3 namespace Drupal\security_review\Checks;
6 use Drupal\Core\StreamWrapper\PrivateStream;
7 use Drupal\Core\StreamWrapper\PublicStream;
9 use Drupal\security_review\Check;
10 use Drupal\security_review\CheckResult;
13 * Check that files aren't writeable by the server.
15 class FilePermissions extends Check {
20 public function getNamespace() {
21 return 'Security Review';
27 public function getTitle() {
28 return 'File permissions';
34 public function getMachineTitle() {
41 public function storesFindings() {
48 public function run($cli = FALSE) {
49 $result = CheckResult::SUCCESS;
51 $file_list = $this->getFileList('.');
52 $writable = $this->security()->findWritableFiles($file_list, $cli);
54 // Try creating or appending files.
55 // Assume it doesn't work.
56 $create_status = FALSE;
57 $append_status = FALSE;
60 $append_message = $this->t("Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps.");
61 $directory = $this->moduleHandler()
62 ->getModule('security_review')
65 // Write a file with the timestamp.
66 $file = './' . $directory . '/file_write_test.' . date('Ymdhis');
67 if ($file_create = @fopen($file, 'w')) {
68 $create_status = fwrite($file_create, date('Ymdhis') . ' - ' . $append_message . "\n");
72 // Try to append to our IGNOREME file.
73 $file = './' . $directory . '/IGNOREME.txt';
74 if ($file_append = @fopen($file, 'a')) {
75 $append_status = fwrite($file_append, date('Ymdhis') . ' - ' . $append_message . "\n");
80 if (!empty($writable) || $create_status || $append_status) {
81 $result = CheckResult::FAIL;
84 return $this->createResult($result, $writable);
90 public function runCli() {
91 if (!$this->securityReview()->isServerPosix()) {
92 return $this->createResult(CheckResult::INFO);
95 return $this->run(TRUE);
101 public function help() {
103 $paragraphs[] = $this->t('It is dangerous to allow the web server to write to files inside the document root of your server. Doing so could allow Drupal to write files that could then be executed. An attacker might use such a vulnerability to take control of your site. An exception is the Drupal files, private files, and temporary directories which Drupal needs permission to write to in order to provide features like file attachments.');
104 $paragraphs[] = $this->t('In addition to inspecting existing directories, this test attempts to create and write to your file system. Look in your security_review module directory on the server for files named file_write_test.YYYYMMDDHHMMSS and for a file called IGNOREME.txt which gets a timestamp appended to it if it is writeable.');
105 $paragraphs[] = new Link(
106 $this->t('Read more about file system permissions in the handbooks.'),
107 Url::fromUri('http://drupal.org/node/244924')
111 '#theme' => 'check_help',
112 '#title' => $this->t('Web server file system permissions'),
113 '#paragraphs' => $paragraphs,
120 public function evaluate(CheckResult $result) {
121 if ($result->result() == CheckResult::SUCCESS) {
126 $paragraphs[] = $this->t('The following files and directories appear to be writeable by your web server. In most cases you can fix this by simply altering the file permissions or ownership. If you have command-line access to your host try running "chmod 644 [file path]" where [file path] is one of the following paths (relative to your webroot). For more information consult the <a href="http://drupal.org/node/244924">Drupal.org handbooks on file permissions</a>.');
129 '#theme' => 'check_evaluation',
130 '#paragraphs' => $paragraphs,
131 '#items' => $result->findings(),
138 public function evaluatePlain(CheckResult $result) {
139 if ($result->result() == CheckResult::SUCCESS) {
143 $output = $this->t('Writable files:') . "\n";
144 foreach ($result->findings() as $file) {
145 $output .= "\t" . $file . "\n";
154 public function getMessage($result_const) {
155 switch ($result_const) {
156 case CheckResult::SUCCESS:
157 return $this->t('Drupal installation files and directories (except required) are not writable by the server.');
159 case CheckResult::FAIL:
160 return $this->t('Some files and directories in your install are writable by the server.');
162 case CheckResult::INFO:
163 return $this->t('The test cannot be run on this system.');
166 return $this->t('Unexpected result.');
171 * Scans a directory recursively and returns the files and directories inside.
173 * @param string $directory
174 * The directory to scan.
175 * @param string[] $parsed
176 * Array of already parsed real paths.
177 * @param string[] $ignore
178 * Array of file names to ignore.
183 protected function getFileList($directory, array &$parsed = NULL, array &$ignore = NULL) {
184 // Initialize $parsed and $ignore arrays.
185 if ($parsed === NULL) {
186 $parsed = [realpath($directory)];
188 if ($ignore === NULL) {
189 $ignore = $this->getIgnoreList();
194 if ($handle = opendir($directory)) {
195 while (($file = readdir($handle)) !== FALSE) {
196 // Don't check hidden files or ones we said to ignore.
197 $path = $directory . "/" . $file;
198 if ($file[0] != "." && !in_array($file, $ignore) && !in_array(realpath($path), $ignore)) {
199 if (is_dir($path) && !in_array(realpath($path), $parsed)) {
200 $parsed[] = realpath($path);
201 $items = array_merge($items, $this->getFileList($path, $parsed, $ignore));
203 $items[] = preg_replace("/\/\//si", "/", $path);
213 * Returns an array of relative and canonical paths to ignore.
216 * List of relative and canonical file paths to ignore.
218 protected function getIgnoreList() {
219 $file_path = PublicStream::basePath();
220 $ignore = ['..', 'CVS', '.git', '.svn', '.bzr', realpath($file_path)];
222 // Add temporary files directory if it's set.
223 $temp_path = file_directory_temp();
224 if (!empty($temp_path)) {
225 $ignore[] = realpath('./' . rtrim($temp_path, '/'));
228 // Add private files directory if it's set.
229 $private_files = PrivateStream::basePath();
230 if (!empty($private_files)) {
231 // Remove leading slash if set.
232 if (strrpos($private_files, '/') !== FALSE) {
233 $private_files = substr($private_files, strrpos($private_files, '/') + 1);
235 $ignore[] = $private_files;
238 $this->moduleHandler()->alter('security_review_file_ignore', $ignore);