diff options
Diffstat (limited to 'plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php')
-rw-r--r-- | plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php new file mode 100644 index 0000000000..5a7ae7752e --- /dev/null +++ b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php @@ -0,0 +1,99 @@ +<?php +/** + * Test class for session save_path + * + * @package PhpSecInfo + * @author Thomas CORBIERE <thomas@votre-grandeur-celeste.com> + */ + +/** + * require the PhpSecInfo_Test_Core class + */ +require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php'); + +/** + * Test class for session save_path + * + * @package PhpSecInfo + */ +class PhpSecInfo_Test_Session_Save_Path extends PhpSecInfo_Test_Session +{ + + /** + * This should be a <b>unique</b>, human-readable identifier for this test + * + * @var string + */ + var $test_name = "save_path"; + + var $recommended_value = "A non-world readable/writable directory"; + + function _retrieveCurrentValue() { + $this->current_value = ini_get('session.save_path'); + + if( empty($this->current_value) ) { + if (function_exists("sys_get_temp_dir")) { + $this->current_value = sys_get_temp_dir(); + } else { + $this->current_value = $this->sys_get_temp_dir(); + } + } + } + + + /** + * We are disabling this function on Windows OSes right now until + * we can be certain of the proper way to check world-readability + * + * @return unknown + */ + function isTestable() { + if ($this->osIsWindows()) { + return FALSE; + } else { + return TRUE; + } + } + + + /** + * Check if session.save_path matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable + * + * This is still unix-specific, and it's possible that for now + * this test should be disabled under Windows builds. + * + * @see PHPSECINFO_TEST_COMMON_TMPDIR + */ + function _execTest() { + + $perms = fileperms($this->current_value); + + if ($this->current_value + && !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value) + && ! ($perms & 0x0004) + && ! ($perms & 0x0002) ) { + return PHPSECINFO_TEST_RESULT_OK; + } + + // rewrite current_value to display perms + $this->current_value .= " (".substr(sprintf('%o', $perms), -4).")"; + + return PHPSECINFO_TEST_RESULT_NOTICE; + } + + /** + * Set the messages specific to this test + * + */ + function _setMessages() { + parent::_setMessages(); + + $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes'); + $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'save_path is enabled, which is the + recommended setting. Make sure your save_path path is not world-readable'); + $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'save_path is disabled, or is set to a + common world-writable directory. This typically allows other users on this server + to access session files. You should set save_path to a non-world-readable directory'); + } + +} |