
function security_review_check_filefield_extensions_help in Security Review 6

Help for the Security Review check for allowed extensions on Filefield fields.

File

./security_review.help.inc, line 365
Main help definition.

Code

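/**
 * Help text for the Filefield allowed-extensions check.
 *
 * Builds the help element shown on the Security Review report: a title, a
 * general description, and - when the last stored check run failed - one
 * finding per Filefield field whose allowed upload extensions are unsafe
 * (either unrestricted, or containing extensions the check considers unsafe).
 *
 * @param array|null $results
 *   Result array as returned by security_review_check_filefield_extensions(),
 *   keyed by 'value' => array(field_name => array('empty' => bool,
 *   'extensions' => array)). When NULL the check is re-run to obtain it.
 *
 * @return array
 *   Help element with 'title', 'descriptions' and optional 'findings' keys.
 */
function security_review_check_filefield_extensions_help($results = NULL) {
  $element['title'] = t('Filefield allowed uploads');
  $element['descriptions'][] = t("The Filefield module allows users to attach files to content. Some extensions are considered dangerous because the files can be evaluated and then executed in the browser. A malicious user could use this opening to gain control of your site.");

  $last_check = security_review_get_last_check('filefield', 'filefield_extensions');
  // A stored record of the last run is not guaranteed to carry both keys, so
  // guard each lookup before comparing.
  if (!empty($last_check['skip'])) {
    $element['findings']['descriptions'][] = _security_review_check_skipped($last_check);
    return $element;
  }
  if (!isset($last_check['result']) || $last_check['result'] != '0') {
    // Check passed (or was never run): nothing to report.
    return $element;
  }

  $element['findings']['descriptions'][] = t('The following Filefield fields have unsafe extensions allowed for uploaded files.');
  if (is_null($results)) {
    $results = security_review_check_filefield_extensions();
  }
  // The check stores one entry per offending field under 'value'; a failed
  // run with no entries (or a malformed result) yields no items.
  if (empty($results['value']) || !is_array($results['value'])) {
    return $element;
  }

  $fields = filefield_get_field_list();
  foreach ($results['value'] as $field_name => $value) {
    // Node type machine names use underscores but their admin paths use
    // dashes. A field no longer present in the field list gets no edit link
    // rather than a notice and a broken URL.
    $edit_url = NULL;
    if (isset($fields[$field_name]['type_name'])) {
      $type_path = str_replace('_', '-', $fields[$field_name]['type_name']);
      $edit_url = "admin/content/node-type/{$type_path}/fields/{$field_name}";
    }

    if (!empty($value['empty'])) {
      $item = t('%field_name has all extensions allowed and should be corrected to limit uploads to safe extensions only', array(
        '%field_name' => $field_name,
      ));
      $html = $item;
      if ($edit_url !== NULL) {
        $html = t('<a href="!url">%field_name</a> has all extensions allowed and should be corrected to limit uploads to safe extensions only', array(
          '%field_name' => $field_name,
          '!url' => url($edit_url),
        ));
      }
      $element['findings']['items'][] = array(
        'html' => $html,
        'safe' => $item,
        'raw' => $field_name,
      );
      continue;
    }

    $extension_list = isset($value['extensions']) ? (array) $value['extensions'] : array();
    $extensions = implode(', ', $extension_list);
    $item = t('%field_name has the unsafe extensions: @extensions', array(
      '%field_name' => $field_name,
      '@extensions' => $extensions,
    ));
    $html = $item;
    if ($edit_url !== NULL) {
      $html = t('<a href="!url">%field_name</a> has the unsafe extensions: @extensions', array(
        '%field_name' => $field_name,
        '@extensions' => $extensions,
        '!url' => url($edit_url),
      ));
    }
    $element['findings']['items'][] = array(
      'html' => $html,
      'safe' => $item,
      'raw' => $field_name . ' : ' . $extensions,
    );
  }
  return $element;
}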