function acquia_spi_security_review_check_private_files in Acquia Connector 6.2
Same name and namespace in other branches
- 7.3 acquia_spi/security_review.inc \acquia_spi_security_review_check_private_files()
- 7.2 acquia_spi/security_review.inc \acquia_spi_security_review_check_private_files()
If private files are enabled, check that the files directory is not under the web root.
There is ample room for the user to get around this check. @TODO get more sophisticated?
1 string reference to 'acquia_spi_security_review_check_private_files'
- _acquia_spi_security_review_security_checks in acquia_spi/security_review.inc - Checks for acquia_spi_security_review_get_checks().
File
- acquia_spi/security_review.inc, line 385 - Stand-alone security checks and review system.
Code
function acquia_spi_security_review_check_private_files() {
  $file_downloads = variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC);
  // The check only applies when the private download method is in use.
  if ($file_downloads == FILE_DOWNLOADS_PRIVATE) {
    $file_directory_path = file_directory_path();
    if (strpos($file_directory_path, '/') === 0) {
      // Path begins at root.
      $result = TRUE;
    }
    elseif (strpos($file_directory_path, '../') === 0) {
      // Path begins by moving up the system.
      $result = FALSE;
    }
    else {
      // Directory is relative (or crafty).
      $result = FALSE;
    }
  }
  else {
    // Private downloads are not enabled, so there is nothing to check.
    $result = NULL;
  }
  return array(
    'result' => $result,
    'value' => $file_downloads,
  );
}
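
The check above looks only at the leading characters of the path, so an absolute path inside the web root passes and a '../' path that really leaves the web root fails. The following is an added example, not Acquia Connector code: one way to test containment by resolving both paths with realpath(). The function name, the $web_root parameter and the directory layout are assumptions made for illustration.

```php
<?php
// Added example, not part of acquia_spi. Names and paths are hypothetical.
// Assumes Unix-style paths, as the prefix tests in the original check do.

/**
 * Returns TRUE if $files_path resolves to the web root or a directory in it.
 * Returns NULL if either path cannot be resolved (for example, it is missing).
 */
function example_files_path_under_web_root($files_path, $web_root) {
  $root = realpath($web_root);
  // Relative paths are resolved against the web root, not the process cwd.
  $candidate = (strpos($files_path, '/') === 0) ? $files_path : $web_root . '/' . $files_path;
  $resolved = realpath($candidate);
  if ($root === FALSE || $resolved === FALSE) {
    return NULL;
  }
  // Compare whole path components so /srv/www2 is not treated as under /srv/www.
  $root = rtrim($root, '/') . '/';
  return strpos($resolved . '/', $root) === 0;
}

// Constructed directory layout under the system temp directory.
$base = sys_get_temp_dir() . '/spi_example_' . uniqid();
mkdir($base . '/docroot/sites/default/files', 0700, TRUE);
mkdir($base . '/private', 0700, TRUE);
$web_root = $base . '/docroot';

$cases = array(
  $web_root . '/sites/default/files',  // Absolute, but inside the web root.
  '../private',                        // Relative, but outside the web root.
  'sites/default/files',               // Relative, inside the web root.
  $base . '/private',                  // Absolute, outside the web root.
);
foreach ($cases as $path) {
  $under = example_files_path_under_web_root($path, $web_root);
  $verdict = ($under === NULL) ? 'unresolved' : ($under ? 'FAIL: under web root' : 'pass: outside web root');
  printf("%-70s %s\n", $path, $verdict);
}
```

Because realpath() follows symbolic links, a files directory that is symlinked into or out of the web root is judged by where it actually resolves, which the prefix comparison cannot do.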