
CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component

Tags
copyright

CiviCRM LLC https://civicrm.org/licensing

Table of Contents

Methods

checkAll()  : array<string|int, CRM_Utils_Check_Message>
Run all checks in this class.
checkAnonPermissions()  : array<string|int, CRM_Utils_Check_Message>
Check to see if anonymous user has excessive permissions.
checkCxnOverrides()  : array<string|int, CRM_Utils_Check_Message>
Check that the sysadmin has not modified the Cxn security setup.
checkDirectoriesAreNotBrowseable()  : array<string|int, CRM_Utils_Check_Message>
Check if our uploads or ConfigAndLog directories have browseable listings.
checkFilesAreNotPresent()  : array<string|int, CRM_Utils_Check_Message>
Check that some files are not present.
checkHttpAuditable()  : array<string|int, CRM_Utils_Check_Message>
Some security checks require sending a real HTTP request. This breaks the single-threading model historically used by the PHP built-in webserver (for local development). There is some experimental support for multi-threading in PHP 7.4+. Anecdotally, this is still insufficient on PHP 7.4 -- but it works well enough on PHP 8.1.
checkLogFileIsNotAccessible()  : array<string|int, CRM_Utils_Check_Message>
Check if our logfile is directly accessible.
checkRemoteProfile()  : array<string|int, CRM_Utils_Check_Message>
Discourage use of remote profile forms.
checkSigningKey()  : array<string|int, CRM_Utils_Check_Message>
Check that the site is configured with a signing-key.
checkUploadsAreNotAccessible()  : array<string|int, CRM_Utils_Check_Message>
Check if our uploads directory has accessible files.
createDocUrl()  : string
fileExists()  : bool
Check if file exists on given URL.
getAllChecks()  : array<string|int, string>
Get the names of all check functions in this class.
getChecksConfig()  : array<string|int, mixed>
Get the configured status checks.
getFilePathMarker()  : string
Each CMS has a different pattern for its default file path and URL.
guessUrl()  : string
Make a guess about the URL that corresponds to $targetDir.
isBrowsable()  : bool
Determine whether $url is a public, browsable listing for $dir.
isDirAccessible()  : bool
Determine whether $url is a public version of $dir in which files are remotely accessible.
isDisabled()  : bool
Is the specified check disabled.
isEnabled()  : bool
Should these checks be run?
isLimitedDevelopmentServer()  : bool
isRequested()  : bool
Is this check one of those requested?

Methods

checkAll()

Run all checks in this class.

public checkAll([array<string|int, mixed> $requestedChecks = [] ][, bool $includeDisabled = FALSE ]) : array<string|int, CRM_Utils_Check_Message>
Parameters
$requestedChecks : array<string|int, mixed> = []

Optionally specify the names of specific checks requested, or leave empty to run all

$includeDisabled : bool = FALSE

Run checks that have been explicitly disabled (default false)

Tags
throws
CRM_Core_Exception
throws
UnauthorizedException
Return values
array<string|int, CRM_Utils_Check_Message>

checkDirectoriesAreNotBrowseable()

Check if our uploads or ConfigAndLog directories have browseable listings.

public checkDirectoriesAreNotBrowseable() : array<string|int, CRM_Utils_Check_Message>

Retrieve a listing of files from the local filesystem, and request the corresponding path via HTTP. Then check whether the local file names appear in the HTTP response body; if so, warn. This MAY trigger false positives: if you have files named 'a' or 'e', we will probably match those against incidental text in the page.
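The comparison described above, as an added example that is not CiviCRM's own code: the local names are matched as whole link targets or labels rather than as bare substrings, and names shorter than an assumed threshold are skipped, which addresses the 'a' / 'e' false positive the doc mentions. The sample Apache-style index page and the file names are constructed for the example; the function name and the $minLen threshold are illustrative, not part of the class.

```php
<?php
// Added example (not CRM_Utils_Check_Component_Security's code): compare a local
// file listing against an HTTP response body to detect an exposed directory index.

/**
 * Return the local file names that appear in $httpBody as listing entries.
 *
 * @param string[] $localFiles  Names of files present in the local directory.
 * @param string   $httpBody    Body returned when the guessed directory URL was requested.
 * @param int      $minLen      Ignore names shorter than this (assumed threshold for the example).
 * @return string[] Matched names; empty means no evidence of a browseable listing.
 */
function findExposedListingEntries(array $localFiles, string $httpBody, int $minLen = 4): array {
  $exposed = [];
  foreach ($localFiles as $name) {
    if ($name === '.' || $name === '..' || strlen($name) < $minLen) {
      continue; // one- or two-letter names would match almost any HTML page
    }
    // Require the name as a whole href target (href="name") or link label (>name<),
    // not as a substring of arbitrary text, to keep false positives down.
    $quoted = preg_quote($name, '/');
    if (preg_match('/(href=["\']' . $quoted . '["\']|>' . $quoted . '<)/', $httpBody)) {
      $exposed[] = $name;
    }
  }
  return $exposed;
}

// Constructed sample: roughly what an autoindex page for an uploads folder looks like.
$sampleListing = <<<HTML
<html><head><title>Index of /sites/default/files/civicrm/upload</title></head>
<body><h1>Index of /sites/default/files/civicrm/upload</h1>
<ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="report_2023.csv">report_2023.csv</a></li>
<li><a href="member_export.xlsx">member_export.xlsx</a></li>
</ul></body></html>
HTML;

// Constructed local listing, including the short names that would otherwise false-positive.
$localFiles = ['a', 'e', 'report_2023.csv', 'member_export.xlsx', 'notes.txt'];

$hits = findExposedListingEntries($localFiles, $sampleListing);
if ($hits) {
  echo "WARNING: directory listing appears to be enabled; exposed entries: "
    . implode(', ', $hits) . "\n";
}
else {
  echo "OK: no local file names found in the HTTP response\n";
}
```

With the constructed input the check reports report_2023.csv and member_export.xlsx while ignoring 'a', 'e' and the absent notes.txt. In the real check the $httpBody would come from a request to the URL returned by guessUrl(), and the check should be skipped on a limited development server (see checkHttpAuditable()).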

Tags
see

CRM-14091

todo

Test with WordPress, Joomla.

Return values
array<string|int, CRM_Utils_Check_Message>

checkFilesAreNotPresent()

Check that some files are not present.

public checkFilesAreNotPresent() : array<string|int, CRM_Utils_Check_Message>

These files have generally been deleted from the Civi source tree but could be left online if one does a faulty upgrade.

Return values
array<string|int, CRM_Utils_Check_Message>

checkHttpAuditable()

Some security checks require sending a real HTTP request. This breaks the single-threading model historically used by the PHP built-in webserver (for local development). There is some experimental support for multi-threading in PHP 7.4+. Anecdotally, this is still insufficient on PHP 7.4 -- but it works well enough on PHP 8.1.

public checkHttpAuditable() : array<string|int, CRM_Utils_Check_Message>
Return values
array<string|int, CRM_Utils_Check_Message>

checkLogFileIsNotAccessible()

Check if our logfile is directly accessible.

public checkLogFileIsNotAccessible() : array<string|int, CRM_Utils_Check_Message>

By CiviCRM default the logfile sits in a folder which is web-accessible, and is protected by a default .htaccess configuration. If the server config causes the .htaccess not to function as intended, there may be information disclosure.

The debug log may be jam-packed with sensitive data, which we don't want exposed.

Being retrievable directly doesn't mean the logfile is browseable or visible to search engines; it means it can be requested directly.

Tags
see

CRM-14091

Return values
array<string|int, CRM_Utils_Check_Message>

checkSigningKey()

Check that the site is configured with a signing-key.

public checkSigningKey() : array<string|int, CRM_Utils_Check_Message>

The current infrastructure for signatures was introduced circa 5.36. Specifically, most sites should now define CIVICRM_SIGN_KEYS. However, this could be missing for sites which either (a) upgraded from an earlier release or (b) used an unpatched installer.

Return values
array<string|int, CRM_Utils_Check_Message>

checkUploadsAreNotAccessible()

Check if our uploads directory has accessible files.

public checkUploadsAreNotAccessible() : array<string|int, CRM_Utils_Check_Message>

We'll test a handful of files chosen at random. Hazard a guess at the URL of the uploads dir, based on common CiviCRM layouts. Try to request the files, and if any are successfully retrieved, warn.

Being retrievable doesn't mean the files are browseable or visible to search engines; it only means they can be requested directly.
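The sampling procedure described above, together with the path-marker URL guess that guessUrl() and getFilePathMarker() perform, as an added example that is not CiviCRM's own code. The HTTP step is injected as a callable so the example runs offline; in a real check it would be fileExists() with a timeout. The '/sites/default/files/' marker, the example.org base URL, the file names and the fake fetcher's behaviour are all constructed assumptions for illustration.

```php
<?php
// Added example (not CRM_Utils_Check_Component_Security's code): guess the public
// URL of a local uploads directory, then probe a random sample of its files.

/**
 * Guess the public URL for $localDir by locating a CMS-specific path marker.
 * The default marker is an assumed Drupal-style layout used for this example only.
 */
function guessPublicUrl(string $localDir, string $baseUrl, string $marker = '/sites/default/files/'): ?string {
  $pos = strpos($localDir, $marker);
  if ($pos === FALSE) {
    return NULL; // layout not recognised; the caller should skip the check
  }
  // Keep the marker and everything after it, e.g. /sites/default/files/civicrm/upload
  return rtrim($baseUrl, '/') . substr($localDir, $pos);
}

/**
 * Probe up to $sampleSize randomly chosen local files under $dirUrl.
 *
 * @param string[] $localFiles  File names present in the local uploads directory.
 * @param string   $dirUrl      Guessed public URL of that directory.
 * @param callable $fetch       function(string $url): bool, TRUE if the URL serves the file.
 * @param int      $sampleSize  Maximum number of files to request.
 * @return string[] URLs that were retrievable; empty means nothing was reachable.
 */
function findAccessibleUploads(array $localFiles, string $dirUrl, callable $fetch, int $sampleSize = 5): array {
  $files = array_values(array_filter($localFiles, fn($f) => $f !== '.' && $f !== '..'));
  if (count($files) > $sampleSize) {
    shuffle($files);
    $files = array_slice($files, 0, $sampleSize);
  }
  $accessible = [];
  foreach ($files as $name) {
    $url = rtrim($dirUrl, '/') . '/' . rawurlencode($name);
    if ($fetch($url)) {
      $accessible[] = $url;
    }
  }
  return $accessible;
}

// --- Constructed offline scenario ---
$localDir   = '/var/www/html/sites/default/files/civicrm/upload';
$baseUrl    = 'https://example.org';
$localFiles = ['import_2023.csv', 'scan.pdf', 'image.png'];

// Stand-in for a real HTTP client: pretend the web server serves *.csv and *.pdf
// directly (i.e. the protective .htaccess is not being honoured for them).
$fakeFetch = function (string $url): bool {
  return (bool) preg_match('/\.(csv|pdf)$/', $url);
};

$dirUrl = guessPublicUrl($localDir, $baseUrl);
if ($dirUrl === NULL) {
  echo "Could not guess a public URL for $localDir; skipping check\n";
  exit;
}

$hits = findAccessibleUploads($localFiles, $dirUrl, $fakeFetch);
if ($hits) {
  echo "WARNING: uploaded files are directly retrievable:\n  " . implode("\n  ", $hits) . "\n";
}
else {
  echo "OK: sampled uploads under $dirUrl were not retrievable\n";
}
```

With the constructed fetcher the check warns about the .csv and .pdf URLs and not the .png. As the class's own docs note, a retrievable file is not necessarily listed or indexed anywhere; the finding only means direct requests succeed, which is exactly the condition the uploads directory's .htaccess is meant to prevent.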

Tags
see

CRM-14091

todo

Test with WordPress, Joomla.

Return values
array<string|int, CRM_Utils_Check_Message>

createDocUrl()

public createDocUrl(string $topic) : string
Parameters
$topic : string
Return values
string

fileExists()

Check if file exists on given URL.

public fileExists(string $url[, float|bool $timeoutOverride = FALSE ]) : bool
Parameters
$url : string
$timeoutOverride : float|bool = FALSE
Tags
throws
GuzzleException
Return values
bool

getAllChecks()

Get the names of all check functions in this class.

public getAllChecks() : array<string|int, string>
Return values
array<string|int, string>

getFilePathMarker()

Each CMS has a different pattern for its default file path and URL.

public getFilePathMarker() : string
Tags
todo

Use Civi::paths instead?

Return values
string

guessUrl()

Make a guess about the URL that corresponds to $targetDir.

public guessUrl(string $targetDir) : string
Parameters
$targetDir : string

Local path to a directory.

Return values
string

A guessed URL for $targetDir.

isBrowsable()

Determine whether $url is a public, browsable listing for $dir.

public isBrowsable(string $dir, string $url) : bool
Parameters
$dir : string

Local dir path.

$url : string

Public URL.

Return values
bool

isDirAccessible()

Determine whether $url is a public version of $dir in which files are remotely accessible.

public isDirAccessible(string $dir, string $url) : bool
Parameters
$dir : string

Local dir path.

$url : string

Public URL.

Return values
bool

isEnabled()

Should these checks be run?

public isEnabled() : bool
Return values
bool

isLimitedDevelopmentServer()

public isLimitedDevelopmentServer() : bool
Return values
bool

isRequested()

Is this check one of those requested?

private isRequested(string $method, array<string|int, mixed> $requestedChecks) : bool
Parameters
$method : string
$requestedChecks : array<string|int, mixed>
Return values
bool
