function security_review_check_private_files in Security Review 7

Same name and namespace in other branches
  1. 6 security_review.inc \security_review_check_private_files()

If a private file system path is configured (the file_private_path variable), check that the directory is not under the web root (DRUPAL_ROOT).

The check is a plain string-prefix comparison on realpath(), so there is ample room for the user to get around it: a path that realpath() cannot resolve yields FALSE and the check passes, and a sibling directory whose name merely starts with the web root path is flagged as if it were inside it. @TODO get more sophisticated?
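The following is an added example, not code from the Security Review module or from Drupal. It reimplements the check as a stand-alone PHP function so that the weak spots of the prefix test can be exercised without a Drupal bootstrap, and places a hardened variant beside it. The function names (example_prefix_check, example_private_files_outside_web_root) and the directory layout built under the system temp directory are constructed for illustration; the hardened variant treats an unresolvable path as a failure and compares whole path components instead of a raw string prefix.

```php
<?php
// Added example, not part of the Security Review module. The directory
// names below are constructed for illustration only.

/**
 * The module's original comparison, reproduced for side-by-side output:
 * passes (TRUE) unless realpath($private_path) begins with $web_root.
 */
function example_prefix_check($private_path, $web_root) {
  return strpos(realpath($private_path), $web_root) !== 0;
}

/**
 * Hardened variant (assumption: this is not how the module does it).
 * Returns TRUE when the directory is outside the web root, FALSE when it is
 * inside it or cannot be resolved, NULL when no path is configured.
 *
 *  - realpath() returning FALSE (nonexistent path) fails the check instead
 *    of silently passing, since strpos(FALSE, ...) is never 0.
 *  - Both paths are canonicalised and terminated with a separator, so
 *    /var/www/html_private no longer matches the web root /var/www/html.
 */
function example_private_files_outside_web_root($private_path, $web_root) {
  if ($private_path === '') {
    return NULL;
  }
  $real_private = realpath($private_path);
  $real_root = realpath($web_root);
  if ($real_private === FALSE || $real_root === FALSE) {
    return FALSE;
  }
  $root = rtrim($real_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  $private = rtrim($real_private, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return strpos($private, $root) !== 0;
}

// Constructed layout: a web root, a sibling whose name shares its prefix,
// a directory inside the root, a genuinely external directory, and a symlink
// outside the root that points back into it. realpath() on the temp dir
// avoids a mismatch on systems where the temp dir is itself a symlink.
$base = realpath(sys_get_temp_dir()) . '/sr_example_' . getmypid();
$root = "$base/html";
mkdir("$root/sites/default/private", 0700, TRUE);
mkdir("$base/html_private", 0700, TRUE);
mkdir("$base/private", 0700, TRUE);
symlink("$root/sites/default/private", "$base/looks_external");

$cases = array(
  'inside root'       => "$root/sites/default/private",
  'prefix collision'  => "$base/html_private",
  'sibling of root'   => "$base/private",
  'symlink into root' => "$base/looks_external",
  'nonexistent'       => "$base/does_not_exist",
);

foreach ($cases as $label => $path) {
  printf("%-18s module:%-6s hardened:%s\n",
    $label,
    var_export(example_prefix_check($path, $root), TRUE),
    var_export(example_private_files_outside_web_root($path, $root), TRUE));
}

// Remove the constructed layout again.
unlink("$base/looks_external");
foreach (array("$root/sites/default/private", "$root/sites/default",
               "$root/sites", $root, "$base/html_private",
               "$base/private", $base) as $dir) {
  rmdir($dir);
}
```

Run with `php example.php`. The two rows worth noting are "prefix collision", where the module's comparison reports FALSE (a false alarm for a directory that is actually outside the web root), and "nonexistent", where it reports TRUE because realpath() returned FALSE and the prefix test cannot match; the hardened variant returns TRUE and FALSE respectively. The "symlink into root" row shows that realpath() does resolve links in both versions, so a symlink is not by itself a way around the check.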

1 string reference to 'security_review_check_private_files'
_security_review_security_checks in ./security_review.inc
Core Security Review's checks.

File

./security_review.inc, line 379
Stand-alone security checks and review system.

Code

function security_review_check_private_files() {
  $file_directory_path = variable_get('file_private_path', '');
  if (empty($file_directory_path)) {
    // No private file system path is configured, so there is nothing to
    // check; NULL tells the review system to ignore this check.
    $result = NULL;
  }
  elseif (strpos(realpath($file_directory_path), DRUPAL_ROOT) === 0) {
    // The canonical path begins with DRUPAL_ROOT, so the private directory
    // sits under the web root: fail the check.
    $result = FALSE;
  }
  else {
    // Note that realpath() returns FALSE for a path that does not exist and
    // strpos() on that value is never 0, so an unresolvable path also lands
    // here and passes.
    $result = TRUE;
  }
  return array(
    'result' => $result,
    'value' => $file_directory_path,
  );
}