class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component

Methods

bool
isEnabled()

Should these checks be run?

array
checkAll()

Run all checks in this class.

getFilePathMarker()

Each CMS has a different pattern for its default file path and URL.

array
checkLogFileIsNotAccessible()

Check if our logfile is directly accessible.

array
checkUploadsAreNotAccessible()

Check if our uploads directory has accessible files.

array
checkDirectoriesAreNotBrowseable()

Check if our uploads or ConfigAndLog directories have browseable listings.

array
checkFilesAreNotPresent()

Check that some files are not present.

checkRemoteProfile()

Discourage use of remote profile forms.

checkCxnOverrides()

Check that the sysadmin has not modified the Cxn security setup.

bool
isBrowsable(string $dir, string $url)

Determine whether $url is a public, browsable listing for $dir.

bool
isDirAccessible(string $dir, string $url)

Determine whether $url is a public version of $dir in which files are remotely accessible.

string
createDocUrl($topic)

No description

string
guessUrl(string $targetDir)

Make a guess about the URL that corresponds to $targetDir.

Details

bool isEnabled()

Should these checks be run?

Return Value

bool

array checkAll()

Run all checks in this class.

Return Value

array [CRM_Utils_Check_Message]

at line 40
getFilePathMarker()

Each CMS has a different pattern for its default file path and URL.

at line 70
array checkLogFileIsNotAccessible()

Check if our logfile is directly accessible.

By default, CiviCRM places the logfile in a folder which is web-accessible and is protected by a default .htaccess configuration. If the server config causes the .htaccess not to function as intended, there may be information disclosure.

The debug log may be jam-packed with sensitive data, which we don't want exposed.

Being directly retrievable doesn't mean the logfile is browseable or visible to search engines; it only means it can be requested directly.

Return Value

array Array of messages

See also

CRM-14091

at line 126
array checkUploadsAreNotAccessible()

Check if our uploads directory has accessible files.

We'll test a handful of files randomly. Hazard a guess at the URL of the uploads dir, based on common CiviCRM layouts. Try to request the files, and if any are successfully retrieved, warn.

Being retrievable doesn't mean the files are browseable or visible to search engines; it only means they can be requested directly.

Return Value

array Array of messages

See also

CRM-14091

at line 174
array checkDirectoriesAreNotBrowseable()

Check if our uploads or ConfigAndLog directories have browseable listings.

Retrieve a listing of files from the local filesystem, and the corresponding path via HTTP. Then check whether the local files are represented in the HTTP result; if so, warn. This MAY trigger false positives (if you have files named 'a' or 'e', we'll probably match those).

Return Value

array Array of messages

See also

CRM-14091
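An added example (not CiviCRM's own code) of the listing comparison described above, run offline on constructed inputs: the naive substring test the docblock describes beside a stricter variant that only counts files the page actually links to, which avoids the false positives on short names such as 'a' and 'e'. The file names, listing page and threshold are assumptions for illustration.

```python
from html.parser import HTMLParser

# Constructed sample inputs (not CiviCRM data): what a local ConfigAndLog
# directory might contain, an Apache-style index page for it, and an
# unrelated page a misconfigured server might return instead.
LOCAL_FILES = ["CiviCRM.abc123.log", "Config.IDS.ini", "a", "e"]
LISTING_BODY = """<html><title>Index of /sites/default/files/civicrm/ConfigAndLog</title>
<body><h1>Index of /sites/default/files/civicrm/ConfigAndLog</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="CiviCRM.abc123.log">CiviCRM.abc123.log</a></li>
<li><a href="Config.IDS.ini">Config.IDS.ini</a></li>
</ul></body></html>"""
UNRELATED_BODY = "<html><body><h1>Welcome</h1><p>Please log in to continue.</p></body></html>"


class _HrefCollector(HTMLParser):
    """Collects the final path segment of every <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.names.add(value.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1])


def naive_matches(local_files, body):
    """Plain substring test, as the docblock describes; single-letter names
    such as 'a' or 'e' match almost any HTML page (the noted false positive)."""
    return [f for f in local_files if f in body]


def listing_matches(local_files, body):
    """Stricter test: a local file counts only if the page links to it by exact name."""
    collector = _HrefCollector()
    collector.feed(body)
    return [f for f in local_files if f in collector.names]


def is_browsable(local_files, status, body, min_hits=2):
    """Return True when the HTTP response looks like a listing of the local dir.
    Requires a 200 response and at least min_hits exact link matches so that a
    single coincidental name does not raise a warning (min_hits is assumed)."""
    if status != 200 or not local_files:
        return False
    return len(listing_matches(local_files, body)) >= min_hits
```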

at line 215
array checkFilesAreNotPresent()

Check that some files are not present.

These files have generally been deleted from the Civi source tree but could be left online if one does a faulty upgrade.

Return Value

array Array of messages

at line 262
checkRemoteProfile()

Discourage use of remote profile forms.

at line 285
checkCxnOverrides()

Check that the sysadmin has not modified the Cxn security setup.

at line 320
bool isBrowsable(string $dir, string $url)

Determine whether $url is a public, browsable listing for $dir.

Parameters

string $dir Local dir path.
string $url Public URL.

Return Value

bool

at line 354
bool isDirAccessible(string $dir, string $url)

Determine whether $url is a public version of $dir in which files are remotely accessible.

Parameters

string $dir Local dir path.
string $url Public URL.

Return Value

bool

at line 386
string createDocUrl($topic)

Parameters

$topic

Return Value

string

at line 398
string guessUrl(string $targetDir)

Make a guess about the URL that corresponds to $targetDir.

Parameters

string $targetDir Local path to a directory.

Return Value

string A guessed URL for $targetDir.