Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php')
-rw-r--r--plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php99
1 files changed, 99 insertions, 0 deletions
diff --git a/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
new file mode 100644
index 0000000000..5a7ae7752e
--- /dev/null
+++ b/plugins/SecurityInfo/PhpSecInfo/Test/Session/save_path.php
@@ -0,0 +1,99 @@
+<?php
+/**
+ * Test class for session save_path
+ *
+ * @package PhpSecInfo
+ * @author Thomas CORBIERE <thomas@votre-grandeur-celeste.com>
+ */
+
+/**
+ * require the PhpSecInfo_Test_Core class
+ */
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
+
+/**
+ * Test class for session save_path
+ *
+ * @package PhpSecInfo
+ */
+class PhpSecInfo_Test_Session_Save_Path extends PhpSecInfo_Test_Session
+{
+
+ /**
+ * This should be a <b>unique</b>, human-readable identifier for this test
+ *
+ * @var string
+ */
+ var $test_name = "save_path";
+
+ var $recommended_value = "A non-world readable/writable directory";
+
+ function _retrieveCurrentValue() {
+ $this->current_value = ini_get('session.save_path');
+
+ if( empty($this->current_value) ) {
+ if (function_exists("sys_get_temp_dir")) {
+ $this->current_value = sys_get_temp_dir();
+ } else {
+ $this->current_value = $this->sys_get_temp_dir();
+ }
+ }
+ }
+
+
+ /**
+ * We are disabling this function on Windows OSes right now until
+ * we can be certain of the proper way to check world-readability
+ *
+ * @return unknown
+ */
+ function isTestable() {
+ if ($this->osIsWindows()) {
+ return FALSE;
+ } else {
+ return TRUE;
+ }
+ }
+
+
+ /**
+ * Check if session.save_path matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
+ *
+ * This is still unix-specific, and it's possible that for now
+ * this test should be disabled under Windows builds.
+ *
+ * @see PHPSECINFO_TEST_COMMON_TMPDIR
+ */
+ function _execTest() {
+
+ $perms = fileperms($this->current_value);
+
+ if ($this->current_value
+ && !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value)
+ && ! ($perms & 0x0004)
+ && ! ($perms & 0x0002) ) {
+ return PHPSECINFO_TEST_RESULT_OK;
+ }
+
+ // rewrite current_value to display perms
+ $this->current_value .= " (".substr(sprintf('%o', $perms), -4).")";
+
+ return PHPSECINFO_TEST_RESULT_NOTICE;
+ }
+
+ /**
+ * Set the messages specific to this test
+ *
+ */
+ function _setMessages() {
+ parent::_setMessages();
+
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'save_path is enabled, which is the
+ recommended setting. Make sure your save_path path is not world-readable');
+ $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'save_path is disabled, or is set to a
+ common world-writable directory. This typically allows other users on this server
+ to access session files. You should set save_path to a non-world-readable directory');
+ }
+
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-28 12:20:47 +0300