author | robocoder <anthon.pang@gmail.com> | 2011-01-15 19:21:59 +0300 |
committer | robocoder <anthon.pang@gmail.com> | 2011-01-15 19:21:59 +0300 |
commit | 0024739923629a2036ba9d72076c4a2dbc1e7bdb (patch) | |
tree | afa5937d47fb02edf9abefe15ddf5a86b47169e7 /plugins/SecurityInfo/PhpSecInfo | |
parent | 06c113c5e345c599cc0bd542ad28ebb0f7bf65ba (diff) |
refs #2014 - improve test and error messages when not php-cgi, when force_redirect=0 is required by some web servers, or when php is not compiled with --enable-force-cgi-redirect
git-svn-id: http://dev.piwik.org/svn/trunk@3745 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'plugins/SecurityInfo/PhpSecInfo')
-rw-r--r-- | plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php | 40 |
1 files changed, 35 insertions, 5 deletions
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php b/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
index 9822cbf394..d84d709cc4 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
@@ -41,16 +41,41 @@ class PhpSecInfo_Test_Cgi_Force_Redirect extends PhpSecInfo_Test_Cgi
 	}
+
+	private function skipTest() {
+		if (strpos(PHP_SAPI, 'cgi') === false) {
+			return PHP_SAPI . ' SAPI for php';
+		}
+
+		// these web servers require cgi.force_redirect = 0
+		$webServers = array('Microsoft-IIS', 'OmniHTTPd', 'Xitami');
+		if (isset($_SERVER['SERVER_SOFTWARE'])) {
+			foreach ($webServers as $webServer) {
+				if (strpos($_SERVER['SERVER_SOFTWARE'], $webServer) === 0) {
+					return $_SERVER['SERVER_SOFTWARE'];
+				}
+			}
+		}
+
+		return false;
+	}
+
+
 	/**
 	 * Checks to see if cgi.force_redirect is enabled
 	 *
 	 */
 	function _execTest() {
-
 		if ($this->current_value == $this->recommended_value) {
 			return PHPSECINFO_TEST_RESULT_OK;
 		}
+		if ($this->skipTest())
+		{
+			return PHPSECINFO_TEST_RESULT_NOTICE;
+		}
+
 		return PHPSECINFO_TEST_RESULT_WARN;
 	}
 
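Review bot: `skipTest()` returns a reason string (`PHP_SAPI . ' SAPI for php'` or the raw `$_SERVER['SERVER_SOFTWARE']`) rather than a boolean, and the second hunk concatenates that string into a user-facing message, so the method name and the missing docblock undersell what callers depend on; a docblock such as `/** @return string|false Environment that makes cgi.force_redirect=0 acceptable (non-CGI SAPI, or a web server that needs it off), or false when the warning should stand. */` would make the contract explicit. The new `if ($this->skipTest())` block puts its opening brace on its own line, unlike every other brace in this file. The SAPI check is a substring test, so any SAPI whose name contains `cgi` is treated as CGI; that looks intended but deserves a one-line comment. The class body continues outside the hunk.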
@@ -64,8 +89,13 @@ class PhpSecInfo_Test_Cgi_Force_Redirect extends PhpSecInfo_Test_Cgi
 		parent::_setMessages();
 		$this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "force_redirect is enabled, which is the recommended setting");
-		$this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, enable this setting");
-
+		$ini = ini_get_all();
+		if (isset($ini['cgi.force_redirect'])) {
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, enable this setting");
+		} else {
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, recompile php with --enable-force-cgi-redirect and enable cgi.force_redirect");
+		}
 	}
-
-}
\ No newline at end of file
+}
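Review bot: Both NOTICE messages append `$this->skipTest()` — the raw `PHP_SAPI` or `$_SERVER['SERVER_SOFTWARE']` string — into text that the neighbouring WARN message shows is rendered as HTML (`<strong>`), with no escaping; `SERVER_SOFTWARE` is set by the web server rather than the client, so the exposure is low, but `htmlspecialchars($this->skipTest(), ENT_QUOTES, 'UTF-8')` would keep the page's output escaping uniform. `ini_get_all()` materialises every directive only to probe one key; `ini_get('cgi.force_redirect') !== false` appears to answer the same question more cheaply, since an unregistered directive is reported as false there too. The `--enable-force-cgi-redirect` configure switch was removed in PHP 5.3, where CGI builds always register cgi.force_redirect, so the else branch should presumably only be reachable on older builds — a comment saying so would stop the message reading as a current recommendation. `_setMessages()` opens outside the hunk.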