
function security_review_check_executable_php_help in Security Review 7

File

./security_review.help.inc, line 357
Main help definition.

Code

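/**
 * Builds the help element for the "Executable PHP in files directory" check.
 *
 * @param array|null $check
 *   Result of the check. Only $check['value'] is read; it is expected to be a
 *   list of finding labels. Recognised labels are 'executable_php',
 *   'missing_htaccess', 'incorrect_htaccess', 'outdated_core' and
 *   'writable_htaccess'. Any other label is ignored.
 * @param string|null $skipped_message
 *   Optional message added to the findings when it is not empty.
 *
 * @return array
 *   Array with 'title' and 'descriptions' keys, plus a
 *   'findings' => 'descriptions' list when there is something to report.
 */
function security_review_check_executable_php_help($check = NULL, $skipped_message = NULL) {
  $element = array();
  $element['title'] = t('Executable PHP in files directory');
  $element['descriptions'][] = t("The Drupal files directory is for user-uploaded files and by default provides some protection against a malicious user executing arbitrary PHP code against your site.");
  // The '!' placeholder is inserted without escaping; that is acceptable here
  // because the value is a hard-coded URL.
  $element['descriptions'][] = t('Read more about the <a href="!link">risk of PHP code execution on Drupal.org</a>.', array(
    '!link' => 'https://drupal.org/node/615888',
  ));
  if (!empty($skipped_message)) {
    // NOTE(review): added as-is; presumably the caller passes text that is
    // already safe for HTML output. Confirm against the caller.
    $element['findings']['descriptions'][] = $skipped_message;
  }
  // Only iterate a real list of labels; a scalar 'value' would make foreach
  // emit a warning.
  if (!empty($check['value']) && is_array($check['value'])) {
    foreach ($check['value'] as $label) {
      switch ($label) {
        case 'executable_php':
          $element['findings']['descriptions'][] = t('Security Review was able to execute a PHP file written to your files directory.');
          break;

        case 'missing_htaccess':
          $directory = variable_get('file_public_path', 'sites/default/files');
          // The path comes from site configuration and lands in HTML through
          // the unescaped '!' placeholder, so escape it first. Keeping the
          // placeholder name leaves the translatable source string unchanged.
          $element['findings']['descriptions'][] = t("The .htaccess file is missing from the files directory at !path", array(
            '!path' => check_plain($directory),
          ));
          $element['findings']['descriptions'][] = t("Note, if you are using a webserver other than Apache you should consult your server's documentation on how to limit the execution of PHP scripts in this directory.");
          break;

        case 'incorrect_htaccess':
          $element['findings']['descriptions'][] = t("The .htaccess file exists but does not contain the correct content. It is possible it's been maliciously altered.");
          break;

        case 'outdated_core':
          $element['findings']['descriptions'][] = t("You are running a out-of-date Drupal installation that is vulnerable to arbitrary code execution via weak htaccess protection. Upgrade to the latest version of Drupal. See <a href='https://drupal.org/SA-CORE-2013-003'>SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities</a> for the full report.");
          break;

        case 'writable_htaccess':
          $element['findings']['descriptions'][] = t("The .htaccess file is writeable which poses a risk should a malious user find a way to execute PHP code they could alter the htaccess file to allow further PHP code execution.");
          break;
      }
    }
  }
  return $element;
}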