
private function SecurityReviewController::checkExecutablePhp in Acquia Connector 3.x

Same name and namespace in other branches
  1. 8.2 src/Controller/SecurityReviewController.php \Drupal\acquia_connector\Controller\SecurityReviewController::checkExecutablePhp()
  2. 8 src/Controller/SecurityReviewController.php \Drupal\acquia_connector\Controller\SecurityReviewController::checkExecutablePhp()

Check if PHP files written to the files directory can be executed.

File

src/Controller/SecurityReviewController.php, line 308

Class

SecurityReviewController
Acquia Security Review page.

Namespace

Drupal\acquia_connector\Controller

Code

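/**
 * Check if PHP files written to the files directory can be executed.
 *
 * Writes a small PHP probe into the public files directory, requests it over
 * HTTP and reports 'executable_php' when the web server executed it. It then
 * verifies that the directory's .htaccess exists, matches the expected text
 * and is not writable. The probe file is removed in every case, including
 * when the HTTP request throws something that is not an \Exception.
 *
 * @param mixed $last_check
 *   Unused; kept for signature compatibility with the other checks.
 *
 * @return array
 *   An array with 'result' (TRUE when no problem was found) and 'value' (a
 *   list of problem identifiers: 'executable_php', 'missing_htaccess',
 *   'incorrect_htaccess', 'writable_htaccess').
 */
private function checkExecutablePhp($last_check = NULL) {
  global $base_url;
  $result = TRUE;
  $check_result_value = [];

  // The probe only echoes a per-run marker, so its content is harmless; the
  // marker is what the HTTP response body is compared against below.
  $message = 'Security review test ' . date('Ymdhis');
  $content = "<?php\necho '" . $message . "';";

  // Resolve the public files directory: configured path, then the site path,
  // then the Drupal default.
  $directory = Settings::get('file_public_path');
  if (empty($directory)) {
    $directory = DrupalKernel::findSitePath(\Drupal::request()) . DIRECTORY_SEPARATOR . 'files';
  }
  if (empty($directory)) {
    $directory = 'sites/default/files';
  }
  $file = '/security_review_test.php';
  $local_path = './' . $directory . $file;
  // NOTE(review): assumes $directory is relative to the web root, since the
  // same value is appended to $base_url for the request — confirm for sites
  // that configure an absolute file_public_path.
  $remote_url = $base_url . '/' . $directory . $file;

  // Best effort: a failed write is not itself a finding (the request below
  // then simply fails to execute anything), so the suppression is intentional.
  if ($file_create = @fopen($local_path, 'w')) {
    fwrite($file_create, $content);
    fclose($file_create);
  }
  try {
    $response = \Drupal::httpClient()->post($remote_url);
    // Strict status comparison; only enough of the body to hold the marker is
    // read.
    if ($response->getStatusCode() === 200 && $response->getBody()->read(100) === $message) {
      $result = FALSE;
      $check_result_value[] = 'executable_php';
    }
  } catch (\Exception $e) {
    // A failed request (404, connection error) means the probe was not served
    // as PHP output, which is the desired outcome; nothing to report.
  } finally {
    // Never leave a PHP file behind in the web-accessible files directory,
    // even when the request throws an \Error rather than an \Exception.
    if (file_exists($local_path)) {
      @unlink($local_path);
    }
  }

  // Check for presence of the .htaccess file and if the contents are correct.
  $htaccess = $directory . '/.htaccess';
  if (!file_exists($htaccess)) {
    $result = FALSE;
    $check_result_value[] = 'missing_htaccess';
  }
  else {
    $contents = file_get_contents($htaccess);

    // Text from includes/file.inc.
    // NOTE(review): the expected text is empty in this listing, so any
    // non-empty .htaccess is reported as incorrect — confirm against the
    // canonical .htaccess text in the real source.
    $expected = '';
    // An unreadable file (FALSE) is treated as incorrect rather than ignored.
    if ($contents === FALSE || $contents !== $expected) {
      $result = FALSE;
      $check_result_value[] = 'incorrect_htaccess';
    }
    if (is_writable($htaccess)) {
      // Informational only: a writable .htaccess does not change $result.
      $check_result_value[] = 'writable_htaccess';
    }
  }
  return [
    'result' => $result,
    'value' => $check_result_value,
  ];
}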