From ead51cf06585c37f88f4fc9fe64b53ba3e5b5fe2 Mon Sep 17 00:00:00 2001
From: demeritcowboy <demeritcowboy@hotmail.com>
Date: Sun, 8 Aug 2021 18:03:06 -0400
Subject: [PATCH] replace fopen with stream_resolve_include_path

---
 CRM/Utils/File.php                   |  9 +++-----
 tests/phpunit/CRM/Utils/FileTest.php | 31 ++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/CRM/Utils/File.php b/CRM/Utils/File.php
index d50ee48d77..0b81f69606 100644
--- a/CRM/Utils/File.php
+++ b/CRM/Utils/File.php
@@ -415,14 +415,11 @@ class CRM_Utils_File {
    *   whether the file can be include()d or require()d
    */
   public static function isIncludable($name) {
-    $x = @fopen($name, 'r', TRUE);
-    if ($x) {
-      fclose($x);
-      return TRUE;
-    }
-    else {
+    $full_filepath = stream_resolve_include_path($name);
+    if ($full_filepath === FALSE) {
       return FALSE;
     }
+    return is_readable($full_filepath);
   }
 
   /**
diff --git a/tests/phpunit/CRM/Utils/FileTest.php b/tests/phpunit/CRM/Utils/FileTest.php
index 58247d1f17..08b32b905e 100644
--- a/tests/phpunit/CRM/Utils/FileTest.php
+++ b/tests/phpunit/CRM/Utils/FileTest.php
@@ -130,4 +130,35 @@ class CRM_Utils_FileTest extends CiviUnitTestCase {
     $this->assertEquals($expectedExtensions, CRM_Utils_File::getAcceptableExtensionsForMimeType($mimeType));
   }
 
+  /**
+   * Check a few variations of isIncludable
+   */
+  public function testIsIncludable() {
+    $path = \Civi::paths()->getPath('[civicrm.private]/');
+    $bare_filename = 'afile' . time() . '.php';
+    $file = "$path/$bare_filename";
+    file_put_contents($file, '<?php');
+
+    // A file that doesn't exist shouldn't be includable.
+    $this->assertFalse(CRM_Utils_File::isIncludable('invisiblefile.php'));
+
+    // Shouldn't be includable by default in civicrm.private
+    $this->assertFalse(CRM_Utils_File::isIncludable($bare_filename));
+
+    // Add civicrm.private to the include_path, then it should be includable.
+    $old_include_path = ini_get('include_path');
+    ini_set('include_path', $old_include_path . PATH_SEPARATOR . $path);
+    $this->assertTrue(CRM_Utils_File::isIncludable($bare_filename));
+
+    // Set permissions to 0, then it shouldn't be includable even if in path.
+    if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
+      chmod($file, 0);
+      $this->assertFalse(CRM_Utils_File::isIncludable($bare_filename));
+      chmod($file, 0644);
+    }
+
+    ini_set('include_path', $old_include_path);
+    unlink($file);
+  }
+
 }
-- 
2.25.1