CRM_Utils_Check_Component_Security

class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component

Methods

getFilePathMarker(): CMS have a different pattern to their default file path and URL.
checkLogFileIsNotAccessible(): Check if our logfile is directly accessible.
checkUploadsAreNotAccessible(): Check if our uploads directory has accessible files.
checkDirectoriesAreNotBrowseable(): Check if our uploads or ConfigAndLog directories have browseable listings.
checkFilesAreNotPresent(): Check that some files are not present.
checkRemoteProfile(): Discourage use of remote profile forms.
checkCxnOverrides(): Check that the sysadmin has not modified the Cxn security setup.
isBrowsable(): Determine whether $url is a public, browsable listing for $dir.
isDirAccessible(): Determine whether $url is a public version of $dir in which files are remotely accessible.
createDocUrl(): No description.
guessUrl(): Make a guess about the URL that corresponds to $targetDir.
Details
in CRM_Utils_Check_Component at line 40
bool isEnabled()
Should these checks be run?

in CRM_Utils_Check_Component at line 50
array checkAll()
Run all checks in this class.

at line 40
getFilePathMarker()
CMS have a different pattern to their default file path and URL.

at line 70
array checkLogFileIsNotAccessible()
Check if our logfile is directly accessible.
By CiviCRM default the logfile sits in a folder which is web-accessible and is protected by a default .htaccess configuration. If the server configuration causes the .htaccess not to function as intended, there may be information disclosure.
The debug log may be jam-packed with sensitive data; we don't want that exposed.
Being retrievable directly doesn't mean the logfile is browseable or visible to search engines; it only means it can be requested directly.

at line 126
array checkUploadsAreNotAccessible()
Check if our uploads directory has accessible files.
We test a handful of files chosen at random. We hazard a guess at the URL of the uploads dir, based on common CiviCRM layouts, try to request the files, and warn if any are successfully retrieved.
Being retrievable doesn't mean the files are browseable or visible to search engines; it only means they can be requested directly.

at line 174
array checkDirectoriesAreNotBrowseable()
Check if our uploads or ConfigAndLog directories have browseable listings.
Retrieve a listing of files from the local filesystem, and fetch the corresponding path via HTTP. Then check whether the local file names appear in the HTTP response; if so, warn. This MAY trigger false positives (if you have files named 'a' or 'e', we'll probably match those).
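The two checks above (checkUploadsAreNotAccessible and checkDirectoriesAreNotBrowseable) each come down to one decision over fetched data: did a direct GET of a sampled file succeed, and does the HTML served for the directory URL look like a listing of the local files. The following is an added PHP example, not CiviCRM's own code; the function names filesExposed, listingExposesNaive and listingExposes, and the sample HTML and status codes, are constructed for illustration. It reproduces the false positive the docblock warns about (short names such as 'a' or 'e' matching incidental page text) and shows one way to avoid it, by counting a file as listed only when it is the target of a link.

```php
<?php
// Added example, not CiviCRM code. Pure functions over already-fetched data,
// so the decision logic can be exercised offline; fetching is the caller's job.

/**
 * checkUploadsAreNotAccessible-style decision: given filename => HTTP status
 * from a direct GET of each sampled file, return the ones that were served.
 */
function filesExposed(array $statusByFile): array
{
    return array_keys(array_filter(
        $statusByFile,
        fn(int $status): bool => $status >= 200 && $status < 300
    ));
}

/**
 * Naive checkDirectoriesAreNotBrowseable-style decision: does each local
 * file name occur anywhere in the body returned for the directory URL?
 * This is the variant that yields the 'a' / 'e' false positives.
 */
function listingExposesNaive(array $localFiles, string $html): array
{
    return array_values(array_filter(
        $localFiles,
        fn(string $f): bool => strpos($html, $f) !== false
    ));
}

/**
 * Stricter variant: only count a file as listed when it appears as the
 * target of a link (href="name" or href='name'), which is what an
 * autoindex page emits and what incidental page text does not.
 */
function listingExposes(array $localFiles, string $html): array
{
    $hits = [];
    foreach ($localFiles as $f) {
        $pattern = '/href\s*=\s*["\']' . preg_quote($f, '/') . '["\']/i';
        if (preg_match($pattern, $html) === 1) {
            $hits[] = $f;
        }
    }
    return $hits;
}

// Constructed sample data (not taken from any real site).
$localFiles = ['a', 'e', 'export_2023.csv', 'invoice_0042.pdf'];

// What an autoindex page for the uploads directory might return; the trailing
// text stands in for arbitrary page content that happens to contain 'a' and 'e'.
$indexHtml = '<html><body><h1>Index of /upload</h1>'
    . '<a href="export_2023.csv">export_2023.csv</a> '
    . '<a href="notes.txt">notes.txt</a>'
    . ' Parent directory</body></html>';

// Result of a direct GET on each sampled file, as HTTP status codes.
$statusByFile = [
    'a'                => 403,
    'e'                => 403,
    'export_2023.csv'  => 200,
    'invoice_0042.pdf' => 404,
];

$direct = filesExposed($statusByFile);
$naive  = listingExposesNaive($localFiles, $indexHtml);
$strict = listingExposes($localFiles, $indexHtml);

printf("Directly retrievable: %s\n", implode(', ', $direct));
printf("Naive listing match:  %s\n", implode(', ', $naive));
printf("Strict listing match: %s\n", implode(', ', $strict));

if ($direct || $strict) {
    echo "WARNING: uploads directory is web-accessible; restore the .htaccess or equivalent web server rule.\n";
}
```

With this input the naive matcher flags 'a' and 'e' as well as the genuinely listed CSV, while the href-based matcher flags only the CSV; the direct-GET check independently confirms the same file is served. In a real check the sampled names would come from scandir() on the local directory and the statuses and body from an HTTP client, and a warning should be raised if either decision is non-empty.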
at line 215
array checkFilesAreNotPresent()
Check that some files are not present.
These files have generally been deleted from the Civi source tree but could be left online if one does a faulty upgrade.

at line 262
checkRemoteProfile()
Discourage use of remote profile forms.

at line 285
checkCxnOverrides()
Check that the sysadmin has not modified the Cxn security setup.

at line 320
bool isBrowsable(string $dir, string $url)
Determine whether $url is a public, browsable listing for $dir.

at line 354
bool isDirAccessible(string $dir, string $url)
Determine whether $url is a public version of $dir in which files are remotely accessible.

at line 386
string createDocUrl($topic)
No description.

at line 398
string guessUrl(string $targetDir)
Make a guess about the URL that corresponds to $targetDir.