgrade.
225 *
226 * @return array of messages
227 */
228 public function checkFilesAreNotPresent() {
229 global $civicrm_root;
230
231 $messages = array();
232 $files = array(
233 array(
234 "{$civicrm_root}/packages/dompdf/dompdf.php", // CRM-16005, upgraded from Civi <= 4.5.6
235 \Psr\Log\LogLevel::CRITICAL,
236 ),
237 array(
238 "{$civicrm_root}/packages/vendor/dompdf/dompdf/dompdf.php", // CRM-16005, Civi >= 4.5.7
239 \Psr\Log\LogLevel::CRITICAL,
240 ),
241 array(
242 "{$civicrm_root}/vendor/dompdf/dompdf/dompdf.php", // CRM-16005, Civi >= 4.6.0
243 \Psr\Log\LogLevel::CRITICAL,
244 ),
245 array(
246 "{$civicrm_root}/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php", // CIVI-SA-2013-001
247 \Psr\Log\LogLevel::CRITICAL,
248 ),
249 array(
250 "{$civicrm_root}/packages/html2text/class.html2text.inc",
251 \Psr\Log\LogLevel::CRITICAL,
252 ),
253 );
254 foreach ($files as $file) {
255 if (file_exists($file[0])) {
256 $messages[] = new CRM_Utils_Check_Message(
257 'checkFilesAreNotPresent',
258 ts('File \'%1\' presents a security risk and should be deleted.', array(1 => $file)),
259 ts('Unsafe Files'),
260 $file[1]
261 );
262 }
263 }
264 return $messages;
265 }
266
267 /**
268 * Check that the sysadmin has not modified the Cxn
269 * security setup.
270 */
271 public function checkCxnOverrides() {
272 $list = array();
273 if (defined('CIVICRM_CXN_CA') && CIVICRM_CXN_CA !== 'CiviRootCA') {
274 $list[] = 'CIVICRM_CXN_CA';
275 }
276 if (defined('CIVICRM_CXN_APPS_URL') && CIVICRM_CXN_APPS_URL !== \Civi\Cxn\Rpc\Constants::OFFICIAL_APPMETAS_URL) {
277 $list[] = 'CIVICRM_CXN_APPS_URL';
278 }
279
280 $messages = array();
281
282 if (!empty($list)) {
283 $messages[] = new CRM_Utils_Check_Message(
284 'checkCxnOverrides',
285 ts('The system administrator has disabled security settings (%1). Connections to remote applications are insecure.', array(
286 1 => implode(', ', $list),
287 )),
288 ts('Security Warning')
289 );
290 }
291
292 return $messages;
293 }
294
295 /**
296 * Determine whether $url is a public, browsable listing for $dir
297 *
298 * @param string $dir
299 * Local dir path.
300 * @param string $url
301 * Public URL.
302 * @return bool
303 */
304 public function isBrowsable($dir, $url) {
305 if (empty($dir) || empty($url) || !is_dir($dir)) {
306 return FALSE;
307 }
308
309 $result = FALSE;
310 $file = 'delete-this-' . CRM_Utils_String::createRandom(10, CRM_Utils_String::ALPHANUMERIC);
311
312 // this could be a new system with no uploads (yet) -- so we'll make a file
313 file_put_contents("$dir/$file", "delete me");
314 $content = @file_get_contents("$url");
315 if (stristr($content, $file)) {
316 $result = TRUE;
317 }
318 unlink("$dir/$file");
319
320 return $result;
321 }
322
323 /**
324 * Determine whether $url is a public version of $dir in which files
325 * are remotely accessible.
326 *
327 * @param string $dir
328 * Local dir path.
329 * @param string $url
330 * Public URL.
331 * @return bool
332 */
333 public function isDirAccessible($dir, $url) {
334 $dir = rtrim($dir, '/');
335 $url = rtrim($url, '/');
336 if (empty($dir) || empty($url) || !is_dir($dir)) {
337 return FALSE;
338 }
339
340 $result = FALSE;
341 $file = 'delete-this-' . CRM_Utils_String::createRandom(10, CRM_Utils_String::ALPHANUMERIC);
342
343 // this could be a new system with no uploads (yet) -- so we'll make a file
344 file_put_contents("$dir/$file", "delete me");
345
346 $headers = @get_headers("$url/$file");
347 if (stripos($headers[0], '200')) {
348 $content = @file_get_contents("$url/$file");
349 if (preg_match('/delete me/', $content)) {
350 $result = TRUE;
351 }
352 }
353
354 unlink("$dir/$file");
355
356 return $result;
357 }
358
359 /**
360 * @param $topic
361 *
362 * @return string
363 */
364 public function createDocUrl($topic) {
365 return CRM_Utils_System::getWikiBaseURL() . $topic;
366 }
367
368 /**
369 * Make a guess about the URL that corresponds to $targetDir.
370 *
371 * @param string $targetDir
372 * Local path to a directory.
373 * @return string
374 * a guessed URL for $realDir
375 */
376 public function guessUrl($targetDir) {
377 $filePathMarker = $this->getFilePathMarker();
378 $config = CRM_Core_Config::singleton();
379
380 list ($heuristicBaseUrl, $ignore) = explode($filePathMarker, $config->imageUploadURL);
381 list ($ignore, $heuristicSuffix) = explode($filePathMarker, str_replace('\\', '/', $targetDir));
382 return $heuristicBaseUrl . $filePathMarker . $heuristicSuffix;
383 }
384
385 }