CRM_Utils_Check_Component_Security
class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component
Properties
array $checksConfig (inherited from CRM_Utils_Check_Component)
Methods
fileExists(string $url, float|bool $timeoutOverride = FALSE): Check if a file exists at the given URL. (inherited from CRM_Utils_Check_Component)
getFilePathMarker(): Each CMS has its own pattern for mapping its default file path to a URL.
checkLogFileIsNotAccessible(): Check if our logfile is directly accessible.
checkUploadsAreNotAccessible(): Check if our uploads directory has accessible files.
checkDirectoriesAreNotBrowseable(): Check if our uploads or ConfigAndLog directories have browseable listings.
checkFilesAreNotPresent(): Check that some files are not present.
checkRemoteProfile(): Discourage use of remote profile forms.
checkCxnOverrides(): Check that the sysadmin has not modified the Cxn security setup.
isBrowsable(string $dir, string $url): Determine whether $url is a public, browsable listing for $dir.
isDirAccessible(string $dir, string $url): Determine whether $url is a public version of $dir in which files are remotely accessible.
createDocUrl($topic): No description.
guessUrl(string $targetDir): Make a guess about the URL that corresponds to $targetDir.
Details
in CRM_Utils_Check_Component at line 50
array
getChecksConfig()
Get the configured status checks.
in CRM_Utils_Check_Component at line 63
setChecksConfig(array $checksConfig)
in CRM_Utils_Check_Component at line 72
bool
isEnabled()
Should these checks be run?
in CRM_Utils_Check_Component at line 85
array
checkAll()
Run all checks in this class.
in CRM_Utils_Check_Component at line 106
bool
isDisabled(string $method)
Is the specified check disabled.
in CRM_Utils_Check_Component at line 132
bool
fileExists(string $url, float|bool $timeoutOverride = FALSE)
Check if file exists on given URL.
at line 40
getFilePathMarker()
Each CMS has its own pattern for mapping its default file path to a URL.
at line 70
array
checkLogFileIsNotAccessible()
Check if our logfile is directly accessible.
By default CiviCRM writes its log file into a folder that is web-accessible, relying on a default .htaccess configuration to block requests. If the server configuration prevents that .htaccess from taking effect (for example, AllowOverride is switched off, or the site runs on a web server such as nginx that does not read .htaccess files at all), the log can be disclosed.
The debug log may be jam-packed with sensitive data, which we do not want exposed.
Being retrievable directly does not mean the log file is browseable or visible to search engines; it only means it can be requested by URL once its name is known.
at line 125
array
checkUploadsAreNotAccessible()
Check if our uploads directory has accessible files.
We test a handful of files chosen at random. Hazard a guess at the URL of the uploads dir, based on common CiviCRM layouts, try to request the files, and warn if any of them is successfully retrieved.
Being retrievable doesn't mean the files are browseable or visible to search engines; it only means they can be requested directly.
at line 173
array
checkDirectoriesAreNotBrowseable()
Check if our uploads or ConfigAndLog directories have browseable listings.
Retrieve a listing of files from the local filesystem and the corresponding path via HTTP, then check whether the local file names appear in the HTTP response; if so, warn. This MAY trigger false positives: very short names such as 'a' or 'e' will probably match somewhere in almost any response.
at line 213
array
checkFilesAreNotPresent()
Check that some files are not present.
These files have generally been deleted from the Civi source tree but could be left online after a faulty upgrade (for example, a new release unpacked over the old tree without removing it first).
at line 260
checkRemoteProfile()
Discourage use of remote profile forms.
at line 282
checkCxnOverrides()
Check that the sysadmin has not modified the Cxn security setup.
at line 317
bool
isBrowsable(string $dir, string $url)
Determine whether $url is a public, browsable listing for $dir
at line 351
bool
isDirAccessible(string $dir, string $url)
Determine whether $url is a public version of $dir in which files are remotely accessible.
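The following is an added, stand-alone Python re-implementation of the ideas behind isBrowsable and isDirAccessible (and therefore of checkUploadsAreNotAccessible and checkDirectoriesAreNotBrowseable); it is example code, not CiviCRM's PHP. It keeps the two probes described above, comparing local file names against a fetched listing and requesting a random sample of local files, with two tightenings a practitioner would want: names are only matched as href targets and short names are skipped, to avoid the false positives noted for the listing check, and a fetched file only counts as accessible when its body is byte-identical to the local file, so a CMS that answers unknown paths with a 200 "not found" page does not trigger a warning. The HTTP layer is an injected fetch callable; make_fake_server, the example URL and the sample ConfigAndLog files are constructed here so the module runs offline.

```python
import os
import random
import re
import tempfile
from pathlib import Path
from typing import Callable, Tuple
from urllib.parse import quote, unquote

# The HTTP layer is injected: fetch(url) -> (status_code, body_bytes).
Fetcher = Callable[[str], Tuple[int, bytes]]

MIN_NAME_LEN = 4  # names like 'a' or 'e' would match almost any HTML page


def is_browsable(local_dir: str, base_url: str, fetch: Fetcher, min_hits: int = 2) -> bool:
    """True when the HTTP response for base_url looks like a listing of local_dir.

    Local names are matched as link targets (href="name"), not as bare
    substrings, and short names are skipped; both reduce false positives."""
    names = [n for n in os.listdir(local_dir) if len(n) >= MIN_NAME_LEN]
    if not names:
        return False
    status, body = fetch(base_url.rstrip("/") + "/")
    if status != 200:
        return False
    text = body.decode("utf-8", errors="replace")
    hits = [n for n in names if re.search(r'href=["\']' + re.escape(quote(n)), text)]
    return len(hits) >= min(min_hits, len(names))


def is_dir_accessible(local_dir: str, base_url: str, fetch: Fetcher,
                      sample: int = 5, seed: int = 0) -> bool:
    """True when any of a random sample of files in local_dir is retrievable
    under base_url with byte-identical content. A bare 200 is not enough:
    many CMSes answer unknown paths with a 200 'not found' page."""
    files = [p for p in Path(local_dir).iterdir() if p.is_file()]
    for p in random.Random(seed).sample(files, min(sample, len(files))):
        status, body = fetch(base_url.rstrip("/") + "/" + quote(p.name))
        if status == 200 and body == p.read_bytes():
            return True
    return False


def make_fake_server(doc_root: str, base_url: str, listing: bool, serve_files: bool) -> Fetcher:
    """Constructed stand-in for a web server exposing doc_root at base_url.
    listing=False models 'Options -Indexes'; serve_files=False models the
    default ConfigAndLog .htaccess denying every request."""
    root = Path(doc_root).resolve()

    def fetch(url: str) -> Tuple[int, bytes]:
        if not url.startswith(base_url):
            return 404, b"Not found"
        target = (root / unquote(url[len(base_url):].lstrip("/"))).resolve()
        if target != root and root not in target.parents:
            return 403, b"Forbidden"  # refuse traversal outside doc_root
        if target.is_dir():
            if not listing:
                return 403, b"Forbidden"
            links = "".join(f'<a href="{quote(n)}">{n}</a>\n' for n in sorted(os.listdir(target)))
            return 200, f"<html><body><h1>Index of /</h1>\n{links}</body></html>".encode()
        if target.is_file():
            return (200, target.read_bytes()) if serve_files else (403, b"Forbidden")
        return 404, b"Not found"

    return fetch


def demo() -> dict:
    """Run both probes against an exposed and a hardened fake server over a
    constructed ConfigAndLog directory; returns the four verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "ConfigAndLog"
        log_dir.mkdir()
        # Constructed sample contents, not real CiviCRM data.
        (log_dir / "CiviCRM.abc123.log").write_bytes(b"Jan 01 12:00:00 [debug] params = Array(...)\n")
        (log_dir / "Config.IDS.ini").write_bytes(b"[ids]\n")
        (log_dir / "a").write_bytes(b"x")  # short name: ignored by is_browsable
        base = "https://example.org/sites/default/files/civicrm/ConfigAndLog"  # assumed URL
        exposed = make_fake_server(str(log_dir), base, listing=True, serve_files=True)
        hardened = make_fake_server(str(log_dir), base, listing=False, serve_files=False)
        return {
            "exposed_browsable": is_browsable(str(log_dir), base, exposed),
            "exposed_accessible": is_dir_accessible(str(log_dir), base, exposed),
            "hardened_browsable": is_browsable(str(log_dir), base, hardened),
            "hardened_accessible": is_dir_accessible(str(log_dir), base, hardened),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'WARN' if verdict else 'ok'}")
```

To probe a live site, pass a fetch callable built on urllib.request (or any HTTP client) instead of make_fake_server, and point local_dir at the real uploads or ConfigAndLog directory; the seed only makes the sampled files reproducible between runs.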
at line 382
string
createDocUrl($topic)
at line 394
string
guessUrl(string $targetDir)
Make a guess about the URL that corresponds to $targetDir.