authormattab <matthieu.aubry@gmail.com>2013-03-28 03:42:39 +0400
committermattab <matthieu.aubry@gmail.com>2013-03-28 03:42:40 +0400
commitae4b03163792f0b6e933933e5d37df87dc3fd566 (patch)
treed1d7510a9728f587d3d63ebd03e4ecf3d904838b /plugins/SecurityInfo/PhpSecInfo
parent158c2150f5f2e13ece459b8d131244c11b763997 (diff)
Mass conversion of all files to the newly agreed coding standard: PSR 1/2
Converting Piwik core source files, PHP, JS, TPL, CSS More info: http://piwik.org/participate/coding-standards/
Diffstat (limited to 'plugins/SecurityInfo/PhpSecInfo')
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/PhpSecInfo.php976
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php77
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Application/piwik.php55
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php157
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_fopen.php100
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_include.php107
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/display_errors.php85
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/expose_php.php85
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/file_uploads.php86
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/gid.php112
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/magic_quotes_gpc.php83
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/memory_limit.php87
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/open_basedir.php81
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/post_max_size.php68
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/register_globals.php83
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/uid.php114
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_max_filesize.php84
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_tmp_dir.php133
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Curl/file_support.php76
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php165
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Session/use_trans_sid.php63
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/extension.php39
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/patch.php67
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test.php1087
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Application.php71
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Cgi.php78
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Core.php50
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Curl.php80
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Session.php52
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Test_Suhosin.php65
30 files changed, 2278 insertions, 2188 deletions
diff --git a/plugins/SecurityInfo/PhpSecInfo/PhpSecInfo.php b/plugins/SecurityInfo/PhpSecInfo/PhpSecInfo.php
index 0e9bbc7768..acdba6b959 100644
--- a/plugins/SecurityInfo/PhpSecInfo/PhpSecInfo.php
+++ b/plugins/SecurityInfo/PhpSecInfo/PhpSecInfo.php
@@ -95,497 +95,505 @@ define('PHPSECINFO_BASE_DIR', dirname(__FILE__));
class PhpSecInfo
{
- /**
- * An array of tests to run
- *
- * @var array PhpSecInfo_Test
- */
- var $tests_to_run = array();
-
-
- /**
- * An array of results. Each result is an associative array:
- * <code>
- * $result['result'] = PHPSECINFO_TEST_RESULT_NOTICE;
- * $result['message'] = "a string describing the test results and what they mean";
- * </code>
- *
- * @var array
- */
- var $test_results = array();
-
-
- /**
- * An array of tests that were not run
- *
- * <code>
- * $result['result'] = PHPSECINFO_TEST_RESULT_NOTRUN;
- * $result['message'] = "a string explaining why the test was not run";
- * </code>
- *
- * @var array
- */
- var $tests_not_run = array();
-
-
- /**
- * The language code used. Defaults to PHPSECINFO_LANG_DEFAULT, which
- * is 'en'
- *
- * @var string
- * @see PHPSECINFO_LANG_DEFAULT
- */
- var $language = PHPSECINFO_LANG_DEFAULT;
-
-
- /**
- * An array of integers recording the number of test results in each category. Categories can include
- * some or all of the PHPSECINFO_TEST_* constants. Constants are the keys, # of results are the values.
- *
- * @var array
- */
- var $result_counts = array();
-
-
- /**
- * The number of tests that have been run
- *
- * @var integer
- */
- var $num_tests_run = 0;
-
-
- /**
- * The base directory for phpsecinfo. Set within the constructor. Paths are resolved from this.
- * @var string
- */
- var $_base_dir;
-
-
- /**
- * The directory PHPSecInfo will look for views. It defaults to the value
- * in PHPSECINFO_VIEW_DIR_DEFAULT, but can be changed with the setViewDirectory()
- * method.
- *
- * @var string
- */
- var $_view_directory;
-
-
- /**
- * The output format, used to load the proper view
- *
- * @var string
- **/
- var $_format;
-
- /**
- * Constructor
- *
- * @return PhpSecInfo
- */
- function PhpSecInfo($opts = null) {
-
- $this->_base_dir = dirname(__FILE__);
-
- if ($opts) {
- if (isset($opts['view_directory'])) {
- $this->setViewDirectory($opts['view_directory']);
- } else {
- $this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
- }
-
- if (isset($opts['format'])) {
- $this->setFormat($opts['format']);
- } else {
- if (!strcasecmp(PHP_SAPI, 'cli')) {
- $this->setFormat('Cli');
- } else {
- $this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
- }
- }
-
- } else { /* Use defaults */
- $this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
- if (!strcasecmp(PHP_SAPI, 'cli')) {
- $this->setFormat('Cli');
- } else {
- $this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
- }
- }
- }
-
-
- /**
- * recurses through the Test subdir and includes classes in each test group subdir,
- * then builds an array of classnames for the tests that will be run
- *
- */
- function loadTests() {
-
- $test_root = dir(dirname(__FILE__).DIRECTORY_SEPARATOR.'Test');
-
- //echo "<pre>"; echo print_r($test_root, true); echo "</pre>";
-
- while (false !== ($entry = $test_root->read())) {
- if ( is_dir($test_root->path.DIRECTORY_SEPARATOR.$entry) && !preg_match('~^(\.|_vti)(.*)$~', $entry) ) {
- $test_dirs[] = $entry;
- }
- }
- //echo "<pre>"; echo print_r($test_dirs, true); echo "</pre>";
-
- // include_once all files in each test dir
- foreach ($test_dirs as $test_dir) {
- $this_dir = dir($test_root->path.DIRECTORY_SEPARATOR.$test_dir);
-
- while (false !== ($entry = $this_dir->read())) {
- if (!is_dir($this_dir->path.DIRECTORY_SEPARATOR.$entry)) {
- include_once $this_dir->path.DIRECTORY_SEPARATOR.$entry;
- $classNames[] = "PhpSecInfo_Test_".$test_dir."_".basename($entry, '.php');
- }
- }
-
- }
-
- // modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
- $this->tests_to_run = $classNames;
- }
-
-
- /**
- * This runs the tests in the tests_to_run array and
- * places returned data in the following arrays/scalars:
- * - $this->test_results
- * - $this->result_counts
- * - $this->num_tests_run
- * - $this->tests_not_run;
- *
- */
- function runTests() {
- // initialize a bunch of arrays
- $this->test_results = array();
- $this->result_counts = array();
- $this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN] = 0;
- $this->num_tests_run = 0;
-
- foreach ($this->tests_to_run as $testClass) {
-
- /**
- * @var $test PhpSecInfo_Test
- */
- $test = new $testClass();
-
- if ($test->isTestable()) {
- $test->test();
- $rs = array( 'result' => $test->getResult(),
- 'message' => $test->getMessage(),
- 'value_current' => $test->getCurrentTestValue(),
- 'value_recommended' => $test->getRecommendedTestValue(),
- 'moreinfo_url' => $test->getMoreInfoURL(),
- );
- $this->test_results[$test->getTestGroup()][$test->getTestName()] = $rs;
-
- // initialize if not yet set
- if (!isset ($this->result_counts[$rs['result']]) ) {
- $this->result_counts[$rs['result']] = 0;
- }
-
- $this->result_counts[$rs['result']]++;
- $this->num_tests_run++;
- } else {
- $rs = array( 'result' => $test->getResult(),
- 'message' => $test->getMessage(),
- 'value_current' => NULL,
- 'value_recommended' => NULL,
- 'moreinfo_url' => $test->getMoreInfoURL(),
- );
- $this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN]++;
- $this->tests_not_run[$test->getTestGroup()."::".$test->getTestName()] = $rs;
- }
- }
- }
-
-
- /**
- * This is the main output method. The look and feel mimics phpinfo()
- *
- */
- function renderOutput($page_title="Security Information About PHP") {
- /**
- * We need to use PhpSecInfo_Test::getBooleanIniValue() below
- * @see PhpSecInfo_Test::getBooleanIniValue()
- */
- if (!class_exists('PhpSecInfo_Test')) {
- include( dirname(__FILE__).DIRECTORY_SEPARATOR.'Test'.DIRECTORY_SEPARATOR.'Test.php');
- }
- $this->loadView($this->_format);
- }
-
-
- /**
- * This is a helper method that makes it easy to output tables of test results
- * for a given test group
- *
- * @param string $group_name
- * @param array $group_results
- */
- function _outputRenderTable($group_name, $group_results) {
-
- // exit out if $group_results was empty or not an array. This sorta seems a little hacky...
- if (!is_array($group_results) || sizeof($group_results) < 1) {
- return false;
- }
-
- ksort($group_results);
-
- $this->loadView($this->_format.'/Result', array('group_name'=>$group_name, 'group_results'=>$group_results));
-
- return true;
- }
-
-
-
- /**
- * This outputs a table containing a summary of the test results (counts and % in each result type)
- *
- * @see PHPSecInfo::_outputRenderTable()
- * @see PHPSecInfo::_outputGetResultTypeFromCode()
- */
- function _outputRenderStatsTable() {
-
- foreach($this->result_counts as $code=>$val) {
- if ($code != PHPSECINFO_TEST_RESULT_NOTRUN) {
- $percentage = round($val/$this->num_tests_run * 100,2);
- $result_type = $this->_outputGetResultTypeFromCode($code);
- $stats[$result_type] = array( 'count' => $val,
- 'result' => $code,
- 'message' => "$val out of {$this->num_tests_run} ($percentage%)");
- }
- }
-
- $this->_outputRenderTable('Test Results Summary', $stats);
-
- }
-
-
-
- /**
- * This outputs a table containing a summary or test that were not executed, and the reasons why they were skipped
- *
- * @see PHPSecInfo::_outputRenderTable()
- */
- function _outputRenderNotRunTable() {
-
- $this->_outputRenderTable('Tests Not Run', $this->tests_not_run);
-
- }
-
-
-
-
- /**
- * This is a helper function that returns a CSS class corresponding to
- * the result code the test returned. This allows us to color-code
- * results
- *
- * @param integer $code
- * @return string
- */
- function _outputGetCssClassFromResult($code) {
-
- switch ($code) {
- case PHPSECINFO_TEST_RESULT_OK:
- return 'value-ok';
- break;
-
- case PHPSECINFO_TEST_RESULT_NOTICE:
- return 'value-notice';
- break;
-
- case PHPSECINFO_TEST_RESULT_WARN:
- return 'value-warn';
- break;
-
- case PHPSECINFO_TEST_RESULT_NOTRUN:
- return 'value-notrun';
- break;
-
- case PHPSECINFO_TEST_RESULT_ERROR:
- return 'value-error';
- break;
-
- default:
- return 'value-notrun';
- break;
- }
-
- }
-
-
-
- /**
- * This is a helper function that returns a label string corresponding to
- * the result code the test returned. This is mainly used for the Test
- * Results Summary table.
- *
- * @see PHPSecInfo::_outputRenderStatsTable()
- * @param integer $code
- * @return string
- */
- function _outputGetResultTypeFromCode($code) {
-
- switch ($code) {
- case PHPSECINFO_TEST_RESULT_OK:
- return 'Pass';
- break;
-
- case PHPSECINFO_TEST_RESULT_NOTICE:
- return 'Notice';
- break;
-
- case PHPSECINFO_TEST_RESULT_WARN:
- return 'Warning';
- break;
-
- case PHPSECINFO_TEST_RESULT_NOTRUN:
- return 'Not Run';
- break;
-
- case PHPSECINFO_TEST_RESULT_ERROR:
- return 'Error';
- break;
-
- default:
- return 'Invalid Result Code';
- break;
- }
-
- }
-
-
- /**
- * Loads and runs all the tests
- *
- * As loading, then running, is a pretty common process, this saves a extra method call
- *
- * @since 0.1.1
- *
- */
- function loadAndRun() {
- $this->loadTests();
- $this->runTests();
- }
-
-
- /**
- * returns an associative array of test data. Four keys are set:
- * - test_results (array)
- * - tests_not_run (array)
- * - result_counts (array)
- * - num_tests_run (integer)
- *
- * note that this must be called after tests are loaded and run
- *
- * @since 0.1.1
- * @return array
- */
- function getResultsAsArray() {
- $results = array();
-
- $results['test_results'] = $this->test_results;
- $results['tests_not_run'] = $this->tests_not_run;
- $results['result_counts'] = $this->result_counts;
- $results['num_tests_run'] = $this->num_tests_run;
-
- return $results;
- }
-
-
-
- /**
- * returns the standard output as a string instead of echoing it to the browser
- *
- * note that this must be called after tests are loaded and run
- *
- * @since 0.1.1
- *
- * @return string
- */
- function getOutput() {
- ob_start();
- $this->renderOutput();
- $output = ob_get_clean();
- return $output;
- }
-
-
- /**
- * A very, very simple "view" system
- *
- */
- function loadView($view_name, $data=null) {
- if ($data != null) {
- extract($data);
- }
-
- $view_file = $this->getViewDirectory().$view_name.".php";
-
- if ( file_exists($view_file) && is_readable($view_file) ) {
- ob_start();
- include $view_file;
- echo ob_get_clean();
- } else {
- user_error("The view '{$view_file}' either does not exist or is not readable", E_USER_WARNING);
- }
-
-
- }
-
-
- /**
- * Returns the current view directory
- *
- * @return string
- */
- function getViewDirectory() {
- return $this->_view_directory;
- }
-
-
- /**
- * Sets the directory that PHPSecInfo will look in for views
- *
- * @param string $newdir
- */
- function setViewDirectory($newdir) {
- $this->_view_directory = $newdir;
- }
-
-
-
-
- function getFormat() {
- return $this->_format;
- }
-
-
- function setFormat($format) {
- $this->_format = $format;
- }
+ /**
+ * An array of tests to run
+ *
+ * @var array PhpSecInfo_Test
+ */
+ var $tests_to_run = array();
+
+
+ /**
+ * An array of results. Each result is an associative array:
+ * <code>
+ * $result['result'] = PHPSECINFO_TEST_RESULT_NOTICE;
+ * $result['message'] = "a string describing the test results and what they mean";
+ * </code>
+ *
+ * @var array
+ */
+ var $test_results = array();
+
+
+ /**
+ * An array of tests that were not run
+ *
+ * <code>
+ * $result['result'] = PHPSECINFO_TEST_RESULT_NOTRUN;
+ * $result['message'] = "a string explaining why the test was not run";
+ * </code>
+ *
+ * @var array
+ */
+ var $tests_not_run = array();
+
+
+ /**
+ * The language code used. Defaults to PHPSECINFO_LANG_DEFAULT, which
+ * is 'en'
+ *
+ * @var string
+ * @see PHPSECINFO_LANG_DEFAULT
+ */
+ var $language = PHPSECINFO_LANG_DEFAULT;
+
+
+ /**
+ * An array of integers recording the number of test results in each category. Categories can include
+ * some or all of the PHPSECINFO_TEST_* constants. Constants are the keys, # of results are the values.
+ *
+ * @var array
+ */
+ var $result_counts = array();
+
+
+ /**
+ * The number of tests that have been run
+ *
+ * @var integer
+ */
+ var $num_tests_run = 0;
+
+
+ /**
+ * The base directory for phpsecinfo. Set within the constructor. Paths are resolved from this.
+ * @var string
+ */
+ var $_base_dir;
+
+
+ /**
+ * The directory PHPSecInfo will look for views. It defaults to the value
+ * in PHPSECINFO_VIEW_DIR_DEFAULT, but can be changed with the setViewDirectory()
+ * method.
+ *
+ * @var string
+ */
+ var $_view_directory;
+
+
+ /**
+ * The output format, used to load the proper view
+ *
+ * @var string
+ **/
+ var $_format;
+
+ /**
+ * Constructor
+ *
+ * @return PhpSecInfo
+ */
+ function PhpSecInfo($opts = null)
+ {
+
+ $this->_base_dir = dirname(__FILE__);
+
+ if ($opts) {
+ if (isset($opts['view_directory'])) {
+ $this->setViewDirectory($opts['view_directory']);
+ } else {
+ $this->setViewDirectory(dirname(__FILE__) . DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
+ }
+
+ if (isset($opts['format'])) {
+ $this->setFormat($opts['format']);
+ } else {
+ if (!strcasecmp(PHP_SAPI, 'cli')) {
+ $this->setFormat('Cli');
+ } else {
+ $this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
+ }
+ }
+
+ } else { /* Use defaults */
+ $this->setViewDirectory(dirname(__FILE__) . DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
+ if (!strcasecmp(PHP_SAPI, 'cli')) {
+ $this->setFormat('Cli');
+ } else {
+ $this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
+ }
+ }
+ }
+
+
+ /**
+ * recurses through the Test subdir and includes classes in each test group subdir,
+ * then builds an array of classnames for the tests that will be run
+ *
+ */
+ function loadTests()
+ {
+
+ $test_root = dir(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'Test');
+
+ //echo "<pre>"; echo print_r($test_root, true); echo "</pre>";
+
+ while (false !== ($entry = $test_root->read())) {
+ if (is_dir($test_root->path . DIRECTORY_SEPARATOR . $entry) && !preg_match('~^(\.|_vti)(.*)$~', $entry)) {
+ $test_dirs[] = $entry;
+ }
+ }
+ //echo "<pre>"; echo print_r($test_dirs, true); echo "</pre>";
+
+ // include_once all files in each test dir
+ foreach ($test_dirs as $test_dir) {
+ $this_dir = dir($test_root->path . DIRECTORY_SEPARATOR . $test_dir);
+
+ while (false !== ($entry = $this_dir->read())) {
+ if (!is_dir($this_dir->path . DIRECTORY_SEPARATOR . $entry)) {
+ include_once $this_dir->path . DIRECTORY_SEPARATOR . $entry;
+ $classNames[] = "PhpSecInfo_Test_" . $test_dir . "_" . basename($entry, '.php');
+ }
+ }
+
+ }
+
+ // modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
+ $this->tests_to_run = $classNames;
+ }
+
+
+ /**
+ * This runs the tests in the tests_to_run array and
+ * places returned data in the following arrays/scalars:
+ * - $this->test_results
+ * - $this->result_counts
+ * - $this->num_tests_run
+ * - $this->tests_not_run;
+ *
+ */
+ function runTests()
+ {
+ // initialize a bunch of arrays
+ $this->test_results = array();
+ $this->result_counts = array();
+ $this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN] = 0;
+ $this->num_tests_run = 0;
+
+ foreach ($this->tests_to_run as $testClass) {
+
+ /**
+ * @var $test PhpSecInfo_Test
+ */
+ $test = new $testClass();
+
+ if ($test->isTestable()) {
+ $test->test();
+ $rs = array('result' => $test->getResult(),
+ 'message' => $test->getMessage(),
+ 'value_current' => $test->getCurrentTestValue(),
+ 'value_recommended' => $test->getRecommendedTestValue(),
+ 'moreinfo_url' => $test->getMoreInfoURL(),
+ );
+ $this->test_results[$test->getTestGroup()][$test->getTestName()] = $rs;
+
+ // initialize if not yet set
+ if (!isset ($this->result_counts[$rs['result']])) {
+ $this->result_counts[$rs['result']] = 0;
+ }
+
+ $this->result_counts[$rs['result']]++;
+ $this->num_tests_run++;
+ } else {
+ $rs = array('result' => $test->getResult(),
+ 'message' => $test->getMessage(),
+ 'value_current' => NULL,
+ 'value_recommended' => NULL,
+ 'moreinfo_url' => $test->getMoreInfoURL(),
+ );
+ $this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN]++;
+ $this->tests_not_run[$test->getTestGroup() . "::" . $test->getTestName()] = $rs;
+ }
+ }
+ }
+
+
+ /**
+ * This is the main output method. The look and feel mimics phpinfo()
+ *
+ */
+ function renderOutput($page_title = "Security Information About PHP")
+ {
+ /**
+ * We need to use PhpSecInfo_Test::getBooleanIniValue() below
+ * @see PhpSecInfo_Test::getBooleanIniValue()
+ */
+ if (!class_exists('PhpSecInfo_Test')) {
+ include(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'Test' . DIRECTORY_SEPARATOR . 'Test.php');
+ }
+ $this->loadView($this->_format);
+ }
+
+
+ /**
+ * This is a helper method that makes it easy to output tables of test results
+ * for a given test group
+ *
+ * @param string $group_name
+ * @param array $group_results
+ */
+ function _outputRenderTable($group_name, $group_results)
+ {
+
+ // exit out if $group_results was empty or not an array. This sorta seems a little hacky...
+ if (!is_array($group_results) || sizeof($group_results) < 1) {
+ return false;
+ }
+
+ ksort($group_results);
+
+ $this->loadView($this->_format . '/Result', array('group_name' => $group_name, 'group_results' => $group_results));
+
+ return true;
+ }
+
+
+ /**
+ * This outputs a table containing a summary of the test results (counts and % in each result type)
+ *
+ * @see PHPSecInfo::_outputRenderTable()
+ * @see PHPSecInfo::_outputGetResultTypeFromCode()
+ */
+ function _outputRenderStatsTable()
+ {
+
+ foreach ($this->result_counts as $code => $val) {
+ if ($code != PHPSECINFO_TEST_RESULT_NOTRUN) {
+ $percentage = round($val / $this->num_tests_run * 100, 2);
+ $result_type = $this->_outputGetResultTypeFromCode($code);
+ $stats[$result_type] = array('count' => $val,
+ 'result' => $code,
+ 'message' => "$val out of {$this->num_tests_run} ($percentage%)");
+ }
+ }
+
+ $this->_outputRenderTable('Test Results Summary', $stats);
+
+ }
+
+
+ /**
+ * This outputs a table containing a summary or test that were not executed, and the reasons why they were skipped
+ *
+ * @see PHPSecInfo::_outputRenderTable()
+ */
+ function _outputRenderNotRunTable()
+ {
+
+ $this->_outputRenderTable('Tests Not Run', $this->tests_not_run);
+
+ }
+
+
+ /**
+ * This is a helper function that returns a CSS class corresponding to
+ * the result code the test returned. This allows us to color-code
+ * results
+ *
+ * @param integer $code
+ * @return string
+ */
+ function _outputGetCssClassFromResult($code)
+ {
+
+ switch ($code) {
+ case PHPSECINFO_TEST_RESULT_OK:
+ return 'value-ok';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_NOTICE:
+ return 'value-notice';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_WARN:
+ return 'value-warn';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_NOTRUN:
+ return 'value-notrun';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_ERROR:
+ return 'value-error';
+ break;
+
+ default:
+ return 'value-notrun';
+ break;
+ }
+
+ }
+
+
+ /**
+ * This is a helper function that returns a label string corresponding to
+ * the result code the test returned. This is mainly used for the Test
+ * Results Summary table.
+ *
+ * @see PHPSecInfo::_outputRenderStatsTable()
+ * @param integer $code
+ * @return string
+ */
+ function _outputGetResultTypeFromCode($code)
+ {
+
+ switch ($code) {
+ case PHPSECINFO_TEST_RESULT_OK:
+ return 'Pass';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_NOTICE:
+ return 'Notice';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_WARN:
+ return 'Warning';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_NOTRUN:
+ return 'Not Run';
+ break;
+
+ case PHPSECINFO_TEST_RESULT_ERROR:
+ return 'Error';
+ break;
+
+ default:
+ return 'Invalid Result Code';
+ break;
+ }
+
+ }
+
+
+ /**
+ * Loads and runs all the tests
+ *
+ * As loading, then running, is a pretty common process, this saves a extra method call
+ *
+ * @since 0.1.1
+ *
+ */
+ function loadAndRun()
+ {
+ $this->loadTests();
+ $this->runTests();
+ }
+
+
+ /**
+ * returns an associative array of test data. Four keys are set:
+ * - test_results (array)
+ * - tests_not_run (array)
+ * - result_counts (array)
+ * - num_tests_run (integer)
+ *
+ * note that this must be called after tests are loaded and run
+ *
+ * @since 0.1.1
+ * @return array
+ */
+ function getResultsAsArray()
+ {
+ $results = array();
+
+ $results['test_results'] = $this->test_results;
+ $results['tests_not_run'] = $this->tests_not_run;
+ $results['result_counts'] = $this->result_counts;
+ $results['num_tests_run'] = $this->num_tests_run;
+
+ return $results;
+ }
+
+
+ /**
+ * returns the standard output as a string instead of echoing it to the browser
+ *
+ * note that this must be called after tests are loaded and run
+ *
+ * @since 0.1.1
+ *
+ * @return string
+ */
+ function getOutput()
+ {
+ ob_start();
+ $this->renderOutput();
+ $output = ob_get_clean();
+ return $output;
+ }
+
+
+ /**
+ * A very, very simple "view" system
+ *
+ */
+ function loadView($view_name, $data = null)
+ {
+ if ($data != null) {
+ extract($data);
+ }
+
+ $view_file = $this->getViewDirectory() . $view_name . ".php";
+
+ if (file_exists($view_file) && is_readable($view_file)) {
+ ob_start();
+ include $view_file;
+ echo ob_get_clean();
+ } else {
+ user_error("The view '{$view_file}' either does not exist or is not readable", E_USER_WARNING);
+ }
+
+
+ }
+
+
+ /**
+ * Returns the current view directory
+ *
+ * @return string
+ */
+ function getViewDirectory()
+ {
+ return $this->_view_directory;
+ }
+
+
+ /**
+ * Sets the directory that PHPSecInfo will look in for views
+ *
+ * @param string $newdir
+ */
+ function setViewDirectory($newdir)
+ {
+ $this->_view_directory = $newdir;
+ }
+
+
+ function getFormat()
+ {
+ return $this->_format;
+ }
+
+
+ function setFormat($format)
+ {
+ $this->_format = $format;
+ }
}
-
-
/**
* A globally-available function that runs the tests and creates the result page
*
*/
-function phpsecinfo() {
- // modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
- $psi = new PhpSecInfo();
- $psi->loadAndRun();
- $psi->renderOutput();
+function phpsecinfo()
+{
+ // modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
+ $psi = new PhpSecInfo();
+ $psi->loadAndRun();
+ $psi->renderOutput();
}
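Review bot: `setFormat()` and the constructor's `$opts['format']` accept any string, and `loadView()` splices `$this->_format` straight into an include path (`$this->getViewDirectory() . $view_name . ".php"`), so a format such as `../../x` would include an arbitrary `.php` file relative to the view directory; whether any caller passes an untrusted format value is not visible in this hunk, but the guard belongs on the setter regardless. `loadTests()` likewise `include_once`s every non-directory entry under `Test/*` whatever its extension and never initialises `$test_dirs` or `$classNames`, so a stray editor backup file is executed and an empty Test tree makes `runTests()` iterate `null`; `$test_dirs = $classNames = array();` at the top and `substr($entry, -4) === '.php'` in the inner `if` would close both. The setter validation is short enough to show in full.
```php
    function setFormat($format)
    {
        // The value becomes part of an include path in loadView(); only bare view names are valid.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $format)) {
            user_error("Invalid format '{$format}'", E_USER_WARNING);
            return;
        }
        $this->_format = $format;
    }
```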
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php b/plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php
index 919d73a2cb..3199cb3167 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Application class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Application.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Application.php');
/**
* Test class for PHP application
@@ -21,49 +21,52 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Application.php');
*/
class PhpSecInfo_Test_Application_Php extends PhpSecInfo_Test_Application
{
- var $test_name = "PHP";
+ var $test_name = "PHP";
- var $recommended_value = null;
+ var $recommended_value = null;
- function _retrieveCurrentValue() {
- $this->current_value = PHP_VERSION;
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = PHP_VERSION;
- $url = 'http://php.net/releases/?serialize=1&version=5';
- $timeout = Piwik_UpdateCheck::SOCKET_TIMEOUT;
- try {
- $latestVersion = Piwik_Http::sendHttpRequest($url, $timeout);
- $versionInfo = safe_unserialize($latestVersion);
- $this->recommended_value = $versionInfo['version'];
- } catch(Exception $e) {
- $this->recommended_value = '';
- }
- }
+ $url = 'http://php.net/releases/?serialize=1&version=5';
+ $timeout = Piwik_UpdateCheck::SOCKET_TIMEOUT;
+ try {
+ $latestVersion = Piwik_Http::sendHttpRequest($url, $timeout);
+ $versionInfo = safe_unserialize($latestVersion);
+ $this->recommended_value = $versionInfo['version'];
+ } catch (Exception $e) {
+ $this->recommended_value = '';
+ }
+ }
- function _execTest() {
- if (version_compare($this->current_value, '5.2.1') < 0) {
- return PHPSECINFO_TEST_RESULT_WARN;
- }
+ function _execTest()
+ {
+ if (version_compare($this->current_value, '5.2.1') < 0) {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
- if (empty($this->recommended_value)) {
- return PHPSECINFO_TEST_RESULT_ERROR;
- }
+ if (empty($this->recommended_value)) {
+ return PHPSECINFO_TEST_RESULT_ERROR;
+ }
- if (version_compare($this->current_value, $this->recommended_value) >= 0 ) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ if (version_compare($this->current_value, $this->recommended_value) >= 0) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- function _setMessages() {
- parent::_setMessages();
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP ".$this->current_value.
- ($this->current_value == $this->recommended_value
- ? " (the latest version)."
- : ". The latest version is ".$this->recommended_value."."));
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are running PHP ".$this->current_value.". The latest version of PHP is ".$this->recommended_value.".");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "You are running PHP ".$this->current_value." which is really old. We recommend running the latest (stable) version of PHP which includes numerous bug fixes and security fixes.");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', "Unable to determine the latest version of PHP available.");
- }
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP " . $this->current_value .
+ ($this->current_value == $this->recommended_value
+ ? " (the latest version)."
+ : ". The latest version is " . $this->recommended_value . "."));
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are running PHP " . $this->current_value . ". The latest version of PHP is " . $this->recommended_value . ".");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "You are running PHP " . $this->current_value . " which is really old. We recommend running the latest (stable) version of PHP which includes numerous bug fixes and security fixes.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', "Unable to determine the latest version of PHP available.");
+ }
}
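Review bot: In `_retrieveCurrentValue()` the reply from `http://php.net/releases/?serialize=1&version=5` is fetched over plain HTTP and `$versionInfo['version']` is read without checking that `safe_unserialize()` returned an array, so a garbled or tampered response either raises a notice or silently sets the "latest" version to whatever the network delivered, and an on-path attacker can make an outdated PHP report `OK`. `$this->recommended_value = (is_array($versionInfo) && isset($versionInfo['version'])) ? (string) $versionInfo['version'] : '';` keeps the empty-string ERROR path for bad data, and the URL should use `https://` if `Piwik_Http::sendHttpRequest()` supports it (not visible here). The query is also pinned to `version=5`, so the comparison will only ever see the 5.x series; what `safe_unserialize()` actually rejects is not shown in this hunk.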
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Application/piwik.php b/plugins/SecurityInfo/PhpSecInfo/Test/Application/piwik.php
index 5a495a352c..16e7fbf42f 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Application/piwik.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Application/piwik.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Application class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Application.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Application.php');
/**
* Test class for Piwik application
@@ -21,38 +21,41 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Application.php');
*/
class PhpSecInfo_Test_Application_Piwik extends PhpSecInfo_Test_Application
{
- var $test_name = "Piwik";
+ var $test_name = "Piwik";
- var $recommended_value = null;
+ var $recommended_value = null;
- function _retrieveCurrentValue() {
- $this->current_value = Piwik_Version::VERSION;
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = Piwik_Version::VERSION;
- $this->recommended_value = Piwik_GetOption(Piwik_UpdateCheck::LATEST_VERSION);
- }
+ $this->recommended_value = Piwik_GetOption(Piwik_UpdateCheck::LATEST_VERSION);
+ }
- function _execTest() {
- if (version_compare($this->current_value, '0.5') < 0) {
- return PHPSECINFO_TEST_RESULT_WARN;
- }
+ function _execTest()
+ {
+ if (version_compare($this->current_value, '0.5') < 0) {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
- if (empty($this->recommended_value)) {
- return PHPSECINFO_TEST_RESULT_ERROR;
- }
+ if (empty($this->recommended_value)) {
+ return PHPSECINFO_TEST_RESULT_ERROR;
+ }
- if (version_compare($this->current_value, $this->recommended_value) >= 0) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ if (version_compare($this->current_value, $this->recommended_value) >= 0) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- function _setMessages() {
- parent::_setMessages();
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running Piwik ".$this->current_value." (the latest version).");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are running Piwik ".$this->current_value.". The latest version of Piwik is ".$this->recommended_value.".");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "You are running Piwik ".$this->current_value." which is no longer supported by the Piwik developers. We recommend running the latest (stable) version of Piwik which includes numerous enhancements, bug fixes, and security fixes.");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', "Unable to determine the latest version of Piwik available.");
- }
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running Piwik " . $this->current_value . " (the latest version).");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are running Piwik " . $this->current_value . ". The latest version of Piwik is " . $this->recommended_value . ".");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "You are running Piwik " . $this->current_value . " which is no longer supported by the Piwik developers. We recommend running the latest (stable) version of Piwik which includes numerous enhancements, bug fixes, and security fixes.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', "Unable to determine the latest version of Piwik available.");
+ }
}
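Review bot: The OK message set in `_setMessages()` unconditionally says "(the latest version)", but `_execTest()` returns OK for any `version_compare(...) >= 0`, so an install running a build newer than `Piwik_UpdateCheck::LATEST_VERSION` is described as the latest; the sibling `Test/Application/php.php` already separates the two cases with a ternary on `$this->current_value == $this->recommended_value`, and the same form here would keep the two tests consistent. `Piwik_GetOption()` may return `false` when the option is unset, which `empty()` maps to the ERROR path, so that case is already covered.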
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php b/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
index d84d709cc4..cdb0ca2c4f 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/CGI/force_redirect.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Cgi class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Cgi.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Cgi.php');
/**
* Test class for cgi force_redirect
@@ -20,82 +20,81 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Cgi.php');
class PhpSecInfo_Test_Cgi_Force_Redirect extends PhpSecInfo_Test_Cgi
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "force_redirect";
-
- /**
- * The recommended setting value
- *
- * @var mixed
- */
- var $recommended_value = TRUE;
-
-
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('cgi.force_redirect');
- }
-
-
-
- private function skipTest() {
- if (strpos(PHP_SAPI, 'cgi') === false) {
- return PHP_SAPI . ' SAPI for php';
- }
-
- // these web servers require cgi.force_redirect = 0
- $webServers = array('Microsoft-IIS', 'OmniHTTPd', 'Xitami');
- if (isset($_SERVER['SERVER_SOFTWARE'])) {
- foreach ($webServers as $webServer) {
- if (strpos($_SERVER['SERVER_SOFTWARE'], $webServer) === 0) {
- return $_SERVER['SERVER_SOFTWARE'];
- }
- }
- }
-
- return false;
- }
-
-
-
- /**
- * Checks to see if cgi.force_redirect is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- if ($this->skipTest())
- {
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
- return PHPSECINFO_TEST_RESULT_WARN;
- }
-
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "force_redirect is enabled, which is the recommended setting");
- $ini = ini_get_all();
- if (isset($ini['cgi.force_redirect'])) {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, enable this setting");
- } else {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, recompile php with --enable-force-cgi-redirect and enable cgi.force_redirect");
- }
- }
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "force_redirect";
+
+ /**
+ * The recommended setting value
+ *
+ * @var mixed
+ */
+ var $recommended_value = TRUE;
+
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('cgi.force_redirect');
+ }
+
+
+ private function skipTest()
+ {
+ if (strpos(PHP_SAPI, 'cgi') === false) {
+ return PHP_SAPI . ' SAPI for php';
+ }
+
+ // these web servers require cgi.force_redirect = 0
+ $webServers = array('Microsoft-IIS', 'OmniHTTPd', 'Xitami');
+ if (isset($_SERVER['SERVER_SOFTWARE'])) {
+ foreach ($webServers as $webServer) {
+ if (strpos($_SERVER['SERVER_SOFTWARE'], $webServer) === 0) {
+ return $_SERVER['SERVER_SOFTWARE'];
+ }
+ }
+ }
+
+ return false;
+ }
+
+
+ /**
+ * Checks to see if cgi.force_redirect is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ if ($this->skipTest()) {
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "force_redirect is enabled, which is the recommended setting");
+ $ini = ini_get_all();
+ if (isset($ini['cgi.force_redirect'])) {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, enable this setting");
+ } else {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $this->skipTest());
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect. In most cases, this is a <strong>serious</strong> security vulnerability. Unless you are absolutely sure this is not needed, recompile php with --enable-force-cgi-redirect and enable cgi.force_redirect");
+ }
+ }
}
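Review bot: `_execTest()` reports a NOTICE on every non-CGI SAPI because `skipTest()` only lowers the severity, although `cgi.force_redirect` has no effect outside the CGI SAPI; the sibling tests express "not applicable" with `isTestable()`, so `function isTestable() { return strpos(PHP_SAPI, 'cgi') !== false; }` plus a NOTRUN message would remove the noise on mod_php hosts (whether php-fpm's `fpm-fcgi` SAPI honours the directive should be confirmed before keying off the substring `cgi`). In `_setMessages()` the return value of `skipTest()` — `$_SERVER['SERVER_SOFTWARE']` — is concatenated into a message that also carries HTML (`<strong>`); if the report renders messages unescaped, wrap it in `htmlspecialchars()`, since that header is set by the web server and not under this plugin's control. `skipTest()` is also evaluated up to three times per run; caching its result in a property avoids repeating the `$_SERVER` scan.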
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_fopen.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_fopen.php
index 799bb88110..b6df400148 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_fopen.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_fopen.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for allow_url_fopen
@@ -21,59 +21,61 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
*/
class PhpSecInfo_Test_Core_Allow_Url_Fopen extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "allow_url_fopen";
-
- /**
- * The recommended setting value
- *
- * @var mixed
- */
- var $recommended_value = FALSE;
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "allow_url_fopen";
+ /**
+ * The recommended setting value
+ *
+ * @var mixed
+ */
+ var $recommended_value = FALSE;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('allow_url_fopen');
- }
-
-
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ( version_compare(PHP_VERSION, '5.2', '<') ) { /* this is much more severe if we're running < 5.2 */
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
- return PHPSECINFO_TEST_RESULT_WARN;
- } else { /* In 5.2, we'll consider allow_url_fopen "safe" */
- $this->recommended_value = TRUE;
- return PHPSECINFO_TEST_RESULT_OK;
- }
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('allow_url_fopen');
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
- if ( version_compare(PHP_VERSION, '5.2', '<') ) { /* this is much more severe if we're running < 5.2 */
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_fopen is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_fopen is enabled. This could be a serious security risk. You should disable allow_url_fopen and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
-
- } else {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'You are running PHP 5.2 or greater, which makes allow_url_fopen significantly safer. Make sure allow_url_include is <em>disabled</em>, though');
- }
- }
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if (version_compare(PHP_VERSION, '5.2', '<')) { /* this is much more severe if we're running < 5.2 */
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_WARN;
+ } else { /* In 5.2, we'll consider allow_url_fopen "safe" */
+ $this->recommended_value = TRUE;
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+ if (version_compare(PHP_VERSION, '5.2', '<')) { /* this is much more severe if we're running < 5.2 */
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_fopen is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_fopen is enabled. This could be a serious security risk. You should disable allow_url_fopen and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
+
+ } else {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'You are running PHP 5.2 or greater, which makes allow_url_fopen significantly safer. Make sure allow_url_include is <em>disabled</em>, though');
+ }
+ }
} \ No newline at end of file
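Review bot: On PHP 5.2 or later `_execTest()` returns OK unconditionally and rewrites `$this->recommended_value` to TRUE as a side effect, so the WARN branch and its message are dead on any PHP version this code is likely to run on and an enabled `allow_url_fopen` is never surfaced. Separating remote include (gated by `allow_url_include` since 5.2) from remote fopen is correct, but the wrappers still let `file_get_contents()`/`fopen()` on an attacker-influenced URL reach internal hosts (SSRF) or pull remote content, so at least a NOTICE is warranted: `return $this->current_value ? PHPSECINFO_TEST_RESULT_NOTICE : PHPSECINFO_TEST_RESULT_OK;` in the else branch, with a matching NOTICE message that names the SSRF risk. Mutating `recommended_value` from inside `_execTest()` should also go; the OK message is already version-specific, so the reassignment only makes the reported "recommended" value depend on execution order.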
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_include.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_include.php
index c9bea4d74d..d80b04753c 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_include.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/allow_url_include.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for allow_url_include
@@ -21,57 +21,60 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
*/
class PhpSecInfo_Test_Core_Allow_Url_Include extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "allow_url_include";
-
-
- var $recommended_value = FALSE;
-
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('allow_url_include');
- }
-
-
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_WARN;
- }
-
-
- /**
- * allow_url_include is only available since PHP 5.2
- *
- * @return boolean
- */
- function isTestable() {
- return version_compare(PHP_VERSION, '5.2', '>=');
- }
-
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running a version of PHP older than 5.2, and allow_url_include is not available');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_include is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_include is enabled. This could be a serious security risk. You should disable allow_url_include and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
- }
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "allow_url_include";
+
+
+ var $recommended_value = FALSE;
+
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('allow_url_include');
+ }
+
+
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
+
+
+ /**
+ * allow_url_include is only available since PHP 5.2
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ return version_compare(PHP_VERSION, '5.2', '>=');
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running a version of PHP older than 5.2, and allow_url_include is not available');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_include is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_include is enabled. This could be a serious security risk. You should disable allow_url_include and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
+ }
} \ No newline at end of file
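Review bot: The docblock on `_execTest()` reads "Checks to see if allow_url_fopen is enabled" but the method tests `allow_url_include`; change it to `* Checks to see if allow_url_include is enabled`. The WARN message recommends "using the PHP cURL functions instead", which is advice for `allow_url_fopen`, not for remote code inclusion — no application needs `include` of a URL, so the message should simply say to disable the directive (it is PHP_INI_SYSTEM, so only php.ini can change it, and it only takes effect when `allow_url_fopen` is also on). The comparison with `==` is fine while `getBooleanIniValue()` returns a strict bool; `===` would document that assumption.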
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/display_errors.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/display_errors.php
index e0e93d6748..3908b289a3 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/display_errors.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/display_errors.php
@@ -1,7 +1,7 @@
<?php
/**
* Test class for display_errors
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -10,53 +10,56 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test class for display_errors
- *
+ *
* @package PhpSecInfo
*/
class PhpSecInfo_Test_Core_Display_Errors extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "display_errors";
-
- var $recommended_value = FALSE;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('display_errors');
- }
-
-
- /**
- * Checks to see if display_errors is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'display_errors is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'display_errors is enabled. This is not recommended on "production" servers, as it could reveal sensitive information. You should consider disabling this feature');
- }
-
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "display_errors";
+
+ var $recommended_value = FALSE;
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('display_errors');
+ }
+
+
+ /**
+ * Checks to see if display_errors is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'display_errors is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'display_errors is enabled. This is not recommended on "production" servers, as it could reveal sensitive information. You should consider disabling this feature');
+ }
+
} \ No newline at end of file
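Review bot: `_retrieveCurrentValue()` funnels `display_errors` through `getBooleanIniValue()`, but the directive also accepts the string values `stderr` and `stdout`; how that helper (outside this hunk) maps `stderr` is not visible, so confirm it is reported as enabled, otherwise the test gives a false OK for a configuration that still emits errors. The NOTICE text says errors "could reveal sensitive information" — be concrete so admins act on it: absolute filesystem paths, SQL fragments and stack traces from uncaught exceptions, all of which also help fingerprint the install; `display_startup_errors` leaks the same class of data and is not checked here. A docblock line on `_execTest()` such as `* Any value other than off (including stderr/stdout) is treated as enabled` would record the intended semantics.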
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/expose_php.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/expose_php.php
index 3f26648193..da1666eeff 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/expose_php.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/expose_php.php
@@ -1,7 +1,7 @@
<?php
/**
* Test class for expose_php
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -10,55 +10,58 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test class for expose_php
- *
+ *
* @package PhpSecInfo
*/
class PhpSecInfo_Test_Core_Expose_Php extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "expose_php";
-
- var $recommended_value = FALSE;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->returnBytes(ini_get('expose_php'));
- }
-
- /**
- * Checks to see if expose_php is enabled
- *
- */
- function _execTest() {
-
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'expose_php is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'expose_php is enabled. This adds
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "expose_php";
+
+ var $recommended_value = FALSE;
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->returnBytes(ini_get('expose_php'));
+ }
+
+ /**
+ * Checks to see if expose_php is enabled
+ *
+ */
+ function _execTest()
+ {
+
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'expose_php is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'expose_php is enabled. This adds
the PHP "signature" to the web server header, including the PHP version number. This
could attract attackers looking for vulnerable versions of PHP');
- }
-
+ }
+
} \ No newline at end of file
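Review bot: `_retrieveCurrentValue()` reads the boolean directive `expose_php` through `returnBytes()`, a helper meant for size strings such as `8M`; `ini_get()` may return the literal `On`/`Off` text from php.ini for boolean directives, and a size parser that turns `On` into 0 would make an exposed server pass as OK. The other boolean tests in this diff use `getBooleanIniValue()`, so use `$this->current_value = $this->getBooleanIniValue('expose_php');` here as well. The NOTICE text could add that `expose_php` is PHP_INI_SYSTEM (changeable only in php.ini) and that the header in question is `X-Powered-By`, so the admin can verify the fix with a single request.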
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/file_uploads.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/file_uploads.php
index 6a3c822aae..fc4f17e07c 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/file_uploads.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/file_uploads.php
@@ -1,7 +1,7 @@
<?php
/**
* Test Class for file_uploads
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -10,54 +10,56 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for file_uploads
- *
+ *
* @package PhpSecInfo
*/
class PhpSecInfo_Test_Core_File_Uploads extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "file_uploads";
-
- var $recommended_value = FALSE;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->returnBytes(ini_get('file_uploads'));
- }
-
- /**
- * Checks to see if expose_php is enabled
- *
- */
- function _execTest() {
-
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'file_uploads are disabled. Unless you\'re sure you need them, this is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'file_uploads are enabled. If you do not require file upload capability, consider disabling them.');
- }
-
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "file_uploads";
+
+ var $recommended_value = FALSE;
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->returnBytes(ini_get('file_uploads'));
+ }
+
+ /**
+ * Checks to see if expose_php is enabled
+ *
+ */
+ function _execTest()
+ {
+
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'file_uploads are disabled. Unless you\'re sure you need them, this is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'file_uploads are enabled. If you do not require file upload capability, consider disabling them.');
+ }
+
} \ No newline at end of file
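Review bot: Same issue as in expose_php: `file_uploads` is a boolean directive but is read via `returnBytes()`, so a php.ini value of `On` may not compare as enabled depending on how that helper parses non-numeric text; `$this->current_value = $this->getBooleanIniValue('file_uploads');` matches the other boolean tests in this diff. The `_execTest()` docblock says "Checks to see if expose_php is enabled" — a copy-paste leftover; it should read `* Checks to see if file_uploads is enabled`. If Piwik itself relies on uploads (not determinable from this hunk), the NOTICE text should name the features that need them so admins do not disable a required capability.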
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/gid.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/gid.php
index 88a6f3c6c1..89265da2c1 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/gid.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/gid.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
@@ -28,32 +28,34 @@ define ('PHPSECINFO_MIN_SAFE_GID', 100);
class PhpSecInfo_Test_Core_Gid extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "group_id";
-
- var $recommended_value = PHPSECINFO_MIN_SAFE_GID;
-
-
- /**
- * This test only works under Unix OSes
- *
- * @return boolean
- */
- function isTestable() {
- if ($this->osIsWindows()) {
- return false;
- } elseif ($this->getUnixId() === false) {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Functions required to retrieve group ID not available');
- return false;
- }
- return true;
- }
-
- function _retrieveCurrentValue() {
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "group_id";
+
+ var $recommended_value = PHPSECINFO_MIN_SAFE_GID;
+
+
+ /**
+ * This test only works under Unix OSes
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ if ($this->osIsWindows()) {
+ return false;
+ } elseif ($this->getUnixId() === false) {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Functions required to retrieve group ID not available');
+ return false;
+ }
+ return true;
+ }
+
+ function _retrieveCurrentValue()
+ {
$id = $this->getUnixId();
if (is_array($id)) {
$lowest_gid = key($id['groups']);
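Review bot: `isTestable()` stores a specific NOTRUN message ("Functions required to retrieve group ID not available"), but `_setMessages()` in the next hunk also sets a NOTRUN message ("This test will not run on Windows OSes"); which one survives depends on the call order in the base class, not visible here — confirm, or have `_setMessages()` only set the generic text when no NOTRUN message exists yet. `_retrieveCurrentValue()` takes `key($id['groups'])` as the "lowest" GID, which only holds if `getUnixId()` returns the groups ordered by key; `$lowest_gid = min(array_keys($id['groups']));` removes that dependency, assuming the keys are the GIDs as the existing `key()` call implies. `_retrieveCurrentValue()` continues past the end of this hunk.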
@@ -61,33 +63,35 @@ class PhpSecInfo_Test_Core_Gid extends PhpSecInfo_Test_Core
} else {
$this->current_value = false;
}
- }
-
- /**
- * Checks the GID of the PHP process to make sure it is above PHPSECINFO_MIN_SAFE_GID
- *
- * @see PHPSECINFO_MIN_SAFE_GID
- */
- function _execTest() {
- if ($this->current_value >= $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_WARN;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'PHP is executing as what is probably a non-privileged group');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'PHP may be executing as a "privileged" group, which could be a serious security vulnerability.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test will not run on Windows OSes');
- }
+ }
+
+ /**
+ * Checks the GID of the PHP process to make sure it is above PHPSECINFO_MIN_SAFE_GID
+ *
+ * @see PHPSECINFO_MIN_SAFE_GID
+ */
+ function _execTest()
+ {
+ if ($this->current_value >= $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'PHP is executing as what is probably a non-privileged group');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'PHP may be executing as a "privileged" group, which could be a serious security vulnerability.');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test will not run on Windows OSes');
+ }
} \ No newline at end of file
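Review bot: `_execTest()` treats any GID below `PHPSECINFO_MIN_SAFE_GID` (100) as "privileged", but on Debian/Ubuntu the web server runs as `www-data` (GID 33) and on RHEL-family systems as `apache` (GID 48) — dedicated unprivileged service accounts — so the WARN with "serious security vulnerability" fires on most default installs and teaches admins to ignore the report. The only GID privileged by definition is 0; check it explicitly (`if ($this->current_value === 0) return PHPSECINFO_TEST_RESULT_WARN;`) and downgrade the sub-threshold case to NOTICE with wording that says the group is a system group worth verifying, not that it is privileged. When `_retrieveCurrentValue()` leaves `current_value` as `false`, `false >= 100` also yields WARN with the same misleading text, although `isTestable()` is meant to prevent that path.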
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/magic_quotes_gpc.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/magic_quotes_gpc.php
index 89a0ff6f0d..2a69954f0e 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/magic_quotes_gpc.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/magic_quotes_gpc.php
@@ -7,11 +7,10 @@
*/
-
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for magic_quotes_gpc
@@ -20,61 +19,65 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
*/
class PhpSecInfo_Test_Core_Magic_Quotes_GPC extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "magic_quotes_gpc";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "magic_quotes_gpc";
- var $recommended_value = FALSE;
+ var $recommended_value = FALSE;
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('magic_quotes_gpc');
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('magic_quotes_gpc');
+ }
- /**
- * magic_quotes_gpc has been removed since PHP 6.0
- *
- * @return boolean
- */
- function isTestable() {
- return version_compare(PHP_VERSION, '6', '<') ;
- }
+ /**
+ * magic_quotes_gpc has been removed since PHP 6.0
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ return version_compare(PHP_VERSION, '6', '<');
+ }
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running PHP 6 or later and magic_quotes_gpc has been removed');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'magic_quotes_gpc is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'magic_quotes_gpc is enabled. This
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running PHP 6 or later and magic_quotes_gpc has been removed');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'magic_quotes_gpc is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'magic_quotes_gpc is enabled. This
feature is inconsistent in blocking attacks, and can in some cases cause data loss with
uploaded files. You should <i>not</i> rely on magic_quotes_gpc to block attacks. It is
recommended that magic_quotes_gpc be disabled, and input filtering be handled by your PHP
scripts');
- }
+ }
} \ No newline at end of file
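Review bot: `isTestable()` and the NOTRUN message claim `magic_quotes_gpc` was removed in "PHP 6", but the directive was deprecated in 5.3 and removed in PHP 5.4.0, so on 5.4+ the test still runs and reports "disabled, which is the recommended setting" for a directive that no longer exists; use `return version_compare(PHP_VERSION, '5.4', '<');` and change the NOTRUN text to "You are running PHP 5.4 or later and magic_quotes_gpc has been removed". The `_execTest()` docblock says "Checks to see if allow_url_fopen is enabled" — copy-paste; it should name `magic_quotes_gpc`. The NOTICE text is right on substance (magic quotes are not an injection defence); saying "prepared statements and context-specific escaping" instead of "input filtering" would point admins at the actual mitigation.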
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/memory_limit.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/memory_limit.php
index 82a33d8db9..cd76ecd3a8 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/memory_limit.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/memory_limit.php
@@ -12,13 +12,13 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* The max recommended size for the memory_limit setting, in bytes
*
*/
-define ('PHPSECINFO_MEMORY_LIMIT', 8*1024*1024);
+define ('PHPSECINFO_MEMORY_LIMIT', 8 * 1024 * 1024);
/**
* Test Class for memory_limit setting
@@ -29,60 +29,63 @@ class PhpSecInfo_Test_Core_Memory_Limit extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "memory_limit";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "memory_limit";
- var $recommended_value = PHPSECINFO_MEMORY_LIMIT;
+ var $recommended_value = PHPSECINFO_MEMORY_LIMIT;
- function _retrieveCurrentValue() {
- $this->current_value = $this->returnBytes(ini_get('memory_limit'));
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->returnBytes(ini_get('memory_limit'));
+ }
- /**
- * Check to see if the memory_limit setting is enabled.
- *
- * Test conditions and results:
- * OK: memory_limit enabled and set to a value of 8MB or less.
- * NOTICE: memory_limit enabled and set to a value greater than 8MB.
- * WARNING: memory_limit disabled (compile time option).
- *
- * @return integer
- */
- function _execTest() {
- if (!$this->current_value) {
- return PHPSECINFO_TEST_RESULT_WARN;
- } else if ($this->returnBytes($this->current_value) <= PHPSECINFO_MEMORY_LIMIT) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ /**
+ * Check to see if the memory_limit setting is enabled.
+ *
+ * Test conditions and results:
+ * OK: memory_limit enabled and set to a value of 8MB or less.
+ * NOTICE: memory_limit enabled and set to a value greater than 8MB.
+ * WARNING: memory_limit disabled (compile time option).
+ *
+ * @return integer
+ */
+ function _execTest()
+ {
+ if (!$this->current_value) {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ } else if ($this->returnBytes($this->current_value) <= PHPSECINFO_MEMORY_LIMIT) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- /**
- * Set the messages specific to this test
- *
- * @access public
- * @return null
- */
- function _setMessages() {
- parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'memory_limit is enabled, and appears to be set
+ /**
+ * Set the messages specific to this test
+ *
+ * @access public
+ * @return null
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'memory_limit is enabled, and appears to be set
to a realistic value.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'memory_limit is set to a very high value. Are
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'memory_limit is set to a very high value. Are
you sure your apps require this much memory? If not, lower the limit, as certain attacks or poor
programming practices can lead to exhaustion of server resources. It is recommended that you set this
to a realistic value (8M for example) from which it can be expanded as required.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'memory_limit does not appear to be enabled. This
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'memory_limit does not appear to be enabled. This
leaves the server vulnerable to attacks that attempt to exhaust resources and creates an environment
where poor programming practices can propagate unchecked. This must be enabled at compile time by
including the parameter "--enable-memory-limit" in the configure line. Once enabled "memory_limit" may
be set in php.ini to define the maximum amount of memory a script is allowed to allocate.');
- }
+ }
} \ No newline at end of file
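Review bot: `_execTest()` classifies `memory_limit = -1` (no limit) as OK: a negative value is truthy so the WARN branch is skipped, and `-1 <= PHPSECINFO_MEMORY_LIMIT` yields OK with the text "appears to be set to a realistic value" — the opposite of the resource-exhaustion risk the WARN message describes; add `if ($this->current_value < 0) return PHPSECINFO_TEST_RESULT_WARN;` ahead of the comparison (assuming `returnBytes()`, outside this hunk, passes a negative value through) and make the WARN message cover "disabled or unlimited (-1)". The WARN text's advice to recompile with `--enable-memory-limit` is stale: the directive has been unconditionally available since PHP 5.2.1, so on a current PHP that branch is only reachable via a 0/-1 value in php.ini. `returnBytes()` is also applied twice (in `_retrieveCurrentValue()` and again in `_execTest()`); the second call is redundant. The 8 MB ceiling will flag essentially every Piwik install as NOTICE; the project's own minimum is not visible here but is worth aligning with.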
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/open_basedir.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/open_basedir.php
index d5b0d282f6..4363dbdda4 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/open_basedir.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/open_basedir.php
@@ -1,7 +1,7 @@
<?php
/**
* Test Class for open_basedir
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -10,60 +10,63 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for open_basedir
- *
+ *
* @package PhpSecInfo
*/
class PhpSecInfo_Test_Core_Open_Basedir extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "open_basedir";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "open_basedir";
- var $recommended_value = TRUE;
+ var $recommended_value = TRUE;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('open_basedir');
- }
-
-
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'open_basedir is enabled, which is the
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('open_basedir');
+ }
+
+
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'open_basedir is enabled, which is the
recommended setting. Keep in mind that other web applications not written in PHP will not
be restricted by this setting.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'open_basedir is disabled. When
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'open_basedir is disabled. When
this is enabled, only files that are in the
given directory/directories and their subdirectories can be read by PHP scripts.
You should consider turning this on. Keep in mind that other web applications not
written in PHP will not be restricted by this setting.');
- }
-
+ }
+
} \ No newline at end of file
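Review bot: The docblock on the new-side `_execTest` still reads `Checks to see if allow_url_fopen is enabled`, a copy-paste from another test; this class checks open_basedir. Suggest `* Returns OK when open_basedir is set, NOTICE otherwise.` in its place. The same stale allow_url_fopen docblock sits on `_execTest` in Core/register_globals.php and Session/use_trans_sid.php in this commit. Separately, `getBooleanIniValue()` presumably yields a bool, so the `==` against `$recommended_value` could be `===`; that is pre-existing and not something the commit changes.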
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/post_max_size.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/post_max_size.php
index 09bd2474ec..c2d9b633be 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/post_max_size.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/post_max_size.php
@@ -10,13 +10,13 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* The max recommended size for the post_max_size setting, in bytes
*
*/
-define ('PHPSECINFO_POST_MAXLIMIT', 1024*256);
+define ('PHPSECINFO_POST_MAXLIMIT', 1024 * 256);
/**
* Test Class for post_max_size
@@ -26,46 +26,50 @@ define ('PHPSECINFO_POST_MAXLIMIT', 1024*256);
class PhpSecInfo_Test_Core_Post_Max_Size extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "post_max_size";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "post_max_size";
- var $recommended_value = PHPSECINFO_POST_MAXLIMIT;
+ var $recommended_value = PHPSECINFO_POST_MAXLIMIT;
- function _retrieveCurrentValue() {
- $this->current_value = $this->returnBytes(ini_get('post_max_size'));
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->returnBytes(ini_get('post_max_size'));
+ }
- /**
- * Check to see if the post_max_size setting is enabled.
- */
- function _execTest() {
+ /**
+ * Check to see if the post_max_size setting is enabled.
+ */
+ function _execTest()
+ {
- if ($this->current_value
- && $this->current_value <= $this->recommended_value
- && $post_max_size != -1) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ if ($this->current_value
+ && $this->current_value <= $this->recommended_value
+ && $post_max_size != -1
+ ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'post_max_size is enabled, and appears to
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'post_max_size is enabled, and appears to
be a relatively low value');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'post_max_size is not enabled, or is set to
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'post_max_size is not enabled, or is set to
a high value. Allowing a large value may open up your server to denial-of-service attacks');
- }
+ }
} \ No newline at end of file
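Review bot: `$post_max_size` in the new-side `_execTest` condition is never assigned in this method, so `$post_max_size != -1` compares null with -1, is always true, and raises an undefined-variable notice on every run. The intent appears to be the value already stored by `_retrieveCurrentValue`, so the line should read `&& $this->current_value != -1`. Without that, an unlimited setting would pass as OK if `returnBytes` passes -1 through, since -1 is truthy and below the recommended limit. The same undefined `$post_max_size` appears in `_execTest` of Core/upload_max_filesize.php in this commit.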
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/register_globals.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/register_globals.php
index 1caa7e8e30..522813e94b 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/register_globals.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/register_globals.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
@@ -21,57 +21,60 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
class PhpSecInfo_Test_Core_Register_Globals extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "register_globals";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "register_globals";
- var $recommended_value = FALSE;
+ var $recommended_value = FALSE;
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('register_globals');
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('register_globals');
+ }
- /**
- * register_globals has been removed since PHP 6.0
- *
- * @return boolean
- */
- function isTestable() {
- return version_compare(PHP_VERSION, '6', '<') ;
- }
+ /**
+ * register_globals has been removed since PHP 6.0
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ return version_compare(PHP_VERSION, '6', '<');
+ }
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
- return PHPSECINFO_TEST_RESULT_WARN;
- }
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running PHP 6 or later and register_globals has been removed');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'register_globals is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'register_globals is enabled. This could be a serious security risk. You should disable register_globals immediately');
- }
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'You are running PHP 6 or later and register_globals has been removed');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'register_globals is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'register_globals is enabled. This could be a serious security risk. You should disable register_globals immediately');
+ }
} \ No newline at end of file
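Review bot: `isTestable` on the new side gates on `version_compare(PHP_VERSION, '6', '<')`, but register_globals was removed in PHP 5.4.0, so on 5.4 and later the test still runs against an ini setting that no longer exists while the NOTRUN message talks about PHP 6. Suggest `return version_compare(PHP_VERSION, '5.4.0', '<');` and updating the docblock and the NOTRUN message to say 5.4. Whether `getBooleanIniValue('register_globals')` returns false for an absent setting is not visible here; if it does, the current code silently reports OK on modern PHP rather than NOTRUN.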
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/uid.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/uid.php
index cbc3ae13ec..a07f268836 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/uid.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/uid.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
@@ -28,66 +28,70 @@ define ('PHPSECINFO_MIN_SAFE_UID', 100);
class PhpSecInfo_Test_Core_Uid extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "user_id";
-
- var $recommended_value = PHPSECINFO_MIN_SAFE_UID;
-
- /**
- * This test only works under Unix OSes
- *
- * @return boolean
- */
- function isTestable() {
- if ($this->osIsWindows()) {
- return false;
- } elseif ($this->getUnixId() === false) {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Functions required to retrieve user ID not available');
- return false;
- }
- return true;
- }
-
-
- function _retrieveCurrentValue() {
- $id = $this->getUnixId();
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "user_id";
+
+ var $recommended_value = PHPSECINFO_MIN_SAFE_UID;
+
+ /**
+ * This test only works under Unix OSes
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ if ($this->osIsWindows()) {
+ return false;
+ } elseif ($this->getUnixId() === false) {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Functions required to retrieve user ID not available');
+ return false;
+ }
+ return true;
+ }
+
+
+ function _retrieveCurrentValue()
+ {
+ $id = $this->getUnixId();
if (is_array($id)) {
$this->current_value = $id['uid'];
} else {
$this->current_value = false;
}
- }
-
- /**
- * Checks the GID of the PHP process to make sure it is above PHPSECINFO_MIN_SAFE_UID
- *
- * @see PHPSECINFO_MIN_SAFE_UID
- */
- function _execTest() {
- if ($this->current_value >= $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_WARN;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'PHP is executing as what is probably a non-privileged user');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'PHP may be executing as a "privileged" user, which could be a serious security vulnerability.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test will not run on Windows OSes');
- }
+ }
+
+ /**
+ * Checks the GID of the PHP process to make sure it is above PHPSECINFO_MIN_SAFE_UID
+ *
+ * @see PHPSECINFO_MIN_SAFE_UID
+ */
+ function _execTest()
+ {
+ if ($this->current_value >= $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'PHP is executing as what is probably a non-privileged user');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'PHP may be executing as a "privileged" user, which could be a serious security vulnerability.');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test will not run on Windows OSes');
+ }
} \ No newline at end of file
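Review bot: The docblock on the new-side `_execTest` says `Checks the GID of the PHP process`, but this is the UID test: `_retrieveCurrentValue` stores `$id['uid']` and the method compares it against PHPSECINFO_MIN_SAFE_UID. Suggest `* Checks the UID of the PHP process to make sure it is at or above PHPSECINFO_MIN_SAFE_UID` — the comparison is `>=`, so "above" is also imprecise. Note also that `isTestable` sets a NOTRUN message for the missing-functions case while `_setMessages` sets a different NOTRUN message; which one survives depends on the call order in the parent class, which is not visible here and is worth confirming.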
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_max_filesize.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_max_filesize.php
index bc0b66b42b..07502a4153 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_max_filesize.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_max_filesize.php
@@ -9,13 +9,13 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* The max recommended size for the upload_max_filesize setting, in bytes
*
*/
-define ('PHPSECINFO_UPLOAD_MAXLIMIT', 1024*256);
+define ('PHPSECINFO_UPLOAD_MAXLIMIT', 1024 * 256);
/**
@@ -27,44 +27,48 @@ class PhpSecInfo_Test_Core_Upload_Max_Filesize extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "upload_max_filesize";
-
- var $recommended_value = PHPSECINFO_UPLOAD_MAXLIMIT;
-
- function _retrieveCurrentValue() {
- $this->current_value = $this->returnBytes(ini_get('upload_max_filesize'));
- }
-
- /**
- * Check to see if the post_max_size setting is enabled.
- */
- function _execTest() {
-
- if ($this->current_value
- && $this->current_value <= $this->recommended_value
- && $post_max_size != -1) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'upload_max_filesize is enabled, and appears to be a relatively low value.');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'upload_max_filesize is not enabled, or is set to a high value. Are you sure your apps require uploading files of this size? If not, lower the limit, as large file uploads can impact server performance');
- }
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "upload_max_filesize";
+
+ var $recommended_value = PHPSECINFO_UPLOAD_MAXLIMIT;
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->returnBytes(ini_get('upload_max_filesize'));
+ }
+
+ /**
+ * Check to see if the post_max_size setting is enabled.
+ */
+ function _execTest()
+ {
+
+ if ($this->current_value
+ && $this->current_value <= $this->recommended_value
+ && $post_max_size != -1
+ ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'upload_max_filesize is enabled, and appears to be a relatively low value.');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'upload_max_filesize is not enabled, or is set to a high value. Are you sure your apps require uploading files of this size? If not, lower the limit, as large file uploads can impact server performance');
+ }
} \ No newline at end of file
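Review bot: The docblock on the new-side `_execTest` reads `Check to see if the post_max_size setting is enabled.` and the condition references `$post_max_size`, both carried over from Core/post_max_size.php; this class tests upload_max_filesize. Suggest `* Check that upload_max_filesize is set and does not exceed PHPSECINFO_UPLOAD_MAXLIMIT.` for the docblock, and `&& $this->current_value != -1` in place of the undefined variable, as raised on post_max_size.php.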
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_tmp_dir.php b/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_tmp_dir.php
index e0b173dbea..4a83e0f7cd 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_tmp_dir.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Core/upload_tmp_dir.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Core.php');
/**
* Test Class for upload_tmp_dir
@@ -19,82 +19,87 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
class PhpSecInfo_Test_Core_Upload_Tmp_Dir extends PhpSecInfo_Test_Core
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "upload_tmp_dir";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "upload_tmp_dir";
- var $recommended_value = "A non-world readable/writable directory";
+ var $recommended_value = "A non-world readable/writable directory";
- function _retrieveCurrentValue() {
- $this->current_value = ini_get('upload_tmp_dir');
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = ini_get('upload_tmp_dir');
- if( empty($this->current_value) ) {
- if (function_exists("sys_get_temp_dir")) {
- $this->current_value = sys_get_temp_dir();
- } else {
- $this->current_value = $this->sys_get_temp_dir();
- }
- }
- }
+ if (empty($this->current_value)) {
+ if (function_exists("sys_get_temp_dir")) {
+ $this->current_value = sys_get_temp_dir();
+ } else {
+ $this->current_value = $this->sys_get_temp_dir();
+ }
+ }
+ }
- /**
- * We are disabling this function on Windows OSes right now until
- * we can be certain of the proper way to check world-readability
- *
- * @return unknown
- */
- function isTestable() {
- if ($this->osIsWindows()) {
- return FALSE;
- } else {
- return TRUE;
- }
- }
+ /**
+ * We are disabling this function on Windows OSes right now until
+ * we can be certain of the proper way to check world-readability
+ *
+ * @return unknown
+ */
+ function isTestable()
+ {
+ if ($this->osIsWindows()) {
+ return FALSE;
+ } else {
+ return TRUE;
+ }
+ }
- /**
- * Check if upload_tmp_dir matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
- *
- * This is still unix-specific, and it's possible that for now
- * this test should be disabled under Windows builds.
- *
- * @see PHPSECINFO_TEST_COMMON_TMPDIR
- */
- function _execTest() {
+ /**
+ * Check if upload_tmp_dir matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
+ *
+ * This is still unix-specific, and it's possible that for now
+ * this test should be disabled under Windows builds.
+ *
+ * @see PHPSECINFO_TEST_COMMON_TMPDIR
+ */
+ function _execTest()
+ {
- $perms = @fileperms($this->current_value);
- if ($perms === false) {
- return PHPSECINFO_TEST_RESULT_WARN;
- } else if ($this->current_value
- && !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value)
- && ! ($perms & 0x0004)
- && ! ($perms & 0x0002) ) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ $perms = @fileperms($this->current_value);
+ if ($perms === false) {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ } else if ($this->current_value
+ && !preg_match("|" . PHPSECINFO_TEST_COMMON_TMPDIR . "/?|", $this->current_value)
+ && !($perms & 0x0004)
+ && !($perms & 0x0002)
+ ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- // rewrite current_value to display perms
- $this->current_value .= " (".substr(sprintf('%o', $perms), -4).")";
+ // rewrite current_value to display perms
+ $this->current_value .= " (" . substr(sprintf('%o', $perms), -4) . ")";
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'upload_tmp_dir is enabled, which is the
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'upload_tmp_dir is enabled, which is the
recommended setting. Make sure your upload_tmp_dir path is not world-readable');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'unable to retrieve file permissions on upload_tmp_dir');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'upload_tmp_dir is disabled, or is set to a
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'unable to retrieve file permissions on upload_tmp_dir');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'upload_tmp_dir is disabled, or is set to a
common world-writable directory. This typically allows other users on this server
to access temporary copies of files uploaded via your PHP scripts. You should set
upload_tmp_dir to a non-world-readable directory');
- }
+ }
} \ No newline at end of file
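Review bot: The regex in the new-side `_execTest`, `"|" . PHPSECINFO_TEST_COMMON_TMPDIR . "/?|"`, is unanchored and the constant is not passed through `preg_quote`, so any path that merely contains the common tmpdir string (a private directory nested under it, or a name that starts with it) is treated as the shared tmpdir, and regex metacharacters in the constant would alter the match. Suggest `!preg_match('|^' . preg_quote(PHPSECINFO_TEST_COMMON_TMPDIR, '|') . '/?$|', $this->current_value)` so only the directory itself matches and the world-readable/writable bits decide the rest. The same pattern appears in `_execTest` of Session/save_path.php in this commit. The `@` on `fileperms` hides why a WARN was returned; since the false return is already handled, the suppression adds nothing.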
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Curl/file_support.php b/plugins/SecurityInfo/PhpSecInfo/Test/Curl/file_support.php
index 816d747259..b02428f62f 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Curl/file_support.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Curl/file_support.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Curl class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Curl.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Curl.php');
/**
* Test class for CURL file_support
@@ -24,52 +24,54 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Curl.php');
class PhpSecInfo_Test_Curl_File_Support extends PhpSecInfo_Test_Curl
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "file_support";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "file_support";
- var $recommended_value = '5.1.6+ or 4.4.4+';
+ var $recommended_value = '5.1.6+ or 4.4.4+';
- function _retrieveCurrentValue() {
- $this->current_value = PHP_VERSION;
- }
-
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = PHP_VERSION;
+ }
- /**
- * Checks to see if libcurl's "file://" support is enabled by examining the "protocols" array
- * in the info returned from curl_version()
- * @return integer
- *
- */
- function _execTest() {
- $curlinfo = curl_version();
+ /**
+ * Checks to see if libcurl's "file://" support is enabled by examining the "protocols" array
+ * in the info returned from curl_version()
+ * @return integer
+ *
+ */
+ function _execTest()
+ {
- if ( version_compare($this->current_value, '5.1.6', '>=') ||
- (version_compare($this->current_value, '4.4.4', '>=')) && ( version_compare($this->current_value, '5', '<') )
- ) {
- return PHPSECINFO_TEST_RESULT_OK;
- } else {
- return PHPSECINFO_TEST_RESULT_WARN;
- }
+ $curlinfo = curl_version();
- }
+ if (version_compare($this->current_value, '5.1.6', '>=') ||
+ (version_compare($this->current_value, '4.4.4', '>=')) && (version_compare($this->current_value, '5', '<'))
+ ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ } else {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ }
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP 4.4.4 or higher, or PHP 5.1.6 or higher. These versions fix the security hole present in the cURL functions that allow it to bypass safe_mode and open_basedir restrictions.");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "A security hole present in your version of PHP allows the cURL functions to bypass safe_mode and open_basedir restrictions. You should upgrade to the latest version of PHP.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP 4.4.4 or higher, or PHP 5.1.6 or higher. These versions fix the security hole present in the cURL functions that allow it to bypass safe_mode and open_basedir restrictions.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "A security hole present in your version of PHP allows the cURL functions to bypass safe_mode and open_basedir restrictions. You should upgrade to the latest version of PHP.");
- }
+ }
} \ No newline at end of file
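Review bot: `$curlinfo = curl_version();` on the new side is assigned and never read, and the docblock above `_execTest` claims the test examines the `protocols` array from curl_version(), which the code does not do; it only compares PHP_VERSION against 5.1.6 and 4.4.4. Either drop the unused call or make the docblock describe the PHP-version comparison, e.g. `* Returns OK when PHP is 5.1.6+ or 4.4.4+ on the 4.x branch, WARN otherwise.` The condition `A || B && C` relies on `&&` binding tighter than `||`; explicit parentheses around the 4.4.x clause would make that intent visible. If the cURL extension is absent, `curl_version()` is undefined; presumably the parent PhpSecInfo_Test_Curl gates that in isTestable, but it is not visible here.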
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
index 910e5c7fd2..f04d087802 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Core class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Session.php');
/**
* Test class for session save_path
@@ -19,87 +19,92 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
class PhpSecInfo_Test_Session_Save_Path extends PhpSecInfo_Test_Session
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "save_path";
-
- var $recommended_value = "A non-world readable/writable directory";
-
- function _retrieveCurrentValue() {
- $this->current_value = ini_get('session.save_path');
-
- if( empty($this->current_value) ) {
- if (function_exists("sys_get_temp_dir")) {
- $this->current_value = sys_get_temp_dir();
- } else {
- $this->current_value = $this->sys_get_temp_dir();
- }
- }
-
- if( preg_match('/^[0-9]+;(.+)/', $this->current_value, $matches) ) {
- $this->current_value = $matches[1];
- }
- }
-
-
- /**
- * We are disabling this function on Windows OSes right now until
- * we can be certain of the proper way to check world-readability
- *
- * @return unknown
- */
- function isTestable() {
- if ($this->osIsWindows()) {
- return FALSE;
- } else {
- return TRUE;
- }
- }
-
-
- /**
- * Check if session.save_path matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
- *
- * This is still unix-specific, and it's possible that for now
- * this test should be disabled under Windows builds.
- *
- * @see PHPSECINFO_TEST_COMMON_TMPDIR
- */
- function _execTest() {
-
- $perms = @fileperms($this->current_value);
- if ($perms === false) {
- return PHPSECINFO_TEST_RESULT_WARN;
- } else if ($this->current_value
- && !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value)
- && ! ($perms & 0x0004)
- && ! ($perms & 0x0002) ) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
-
- // rewrite current_value to display perms
- $this->current_value .= " (".substr(sprintf('%o', $perms), -4).")";
-
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
-
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'save_path is enabled, which is the
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "save_path";
+
+ var $recommended_value = "A non-world readable/writable directory";
+
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = ini_get('session.save_path');
+
+ if (empty($this->current_value)) {
+ if (function_exists("sys_get_temp_dir")) {
+ $this->current_value = sys_get_temp_dir();
+ } else {
+ $this->current_value = $this->sys_get_temp_dir();
+ }
+ }
+
+ if (preg_match('/^[0-9]+;(.+)/', $this->current_value, $matches)) {
+ $this->current_value = $matches[1];
+ }
+ }
+
+
+ /**
+ * We are disabling this function on Windows OSes right now until
+ * we can be certain of the proper way to check world-readability
+ *
+ * @return unknown
+ */
+ function isTestable()
+ {
+ if ($this->osIsWindows()) {
+ return FALSE;
+ } else {
+ return TRUE;
+ }
+ }
+
+
+ /**
+ * Check if session.save_path matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
+ *
+ * This is still unix-specific, and it's possible that for now
+ * this test should be disabled under Windows builds.
+ *
+ * @see PHPSECINFO_TEST_COMMON_TMPDIR
+ */
+ function _execTest()
+ {
+
+ $perms = @fileperms($this->current_value);
+ if ($perms === false) {
+ return PHPSECINFO_TEST_RESULT_WARN;
+ } else if ($this->current_value
+ && !preg_match("|" . PHPSECINFO_TEST_COMMON_TMPDIR . "/?|", $this->current_value)
+ && !($perms & 0x0004)
+ && !($perms & 0x0002)
+ ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ // rewrite current_value to display perms
+ $this->current_value .= " (" . substr(sprintf('%o', $perms), -4) . ")";
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'save_path is enabled, which is the
recommended setting. Make sure your save_path path is not world-readable');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'unable to retrieve file permissions on save_path');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'save_path is disabled, or is set to a
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'unable to retrieve file permissions on save_path');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'save_path is disabled, or is set to a
common world-writable directory. This typically allows other users on this server
to access session files. You should set save_path to a non-world-readable directory');
- }
+ }
} \ No newline at end of file
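Review bot: The `preg_match('/^[0-9]+;(.+)/', ...)` in the new-side `_retrieveCurrentValue` strips only the `N;` depth prefix of session.save_path, but the setting also accepts an `N;MODE;/path` form with an octal permission field; for that form the captured path is `MODE;/path`, `fileperms` fails, and a correctly configured directory is reported as WARN. Suggest `if (preg_match('/^[0-9]+;(?:[0-7]+;)?(.+)/', $this->current_value, $matches)) {` so the optional mode segment is skipped. The unanchored, unquoted tmpdir regex in `_execTest` is the same issue raised on Core/upload_tmp_dir.php.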
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Session/use_trans_sid.php b/plugins/SecurityInfo/PhpSecInfo/Test/Session/use_trans_sid.php
index f7f3f2e4a9..c3a61e5d59 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Session/use_trans_sid.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Session/use_trans_sid.php
@@ -10,7 +10,7 @@
/**
* require the PhpSecInfo_Test_Session class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Session.php');
/**
* Test class for session use_trans_sid
@@ -21,46 +21,49 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
class PhpSecInfo_Test_Session_Use_Trans_Sid extends PhpSecInfo_Test_Session
{
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = "use_trans_sid";
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "use_trans_sid";
- var $recommended_value = FALSE;
+ var $recommended_value = FALSE;
- function _retrieveCurrentValue() {
- $this->current_value = $this->getBooleanIniValue('session.use_trans_sid');
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = $this->getBooleanIniValue('session.use_trans_sid');
+ }
- /**
- * Checks to see if allow_url_fopen is enabled
- *
- */
- function _execTest() {
- if ($this->current_value == $this->recommended_value) {
- return PHPSECINFO_TEST_RESULT_OK;
- }
+ /**
+ * Checks to see if allow_url_fopen is enabled
+ *
+ */
+ function _execTest()
+ {
+ if ($this->current_value == $this->recommended_value) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
- /**
- * Set the messages specific to this test
- *
- */
- function _setMessages() {
- parent::_setMessages();
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'use_trans_sid is disabled, which is the recommended setting');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'use_trans_sid is enabled. This makes session hijacking easier. Consider disabling this feature');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'use_trans_sid is disabled, which is the recommended setting');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'use_trans_sid is enabled. This makes session hijacking easier. Consider disabling this feature');
- }
+ }
} \ No newline at end of file
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/extension.php b/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/extension.php
index 50e4d05359..f6a0d340d2 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/extension.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/extension.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Suhosin class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Suhosin.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Suhosin.php');
/**
* Test class for Suhosin extension
@@ -21,26 +21,29 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Suhosin.php');
*/
class PhpSecInfo_Test_Suhosin_Extension extends PhpSecInfo_Test_Suhosin
{
- var $test_name = "Suhosin extension";
+ var $test_name = "Suhosin extension";
- var $recommended_value = true;
+ var $recommended_value = true;
- function _retrieveCurrentValue() {
- $this->current_value = extension_loaded('suhosin');
- }
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = extension_loaded('suhosin');
+ }
- function _execTest() {
- if ( $this->current_value === true ) {
- return PHPSECINFO_TEST_RESULT_OK;
- } else {
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
- }
+ function _execTest()
+ {
+ if ($this->current_value === true) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ } else {
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+ }
- function _setMessages() {
- parent::_setMessages();
+ function _setMessages()
+ {
+ parent::_setMessages();
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP with the Suhosin extension loaded. This extension provides high-level runtime protections, and additional filtering and logging features.");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.");
- }
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP with the Suhosin extension loaded. This extension provides high-level runtime protections, and additional filtering and logging features.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.");
+ }
}
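Review bot: `$test_name = "Suhosin extension"` contains a space, and unless `PhpSecInfo_Test_Suhosin` overrides `getMoreInfoURL()`, the base implementation in the Test.php hunk of this same commit appends `strtolower("{$tn}.html")` to `PHPSECINFO_TEST_MOREINFO_BASEURL`, so the "more info" link ends up with an unencoded space in its path. Either give `test_name` a whitespace-free identifier (the base-class docblock describes it as a unique identifier) or have the URL builder pass the name through `rawurlencode()`. The same applies to `"Suhosin patch"` in the patch.php hunk that follows.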
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/patch.php b/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/patch.php
index 6e982edae2..ec475281bd 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/patch.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Suhosin/patch.php
@@ -9,7 +9,7 @@
/**
* require the PhpSecInfo_Test_Suhosin class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Suhosin.php');
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test_Suhosin.php');
/**
* Test class for Suhosin
@@ -21,35 +21,38 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Suhosin.php');
*/
class PhpSecInfo_Test_Suhosin_Patch extends PhpSecInfo_Test_Suhosin
{
- var $test_name = "Suhosin patch";
-
- var $recommended_value = true;
-
- function _retrieveCurrentValue() {
- if (preg_match('/Suhosin/', $_SERVER['SERVER_SOFTWARE'])) {
- $this->current_value = true;
- } else {
- $this->current_value = false;
-
- $constants = get_defined_constants();
- if(isset($constants['SUHOSIN_PATCH']) && $constants['SUHOSIN_PATCH'] == 1) {
- $this->current_value = true;
- }
- }
- }
-
- function _execTest() {
- if ( $this->current_value === true ) {
- return PHPSECINFO_TEST_RESULT_OK;
- } else {
- return PHPSECINFO_TEST_RESULT_NOTICE;
- }
- }
-
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP with the Suhosin patch applied against the PHP core. This patch implements various low-level protections against (for example) buffer overflows and format string vulnerabilities.");
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.");
- }
+ var $test_name = "Suhosin patch";
+
+ var $recommended_value = true;
+
+ function _retrieveCurrentValue()
+ {
+ if (preg_match('/Suhosin/', $_SERVER['SERVER_SOFTWARE'])) {
+ $this->current_value = true;
+ } else {
+ $this->current_value = false;
+
+ $constants = get_defined_constants();
+ if (isset($constants['SUHOSIN_PATCH']) && $constants['SUHOSIN_PATCH'] == 1) {
+ $this->current_value = true;
+ }
+ }
+ }
+
+ function _execTest()
+ {
+ if ($this->current_value === true) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ } else {
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+ }
+
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "You are running PHP with the Suhosin patch applied against the PHP core. This patch implements various low-level protections against (for example) buffer overflows and format string vulnerabilities.");
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.");
+ }
}
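Review bot: `_retrieveCurrentValue` reads `$_SERVER['SERVER_SOFTWARE']` unconditionally; under the CLI SAPI (and some server setups) that key is absent, so `preg_match` runs on an undefined index and emits a notice before falling through to the constant check. Guard it with `$software = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';` and match against `$software`. The fallback can also be written as `defined('SUHOSIN_PATCH') && SUHOSIN_PATCH == 1` instead of materialising the whole `get_defined_constants()` array for a single lookup.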
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test.php
index b4902a718c..978309879d 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test.php
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/PhpSecInfo.php');
define ('PHPSECINFO_TEST_RESULT_OK', -1);
@@ -36,540 +35,554 @@ define ('PHPSECINFO_TEST_MOREINFO_BASEURL', 'http://phpsec.org/projects/phpsecin
class PhpSecInfo_Test
{
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'misc';
-
-
- /**
- * This should be a <b>unique</b>, human-readable identifier for this test
- *
- * @var string
- */
- var $test_name = 'misc_test';
-
-
- /**
- * This is the recommended value the test will be looking for
- *
- * @var mixed
- */
- var $recommended_value = "bar";
-
-
- /**
- * The result returned from the test
- *
- * @var integer
- */
- var $_result = PHPSECINFO_TEST_RESULT_NOTRUN;
-
-
- /**
- * The message corresponding to the result of the test
- *
- * @var string
- */
- var $_message;
-
-
- /**
- * the language code. Should be a pointer to the setting in the PhpSecInfo object
- *
- * @var string
- */
- var $_language = PHPSECINFO_LANG_DEFAULT;
-
- /**
- * Enter description here...
- *
- * @var mixed
- */
- var $current_value;
-
- /**
- * This is a hash of messages that correspond to various test result levels.
- *
- * There are five messages, each corresponding to one of the result constants
- * (PHPSECINFO_TEST_RESULT_OK, PHPSECINFO_TEST_RESULT_NOTICE, PHPSECINFO_TEST_RESULT_WARN,
- * PHPSECINFO_TEST_RESULT_ERROR, PHPSECINFO_TEST_RESULT_NOTRUN)
- *
- *
- * @var array array
- */
- var $_messages = array();
-
-
-
-
- /**
- * Constructor for Test skeleton class
- *
- * @return PhpSecInfo_Test
- */
- function PhpSecInfo_Test() {
- //$this->_setTestValues();
-
- $this->_retrieveCurrentValue();
- //$this->setRecommendedValue();
-
- $this->_setMessages();
- }
-
-
- /**
- * Determines whether or not it's appropriate to run this test (for example, if
- * this test is for a particular library, it shouldn't be run if the lib isn't
- * loaded).
- *
- * This is a terrible name, but I couldn't think of a better one atm.
- *
- * @return boolean
- */
- function isTestable() {
-
- return true;
- }
-
-
- /**
- * The "meat" of the test. This is where the real test code goes. You should override this when extending
- *
- * @return integer
- */
- function _execTest() {
-
- return PHPSECINFO_TEST_RESULT_NOTRUN;
- }
-
-
- /**
- * This function loads up result messages into the $this->_messages array.
- *
- * Using this method rather than setting $this->_messages directly allows result
- * messages to be inherited. This is broken out into a separate function rather
- * than the constructor for ease of extension purposes (php4 is whack, man).
- *
- */
- function _setMessages() {
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'This setting should be safe');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'This could potentially be a security issue');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'This setting may be a serious security problem');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', 'There was an error running this test');
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test cannot be run');
- }
-
-
- /**
- * Placeholder - extend for tests
- *
- */
- function _retrieveCurrentValue() {
- $this->current_value = "foo";
- }
-
-
-
- /**
- * This is the wrapper that executes the test and sets the result code and message
- */
- function test() {
- $result = $this->_execTest();
- $this->_setResult($result);
-
- }
-
-
-
- /**
- * Retrieves the result
- *
- * @return integer
- */
- function getResult() {
- return $this->_result;
- }
-
-
-
-
- /**
- * Retrieves the message for the current result
- *
- * @return string
- */
- function getMessage() {
- if (!isset($this->_message) || empty($this->_message)) {
- $this->_setMessage($this->_result, $this->_language);
- }
-
- return $this->_message;
- }
-
-
-
- /**
- * Sets the message for a given result code and language
- *
- * <code>
- * $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test cannot be run');
- * </code>
- *
- * @param integer $result_code
- * @param string $language_code
- * @param string $message
- *
- */
- function setMessageForResult($result_code, $language_code, $message) {
-
- if ( !isset($this->_messages[$result_code]) ) {
- $this->_messages[$result_code] = array();
- }
-
- if ( !is_array($this->_messages[$result_code]) ) {
- $this->_messages[$result_code] = array();
- }
-
- $this->_messages[$result_code][$language_code] = $message;
-
- }
-
-
-
-
- /**
- * returns the current value. This function should be used to access the
- * value for display. All values are cast as strings
- *
- * @return string
- */
- function getCurrentTestValue() {
- return $this->getStringValue($this->current_value);
- }
-
- /**
- * returns the recommended value. This function should be used to access the
- * value for display. All values are cast as strings
- *
- * @return string
- */
- function getRecommendedTestValue() {
- return $this->getStringValue($this->recommended_value);
- }
-
-
- /**
- * Sets the result code
- *
- * @param integer $result_code
- */
- function _setResult($result_code) {
- $this->_result = $result_code;
- }
-
-
- /**
- * Sets the $this->_message variable based on the passed result and language codes
- *
- * @param integer $result_code
- * @param string $language_code
- */
- function _setMessage($result_code, $language_code) {
- $messages = $this->_messages[$result_code];
- $message = $messages[$language_code];
- $this->_message = $message;
- }
-
-
- /**
- * Returns a link to a page with detailed information about the test
- *
- * URL is formatted as PHPSECINFO_TEST_MOREINFO_BASEURL + testName
- *
- * @see PHPSECINFO_TEST_MOREINFO_BASEURL
- *
- * @return string|boolean
- */
- function getMoreInfoURL() {
- if ($tn = $this->getTestName()) {
- return PHPSECINFO_TEST_MOREINFO_BASEURL.strtolower("{$tn}.html");
- } else {
- return false;
- }
- }
-
-
-
-
- /**
- * This retrieves the name of this test.
- *
- * If a name has not been set, this returns a formatted version of the class name.
- *
- * @return string
- */
- function getTestName() {
- if (isset($this->test_name) && !empty($this->test_name)) {
- return $this->test_name;
- } else {
- return ucwords(
- str_replace('_', ' ',
- get_class($this)
- )
- );
- }
-
- }
-
-
- /**
- * sets the test name
- *
- * @param string $test_name
- */
- function setTestName($test_name) {
- $this->test_name = $test_name;
- }
-
-
- /**
- * Returns the test group this test belongs to
- *
- * @return string
- */
- function getTestGroup() {
- return $this->test_group;
- }
-
-
- /**
- * sets the test group
- *
- * @param string $test_group
- */
- function setTestGroup($test_group) {
- $this->test_group = $test_group;
- }
-
-
- /**
- * This function takes the shorthand notation used in memory limit settings for PHP
- * and returns the byte value. Totally stolen from http://us3.php.net/manual/en/function.ini-get.php
- *
- * <code>
- * echo 'post_max_size in bytes = ' . $this->return_bytes(ini_get('post_max_size'));
- * </code>
- *
- * @link http://php.net/manual/en/function.ini-get.php
- * @param string $val
- * @return integer
- */
- function returnBytes($val) {
- $val = trim($val);
-
- if ( (int)$val === 0 ) {
- return 0;
- }
-
- $last = strtolower($val{strlen($val)-1});
- switch($last) {
- // The 'G' modifier is available since PHP 5.1.0
- case 'g':
- $val *= 1024;
- case 'm':
- $val *= 1024;
- case 'k':
- $val *= 1024;
- }
-
- return $val;
- }
-
-
- /**
- * This just does the usual PHP string casting, except for
- * the boolean FALSE value, where the string "0" is returned
- * instead of an empty string
- *
- * @param mixed $val
- * @return string
- */
- function getStringValue($val) {
- if ($val === FALSE) {
- return "0";
- } else {
- return (string)$val;
- }
- }
-
-
- /**
- * This method converts the several possible return values from
- * allegedly "boolean" ini settings to proper booleans
- *
- * Properly converted input values are: 'off', 'on', 'false', 'true', '', '0', '1'
- * (the last two might not be neccessary, but I'd rather be safe)
- *
- * If the ini_value doesn't match any of those, the value is returned as-is.
- *
- * @param string $ini_key the ini_key you need the value of
- * @return boolean|mixed
- */
- function getBooleanIniValue($ini_key) {
-
- $ini_val = ini_get($ini_key);
-
- switch ( strtolower($ini_val) ) {
-
- case 'off':
- return false;
- break;
- case 'on':
- return true;
- break;
- case 'false':
- return false;
- break;
- case 'true':
- return true;
- break;
- case '0':
- return false;
- break;
- case '1':
- return true;
- break;
- case '':
- return false;
- break;
- default:
- return $ini_val;
-
- }
-
- }
-
- /**
- * sys_get_temp_dir provides some temp dir detection capability
- * that is lacking in versions of PHP that do not have the
- * sys_get_temp_dir() function
- *
- * @return string|NULL
- */
- function sys_get_temp_dir() {
- // Try to get from environment variable
- $vars = array('TMP', 'TMPDIR', 'TEMP');
- foreach($vars as $var) {
- $tmp = getenv($var);
- if ( !empty($tmp) ) {
- return realpath( $tmp );
- }
- }
- return NULL;
- }
-
-
- /**
- * A quick function to determine whether we're running on Windows.
- * Uses the PHP_OS constant.
- *
- * @return boolean
- */
- function osIsWindows() {
- if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
- return true;
- } else {
- return false;
- }
- }
-
-
- /**
- * Returns an array of data returned from the UNIX 'id' command
- *
- * includes uid, username, gid, groupname, and groups (if "exec"
- * is enabled). Groups is an array of all the groups the user
- * belongs to. Keys are the group ids, values are the group names.
- *
- * returns FALSE if no suitable function is available to retrieve
- * the data
- *
- * @return array|boolean
- */
- function getUnixId() {
-
- if ($this->osIsWindows()) {
- return false;
- }
-
- $success = false;
-
-
- if (function_exists("exec") && !PhpSecInfo_Test::getBooleanIniValue('safe_mode')) {
- $id_raw = exec('id');
- // uid=1000(coj) gid=1000(coj) groups=1000(coj),1001(admin)
- preg_match( "|uid=(\d+)\((\S+)\)\s+gid=(\d+)\((\S+)\)\s+groups=(.+)|i",
- $id_raw,
- $matches);
-
- if (!$matches) {
- /**
- * for some reason the output from 'id' wasn't as we expected.
- * return false so the test doesn't run.
- */
- $success = false;
- } else {
- $id_data = array( 'uid'=>$matches[1],
- 'username'=>$matches[2],
- 'gid'=>$matches[3],
- 'group'=>$matches[4] );
-
- $groups = array();
- if ($matches[5]) {
- $gs = $matches[5];
- $gs = explode(',', $gs);
- foreach ($gs as $groupstr) {
- if (preg_match("/(\d+)\(([^\)]+)\)/", $groupstr, $subs)) {
- $groups[$subs[1]] = $subs[2];
- } else {
- $groups[$groupstr] = '';
- }
- }
- ksort($groups);
- }
- $id_data['groups'] = $groups;
- $success = true;
- }
-
- }
-
- if (!$success && function_exists("posix_getpwuid") && function_exists("posix_geteuid")
- && function_exists('posix_getgrgid') && function_exists('posix_getgroups') ) {
- $data = posix_getpwuid( posix_getuid() );
- $id_data['uid'] = $data['uid'];
- $id_data['username'] = $data['name'];
- $id_data['gid'] = $data['gid'];
- //$group_data = posix_getgrgid( posix_getegid() );
- //$id_data['group'] = $group_data['name'];
- $id_data['groups'] = array();
- $groups = posix_getgroups();
- foreach ( $groups as $gid ) {
- //$group_data = posix_getgrgid(posix_getgid());
- $id_data['groups'][$gid] = '<unknown>';
- }
- $success = true;
- }
-
- if ($success) {
- return $id_data;
- } else {
- return false;
- }
- }
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'misc';
+
+
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = 'misc_test';
+
+
+ /**
+ * This is the recommended value the test will be looking for
+ *
+ * @var mixed
+ */
+ var $recommended_value = "bar";
+
+
+ /**
+ * The result returned from the test
+ *
+ * @var integer
+ */
+ var $_result = PHPSECINFO_TEST_RESULT_NOTRUN;
+
+
+ /**
+ * The message corresponding to the result of the test
+ *
+ * @var string
+ */
+ var $_message;
+
+
+ /**
+ * the language code. Should be a pointer to the setting in the PhpSecInfo object
+ *
+ * @var string
+ */
+ var $_language = PHPSECINFO_LANG_DEFAULT;
+
+ /**
+ * Enter description here...
+ *
+ * @var mixed
+ */
+ var $current_value;
+
+ /**
+ * This is a hash of messages that correspond to various test result levels.
+ *
+ * There are five messages, each corresponding to one of the result constants
+ * (PHPSECINFO_TEST_RESULT_OK, PHPSECINFO_TEST_RESULT_NOTICE, PHPSECINFO_TEST_RESULT_WARN,
+ * PHPSECINFO_TEST_RESULT_ERROR, PHPSECINFO_TEST_RESULT_NOTRUN)
+ *
+ *
+ * @var array array
+ */
+ var $_messages = array();
+
+
+ /**
+ * Constructor for Test skeleton class
+ *
+ * @return PhpSecInfo_Test
+ */
+ function PhpSecInfo_Test()
+ {
+ //$this->_setTestValues();
+
+ $this->_retrieveCurrentValue();
+ //$this->setRecommendedValue();
+
+ $this->_setMessages();
+ }
+
+
+ /**
+ * Determines whether or not it's appropriate to run this test (for example, if
+ * this test is for a particular library, it shouldn't be run if the lib isn't
+ * loaded).
+ *
+ * This is a terrible name, but I couldn't think of a better one atm.
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+
+ return true;
+ }
+
+
+ /**
+ * The "meat" of the test. This is where the real test code goes. You should override this when extending
+ *
+ * @return integer
+ */
+ function _execTest()
+ {
+
+ return PHPSECINFO_TEST_RESULT_NOTRUN;
+ }
+
+
+ /**
+ * This function loads up result messages into the $this->_messages array.
+ *
+ * Using this method rather than setting $this->_messages directly allows result
+ * messages to be inherited. This is broken out into a separate function rather
+ * than the constructor for ease of extension purposes (php4 is whack, man).
+ *
+ */
+ function _setMessages()
+ {
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'This setting should be safe');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'This could potentially be a security issue');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'This setting may be a serious security problem');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_ERROR, 'en', 'There was an error running this test');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test cannot be run');
+ }
+
+
+ /**
+ * Placeholder - extend for tests
+ *
+ */
+ function _retrieveCurrentValue()
+ {
+ $this->current_value = "foo";
+ }
+
+
+ /**
+ * This is the wrapper that executes the test and sets the result code and message
+ */
+ function test()
+ {
+ $result = $this->_execTest();
+ $this->_setResult($result);
+
+ }
+
+
+ /**
+ * Retrieves the result
+ *
+ * @return integer
+ */
+ function getResult()
+ {
+ return $this->_result;
+ }
+
+
+ /**
+ * Retrieves the message for the current result
+ *
+ * @return string
+ */
+ function getMessage()
+ {
+ if (!isset($this->_message) || empty($this->_message)) {
+ $this->_setMessage($this->_result, $this->_language);
+ }
+
+ return $this->_message;
+ }
+
+
+ /**
+ * Sets the message for a given result code and language
+ *
+ * <code>
+ * $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'This test cannot be run');
+ * </code>
+ *
+ * @param integer $result_code
+ * @param string $language_code
+ * @param string $message
+ *
+ */
+ function setMessageForResult($result_code, $language_code, $message)
+ {
+
+ if (!isset($this->_messages[$result_code])) {
+ $this->_messages[$result_code] = array();
+ }
+
+ if (!is_array($this->_messages[$result_code])) {
+ $this->_messages[$result_code] = array();
+ }
+
+ $this->_messages[$result_code][$language_code] = $message;
+
+ }
+
+
+ /**
+ * returns the current value. This function should be used to access the
+ * value for display. All values are cast as strings
+ *
+ * @return string
+ */
+ function getCurrentTestValue()
+ {
+ return $this->getStringValue($this->current_value);
+ }
+
+ /**
+ * returns the recommended value. This function should be used to access the
+ * value for display. All values are cast as strings
+ *
+ * @return string
+ */
+ function getRecommendedTestValue()
+ {
+ return $this->getStringValue($this->recommended_value);
+ }
+
+
+ /**
+ * Sets the result code
+ *
+ * @param integer $result_code
+ */
+ function _setResult($result_code)
+ {
+ $this->_result = $result_code;
+ }
+
+
+ /**
+ * Sets the $this->_message variable based on the passed result and language codes
+ *
+ * @param integer $result_code
+ * @param string $language_code
+ */
+ function _setMessage($result_code, $language_code)
+ {
+ $messages = $this->_messages[$result_code];
+ $message = $messages[$language_code];
+ $this->_message = $message;
+ }
+
+
+ /**
+ * Returns a link to a page with detailed information about the test
+ *
+ * URL is formatted as PHPSECINFO_TEST_MOREINFO_BASEURL + testName
+ *
+ * @see PHPSECINFO_TEST_MOREINFO_BASEURL
+ *
+ * @return string|boolean
+ */
+ function getMoreInfoURL()
+ {
+ if ($tn = $this->getTestName()) {
+ return PHPSECINFO_TEST_MOREINFO_BASEURL . strtolower("{$tn}.html");
+ } else {
+ return false;
+ }
+ }
+
+
+ /**
+ * This retrieves the name of this test.
+ *
+ * If a name has not been set, this returns a formatted version of the class name.
+ *
+ * @return string
+ */
+ function getTestName()
+ {
+ if (isset($this->test_name) && !empty($this->test_name)) {
+ return $this->test_name;
+ } else {
+ return ucwords(
+ str_replace('_', ' ',
+ get_class($this)
+ )
+ );
+ }
+
+ }
+
+
+ /**
+ * sets the test name
+ *
+ * @param string $test_name
+ */
+ function setTestName($test_name)
+ {
+ $this->test_name = $test_name;
+ }
+
+
+ /**
+ * Returns the test group this test belongs to
+ *
+ * @return string
+ */
+ function getTestGroup()
+ {
+ return $this->test_group;
+ }
+
+
+ /**
+ * sets the test group
+ *
+ * @param string $test_group
+ */
+ function setTestGroup($test_group)
+ {
+ $this->test_group = $test_group;
+ }
+
+
+ /**
+ * This function takes the shorthand notation used in memory limit settings for PHP
+ * and returns the byte value. Totally stolen from http://us3.php.net/manual/en/function.ini-get.php
+ *
+ * <code>
+ * echo 'post_max_size in bytes = ' . $this->return_bytes(ini_get('post_max_size'));
+ * </code>
+ *
+ * @link http://php.net/manual/en/function.ini-get.php
+ * @param string $val
+ * @return integer
+ */
+ function returnBytes($val)
+ {
+ $val = trim($val);
+
+ if ((int)$val === 0) {
+ return 0;
+ }
+
+ $last = strtolower($val{strlen($val) - 1});
+ switch ($last) {
+ // The 'G' modifier is available since PHP 5.1.0
+ case 'g':
+ $val *= 1024;
+ case 'm':
+ $val *= 1024;
+ case 'k':
+ $val *= 1024;
+ }
+
+ return $val;
+ }
+
+
+ /**
+ * This just does the usual PHP string casting, except for
+ * the boolean FALSE value, where the string "0" is returned
+ * instead of an empty string
+ *
+ * @param mixed $val
+ * @return string
+ */
+ function getStringValue($val)
+ {
+ if ($val === FALSE) {
+ return "0";
+ } else {
+ return (string)$val;
+ }
+ }
+
+
+ /**
+ * This method converts the several possible return values from
+ * allegedly "boolean" ini settings to proper booleans
+ *
+ * Properly converted input values are: 'off', 'on', 'false', 'true', '', '0', '1'
+ * (the last two might not be neccessary, but I'd rather be safe)
+ *
+ * If the ini_value doesn't match any of those, the value is returned as-is.
+ *
+ * @param string $ini_key the ini_key you need the value of
+ * @return boolean|mixed
+ */
+ function getBooleanIniValue($ini_key)
+ {
+
+ $ini_val = ini_get($ini_key);
+
+ switch (strtolower($ini_val)) {
+
+ case 'off':
+ return false;
+ break;
+ case 'on':
+ return true;
+ break;
+ case 'false':
+ return false;
+ break;
+ case 'true':
+ return true;
+ break;
+ case '0':
+ return false;
+ break;
+ case '1':
+ return true;
+ break;
+ case '':
+ return false;
+ break;
+ default:
+ return $ini_val;
+
+ }
+
+ }
+
+ /**
+ * sys_get_temp_dir provides some temp dir detection capability
+ * that is lacking in versions of PHP that do not have the
+ * sys_get_temp_dir() function
+ *
+ * @return string|NULL
+ */
+ function sys_get_temp_dir()
+ {
+ // Try to get from environment variable
+ $vars = array('TMP', 'TMPDIR', 'TEMP');
+ foreach ($vars as $var) {
+ $tmp = getenv($var);
+ if (!empty($tmp)) {
+ return realpath($tmp);
+ }
+ }
+ return NULL;
+ }
+
+
+ /**
+ * A quick function to determine whether we're running on Windows.
+ * Uses the PHP_OS constant.
+ *
+ * @return boolean
+ */
+ function osIsWindows()
+ {
+ if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+
+ /**
+ * Returns an array of data returned from the UNIX 'id' command
+ *
+ * includes uid, username, gid, groupname, and groups (if "exec"
+ * is enabled). Groups is an array of all the groups the user
+ * belongs to. Keys are the group ids, values are the group names.
+ *
+ * returns FALSE if no suitable function is available to retrieve
+ * the data
+ *
+ * @return array|boolean
+ */
+ function getUnixId()
+ {
+
+ if ($this->osIsWindows()) {
+ return false;
+ }
+
+ $success = false;
+
+
+ if (function_exists("exec") && !PhpSecInfo_Test::getBooleanIniValue('safe_mode')) {
+ $id_raw = exec('id');
+ // uid=1000(coj) gid=1000(coj) groups=1000(coj),1001(admin)
+ preg_match("|uid=(\d+)\((\S+)\)\s+gid=(\d+)\((\S+)\)\s+groups=(.+)|i",
+ $id_raw,
+ $matches);
+
+ if (!$matches) {
+ /**
+ * for some reason the output from 'id' wasn't as we expected.
+ * return false so the test doesn't run.
+ */
+ $success = false;
+ } else {
+ $id_data = array('uid' => $matches[1],
+ 'username' => $matches[2],
+ 'gid' => $matches[3],
+ 'group' => $matches[4]);
+
+ $groups = array();
+ if ($matches[5]) {
+ $gs = $matches[5];
+ $gs = explode(',', $gs);
+ foreach ($gs as $groupstr) {
+ if (preg_match("/(\d+)\(([^\)]+)\)/", $groupstr, $subs)) {
+ $groups[$subs[1]] = $subs[2];
+ } else {
+ $groups[$groupstr] = '';
+ }
+ }
+ ksort($groups);
+ }
+ $id_data['groups'] = $groups;
+ $success = true;
+ }
+
+ }
+
+ if (!$success && function_exists("posix_getpwuid") && function_exists("posix_geteuid")
+ && function_exists('posix_getgrgid') && function_exists('posix_getgroups')
+ ) {
+ $data = posix_getpwuid(posix_getuid());
+ $id_data['uid'] = $data['uid'];
+ $id_data['username'] = $data['name'];
+ $id_data['gid'] = $data['gid'];
+ //$group_data = posix_getgrgid( posix_getegid() );
+ //$id_data['group'] = $group_data['name'];
+ $id_data['groups'] = array();
+ $groups = posix_getgroups();
+ foreach ($groups as $gid) {
+ //$group_data = posix_getgrgid(posix_getgid());
+ $id_data['groups'][$gid] = '<unknown>';
+ }
+ $success = true;
+ }
+
+ if ($success) {
+ return $id_data;
+ } else {
+ return false;
+ }
+ }
}
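Review bot: `_setMessage` (the `$messages = $this->_messages[$result_code];` lines on the new side) indexes `$this->_messages` by result code and then by language without checking that either key exists, so a result code with no registered message, or any language other than 'en', raises an undefined-index notice and leaves `$this->_message` null even though `getMessage()` documents a string return. A guarded lookup such as `$messages = isset($this->_messages[$result_code]) ? $this->_messages[$result_code] : array();` followed by `$this->_message = isset($messages[$language_code]) ? $messages[$language_code] : (isset($messages['en']) ? $messages['en'] : '');` keeps that contract and falls back to the English text every test registers. Separately, `returnBytes` multiplies the trimmed string (e.g. `'128M'`) in place, relying on numeric-leading-string arithmetic; reading the unit character first and then doing `$val = (int)$val;` before the `switch` makes the conversion explicit, and the `$val{strlen($val) - 1}` brace offset should become `$val[strlen($val) - 1]` since the brace form is deprecated in later PHP releases. In `getUnixId` the capability check tests `function_exists("posix_geteuid")` but the call is `posix_getuid()`; the two should name the same function.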
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Application.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Application.php
index af7a2f9926..af97310aad 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Application.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Application.php
@@ -1,7 +1,7 @@
<?php
/**
* Skeleton Test class file for Application group
- *
+ *
* @package PhpSecInfo
* @author Anthon Pang
*/
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -19,36 +18,38 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
*/
class PhpSecInfo_Test_Application extends PhpSecInfo_Test
{
-
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'Application';
-
-
- /**
- * "Application" tests should pretty much be always testable, so the default is just to return true
- *
- * @return boolean
- */
- function isTestable() {
- return Piwik_Http::getTransportMethod() !== null;
- }
-
- function getMoreInfoURL() {
- $urls = array(
- 'Piwik' => 'http://piwik.org/changelog',
- 'PHP' => 'http://php.net/',
- );
-
- if ($tn = $this->getTestName()) {
- return $urls[$tn];
- } else {
- return false;
- }
- }
+
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'Application';
+
+
+ /**
+ * "Application" tests should pretty much be always testable, so the default is just to return true
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ return Piwik_Http::getTransportMethod() !== null;
+ }
+
+ function getMoreInfoURL()
+ {
+ $urls = array(
+ 'Piwik' => 'http://piwik.org/changelog',
+ 'PHP' => 'http://php.net/',
+ );
+
+ if ($tn = $this->getTestName()) {
+ return $urls[$tn];
+ } else {
+ return false;
+ }
+ }
}
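Review bot: `getMoreInfoURL` returns `$urls[$tn]` without checking the key, so a test whose name is neither 'Piwik' nor 'PHP' triggers an undefined-index notice and returns null, whereas the base-class contract (string|boolean) and this method's own `else` branch promise `false`; `return isset($urls[$tn]) ? $urls[$tn] : false;` keeps the contract. The `isTestable` docblock is also stale: it says the default is just to return true, but the method returns `Piwik_Http::getTransportMethod() !== null`, so it should read `/** Application tests are testable only when Piwik_Http reports an available transport method. @return boolean */`. `getMoreInfoURL` has no docblock at all; a one-liner stating that it maps the test name to a fixed per-application URL and returns false when no name is set would do.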
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Cgi.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Cgi.php
index 1a4156a3f4..5384bfbf50 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Cgi.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Cgi.php
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -20,42 +19,43 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
class PhpSecInfo_Test_Cgi extends PhpSecInfo_Test
{
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'CGI';
-
-
-
- /**
- * "CGI" tests should only be run if we're running as a CGI. The best way I could think of
- * to test this was to preg against the php_sapi_name() return value.
- *
- * @return boolean
- */
- function isTestable() {
- /*if ( preg_match('/^cgi.*$/', PHP_SAPI) ) {
- return true;
- } else {
- return false;
- }*/
- return !strncmp(PHP_SAPI, 'cgi', 3);
- }
-
-
- /**
- * Set the messages for CGI tests
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', "You don't seem to be using the CGI SAPI");
-
- }
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'CGI';
+
+
+ /**
+ * "CGI" tests should only be run if we're running as a CGI. The best way I could think of
+ * to test this was to preg against the php_sapi_name() return value.
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ /*if ( preg_match('/^cgi.*$/', PHP_SAPI) ) {
+ return true;
+ } else {
+ return false;
+ }*/
+ return !strncmp(PHP_SAPI, 'cgi', 3);
+ }
+
+
+ /**
+ * Set the messages for CGI tests
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', "You don't seem to be using the CGI SAPI");
+
+ }
} \ No newline at end of file
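Review bot: The reindented isTestable keeps a commented-out preg_match block above `return !strncmp(PHP_SAPI, 'cgi', 3);`; since this commit is a PSR-1/2 pass, that dead code should be removed and the docblock, which still describes a preg against php_sapi_name(), should read `Testable when PHP_SAPI starts with "cgi" (this also matches cgi-fcgi)`. PSR-2 also requires an explicit visibility keyword on every property and method, so `var $test_group = 'CGI';` should become `public $test_group = 'CGI';` and `function isTestable()` should gain `public` — unless the parent class in Test.php, not visible here, intentionally keeps PHP4-style declarations that the conversion preserves.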
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Core.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Core.php
index 58230794d2..4778394f6f 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Core.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Core.php
@@ -1,7 +1,7 @@
<?php
/**
* Skeleton Test class file for Core group
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -19,26 +18,27 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
*/
class PhpSecInfo_Test_Core extends PhpSecInfo_Test
{
-
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'Core';
-
-
- /**
- * "Core" tests should pretty much be always testable, so the default is just to return true
- *
- * @return boolean
- */
- function isTestable() {
-
- return true;
- }
-
-
+
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'Core';
+
+
+ /**
+ * "Core" tests should pretty much be always testable, so the default is just to return true
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+
+ return true;
+ }
+
+
} \ No newline at end of file
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Curl.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Curl.php
index a1e7d57a6f..78deeaea6c 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Curl.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Curl.php
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -20,43 +19,44 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
class PhpSecInfo_Test_Curl extends PhpSecInfo_Test
{
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'Curl';
-
-
-
- /**
- * "Curl" tests should only be run if the curl extension is installed. We can check
- * for this by seeing if the function curl_init() is defined
- *
- * @return boolean
- */
- function isTestable() {
-/* if ( function_exists('curl_init') ) {
- return true;
- } else {
- return false;
- }
-*/
- return extension_loaded('curl');
- }
-
-
- /**
- * Set the messages for Curl tests
- *
- */
- function _setMessages() {
- parent::_setMessages();
-
- $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', "CURL support is not enabled in your PHP install");
-
- }
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'Curl';
+
+
+ /**
+ * "Curl" tests should only be run if the curl extension is installed. We can check
+ * for this by seeing if the function curl_init() is defined
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ /* if ( function_exists('curl_init') ) {
+ return true;
+ } else {
+ return false;
+ }
+ */
+ return extension_loaded('curl');
+ }
+
+
+ /**
+ * Set the messages for Curl tests
+ *
+ */
+ function _setMessages()
+ {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', "CURL support is not enabled in your PHP install");
+
+ }
} \ No newline at end of file
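Review bot: The docblock on isTestable says the check is whether curl_init() is defined, but the retained line `return extension_loaded('curl');` tests the extension instead, and the superseded `function_exists('curl_init')` version survives only as a commented-out block inside the method. Delete that block and reword the docblock to `Testable only when the curl extension is loaded`. The behaviour itself is unchanged by this commit; only the documentation and the dead code need tidying.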
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Session.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Session.php
index 5270fa62c4..32185eee89 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Session.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Session.php
@@ -1,7 +1,7 @@
<?php
/**
* Skeleton Test class file for Session group
- *
+ *
* @package PhpSecInfo
* @author Ed Finkler <coj@funkatron.com>
*/
@@ -10,8 +10,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -20,27 +19,28 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
*/
class PhpSecInfo_Test_Session extends PhpSecInfo_Test
{
-
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'Session';
-
-
- /**
- * "Session" tests should pretty much be always testable, so the default is
- * just to return true
- *
- * @return boolean
- */
- function isTestable() {
-
- return true;
- }
-
-
+
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'Session';
+
+
+ /**
+ * "Session" tests should pretty much be always testable, so the default is
+ * just to return true
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+
+ return true;
+ }
+
+
} \ No newline at end of file
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Suhosin.php b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Suhosin.php
index 1f8883eeba..7228fde5e0 100644
--- a/plugins/SecurityInfo/PhpSecInfo/Test/Test_Suhosin.php
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Test_Suhosin.php
@@ -1,7 +1,7 @@
<?php
/**
* Skeleton Test class file for Suhosin group
- *
+ *
* @package PhpSecInfo
* @author Anthon Pang
*/
@@ -9,8 +9,7 @@
/**
* require the main PhpSecInfo class
*/
-require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
-
+require_once(PHPSECINFO_BASE_DIR . '/Test/Test.php');
/**
@@ -19,34 +18,36 @@ require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
*/
class PhpSecInfo_Test_Suhosin extends PhpSecInfo_Test
{
-
- /**
- * This value is used to group test results together.
- *
- * For example, all tests related to the mysql lib should be grouped under "mysql."
- *
- * @var string
- */
- var $test_group = 'Suhosin';
-
-
- /**
- * "Suhosin" tests should pretty much be always testable, so the default is just to return true
- *
- * @return boolean
- */
- function isTestable() {
- if (version_compare(PHP_VERSION, '5.3.9') >= 0) {
- return false;
- }
- return true;
- }
- function getMoreInfoURL() {
- if ($tn = $this->getTestName()) {
- return 'http://www.hardened-php.net/suhosin/index.html';
- } else {
- return false;
- }
- }
+ /**
+ * This value is used to group test results together.
+ *
+ * For example, all tests related to the mysql lib should be grouped under "mysql."
+ *
+ * @var string
+ */
+ var $test_group = 'Suhosin';
+
+
+ /**
+ * "Suhosin" tests should pretty much be always testable, so the default is just to return true
+ *
+ * @return boolean
+ */
+ function isTestable()
+ {
+ if (version_compare(PHP_VERSION, '5.3.9') >= 0) {
+ return false;
+ }
+ return true;
+ }
+
+ function getMoreInfoURL()
+ {
+ if ($tn = $this->getTestName()) {
+ return 'http://www.hardened-php.net/suhosin/index.html';
+ } else {
+ return false;
+ }
+ }
}