function security_review_check_private_files in Security Review 7
Same name and namespace in other branches
- 6 security_review.inc \security_review_check_private_files()
If private files are enabled, check that the directory is not under the web root.
There is ample room for the user to get around this check. @TODO get more sophisticated?
1 string reference to 'security_review_check_private_files'
- _security_review_security_checks in ./security_review.inc - Core Security Review's checks.
File
- ./security_review.inc, line 379 - Stand-alone security checks and review system.
Code
function security_review_check_private_files() {
  $file_directory_path = variable_get('file_private_path', '');
  if (empty($file_directory_path)) {
    $result = NULL;
    // Ignore this check.
  }
  elseif (strpos(realpath($file_directory_path), DRUPAL_ROOT) === 0) {
    // Path begins at root.
    $result = FALSE;
  }
  else {
    $result = TRUE;
  }
  return array(
    'result' => $result,
    'value' => $file_directory_path,
  );
}
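A stricter form of this check, as an added example that is not the Security Review module's code: the hypothetical helper `private_path_outside_webroot()` fails closed when `realpath()` cannot resolve the path, anchors relative paths to the web root, and compares on a directory boundary so a sibling such as `drupal-private` is not mistaken for a subdirectory. It assumes POSIX paths, and the temp-directory layout it runs against is constructed sample input.

```php
<?php
// Hypothetical helper (added example, not Security Review's code). POSIX paths.
// Returns NULL when no private path is set, TRUE when it resolves outside the
// web root, FALSE when it resolves inside or cannot be resolved at all.
function private_path_outside_webroot($private_path, $web_root) {
  if ($private_path === NULL || $private_path === '') {
    return NULL;
  }
  // Anchor relative paths to the web root; realpath() alone would resolve
  // them against the process's current working directory.
  if ($private_path[0] !== '/') {
    $private_path = $web_root . '/' . $private_path;
  }
  $real_root = realpath($web_root);
  $real_private = realpath($private_path);
  // realpath() returns FALSE for a missing or unreadable path. Fail closed
  // rather than let the prefix test below silently report "outside".
  if ($real_root === FALSE || $real_private === FALSE) {
    return FALSE;
  }
  // Compare on a directory boundary so /srv/drupal-private is not treated
  // as living under /srv/drupal.
  $root_prefix = rtrim($real_root, '/') . '/';
  return strpos(rtrim($real_private, '/') . '/', $root_prefix) !== 0;
}

// Constructed sample layout under the system temp directory.
$base = sys_get_temp_dir() . '/sr_demo_' . getmypid();
$root = "$base/drupal";
foreach (array("$root/sites/default/files/private", "$base/drupal-private") as $dir) {
  is_dir($dir) || mkdir($dir, 0700, TRUE);
}
$cases = array(
  '',                                   // private files not configured
  'sites/default/files/private',        // relative path below the web root
  "$root/../drupal/sites/default/files/private", // ".." that resolves back inside
  "$base/drupal-private",               // sibling sharing the root's name prefix
  "$base/missing",                      // directory does not exist
);
foreach ($cases as $path) {
  $result = private_path_outside_webroot($path, $root);
  echo var_export($path, TRUE), ' => ', var_export($result, TRUE), "\n";
}
```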