
public function ExecutablePhp::run in Security Review 8

The actual procedure of carrying out the check.

Return value

\Drupal\security_review\CheckResult The result of running the check.

Overrides Check::run

1 call to ExecutablePhp::run()
ExecutablePhp::runCli in src/Checks/ExecutablePhp.php
Same as run(), but used in a CLI context such as Drush.

File

src/Checks/ExecutablePhp.php, line 48

Class

ExecutablePhp
Checks if PHP files written to the files directory can be executed.

Namespace

Drupal\security_review\Checks

Code

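/**
 * {@inheritdoc}
 *
 * Writes a small PHP file into the public files directory, requests it over
 * HTTP and reports a failure when the web server executed it. The public
 * .htaccess is then inspected for presence, expected content and writability.
 *
 * @param bool $cli
 *   TRUE when running in a CLI context (e.g. Drush). Switches the .htaccess
 *   writability test from is_writable() to the security service's file scan.
 *
 * @return \Drupal\security_review\CheckResult
 *   The result of running the check.
 */
public function run($cli = FALSE) {
  global $base_url;
  $result = CheckResult::SUCCESS;
  $findings = [];

  // Set up test file data. The timestamp makes the expected output unique to
  // this run, so a stale copy of the file cannot satisfy the comparison.
  $message = 'Security review test ' . date('Ymdhis');
  $content = "<?php\necho '" . $message . "';";
  $file_path = PublicStream::basePath() . '/security_review_test.php';
  $local_path = './' . $file_path;

  // Create the test file. A failed write is deliberately not fatal: the HTTP
  // probe below then cannot match and the check continues with .htaccess.
  if ($test_file = @fopen($local_path, 'w')) {
    fwrite($test_file, $content);
    fclose($test_file);
  }

  // Try to access the test file. Cleanup runs in `finally` so the probe file
  // is removed even when the request throws something other than a
  // RequestException; a PHP file must never be left behind in the public
  // files directory.
  try {
    $response = $this->httpClient->get($base_url . '/' . $file_path);
    // NOTE(review): assumes a PSR-7 response, whose getBody() returns a stream
    // object; the cast compares the response text instead of the object
    // (and is a no-op if the client already returns a string).
    $body = (string) $response->getBody();
    if ((int) $response->getStatusCode() === 200 && $body === $message) {
      $result = CheckResult::FAIL;
      $findings[] = 'executable_php';
    }
  }
  catch (RequestException $e) {
    // Access was denied to the file, which is the desired outcome.
  }
  finally {
    // Remove the test file.
    if (file_exists($local_path)) {
      @unlink($local_path);
    }
  }

  // Check for presence of the .htaccess file and if the contents are correct.
  $htaccess_path = PublicStream::basePath() . '/.htaccess';
  if (!file_exists($htaccess_path)) {
    $result = CheckResult::FAIL;
    $findings[] = 'missing_htaccess';
  }
  else {
    // Trim each line separately, then put them back together, so that
    // whitespace-only differences do not count as a modified .htaccess.
    $normalize = function ($text) {
      return implode("\n", array_map('trim', explode("\n", trim($text))));
    };

    // An unreadable .htaccess is compared as empty and therefore reported as
    // incorrect rather than silently passing.
    $contents = file_get_contents($htaccess_path);
    if ($contents === FALSE) {
      $contents = '';
    }
    $expected = FileSecurity::htaccessLines(FALSE);

    if ($normalize($contents) !== $normalize($expected)) {
      $result = CheckResult::FAIL;
      $findings[] = 'incorrect_htaccess';
    }

    // Check whether .htaccess is writable.
    if (!$cli) {
      $writable_htaccess = is_writable($htaccess_path);
    }
    else {
      // NOTE(review): presumably the CLI user differs from the web server
      // user, so the security service's scan is used instead of is_writable();
      // confirm against Security::findWritableFiles().
      $writable = $this->security()->findWritableFiles([$htaccess_path], TRUE);
      $writable_htaccess = !empty($writable);
    }

    // A writable .htaccess only downgrades to WARN; a FAIL already recorded
    // above takes precedence.
    if ($writable_htaccess) {
      $findings[] = 'writable_htaccess';
      if ($result !== CheckResult::FAIL) {
        $result = CheckResult::WARN;
      }
    }
  }

  return $this->createResult($result, $findings);
}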