function security_review_check_executable_php in Security Review 7
Check if PHP files written to the files directory can be executed.
1 string reference to 'security_review_check_executable_php'
- _security_review_security_checks in ./
security_review.inc - Core Security Review's checks.
File
- ./
security_review.inc, line 630 - Stand-alone security checks and review system.
Code
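/**
 * Check if PHP files written to the files directory can be executed.
 *
 * Writes a short PHP probe into the public files directory, requests it over
 * HTTP and compares the response body with the expected marker; the probe is
 * removed again afterwards. The directory's .htaccess file is then checked for
 * presence, for agreement with the lines core expects (file_htaccess_lines())
 * and for being writable.
 *
 * @param int $last_check
 *   Timestamp of the previous run of this check; not used by this check.
 *
 * @return array
 *   An array with two keys:
 *   - result: TRUE when the check passed, FALSE otherwise.
 *   - value: a list of keys describing what was found, any of
 *     'executable_php', 'missing_htaccess', 'outdated_core',
 *     'incorrect_htaccess' or 'writable_htaccess'. 'writable_htaccess' is
 *     reported without failing the check.
 */
function security_review_check_executable_php($last_check = NULL) {
  global $base_url;
  $result = TRUE;
  $check_result_value = array();

  // The marker carries a timestamp so a stale probe left behind by an earlier
  // run cannot satisfy this run's comparison.
  $message = 'Security review test ' . date('Ymdhis');
  $content = "<?php\necho '" . $message . "';";
  $directory = variable_get('file_public_path', 'sites/default/files');
  $file = '/security_review_test.php';
  $probe_path = './' . $directory . $file;
  $htaccess_path = $directory . '/.htaccess';

  // Best effort: an unwritable files directory is not itself a failure of this
  // check, so the warning is suppressed and the request is still made.
  if ($handle = @fopen($probe_path, 'w')) {
    fwrite($handle, $content);
    fclose($handle);
  }
  $response = drupal_http_request($base_url . '/' . $directory . $file);
  // Guard the data property: it may be absent when the request itself failed.
  if ($response->code == 200 && isset($response->data) && $response->data === $message) {
    $result = FALSE;
    $check_result_value[] = 'executable_php';
  }
  // Always remove the probe so it does not linger in the public directory.
  if (file_exists($probe_path)) {
    @unlink($probe_path);
  }

  // Check for presence of the .htaccess file and if the contents are correct.
  if (!file_exists($htaccess_path)) {
    $result = FALSE;
    $check_result_value[] = 'missing_htaccess';
  }
  elseif (!function_exists('file_htaccess_lines')) {
    // Without file_htaccess_lines() there is no reference text to compare
    // against, so the installed core is treated as too old to verify.
    $result = FALSE;
    $check_result_value[] = 'outdated_core';
  }
  else {
    $contents = file_get_contents($htaccess_path);
    // Text from includes/file.inc; an unreadable file counts as incorrect.
    $expected = file_htaccess_lines(FALSE);
    if ($contents === FALSE || trim($contents) !== trim($expected)) {
      $result = FALSE;
      $check_result_value[] = 'incorrect_htaccess';
    }
    if (is_writable($htaccess_path)) {
      // Don't modify $result: a writable .htaccess is reported, not failed.
      $check_result_value[] = 'writable_htaccess';
    }
  }

  return array(
    'result' => $result,
    'value' => $check_result_value,
  );
}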