class PrivateFiles in Security Review 8
Checks whether the private files' directory is under the web root.
Hierarchy
- class \Drupal\security_review\Check uses DependencySerializationTrait, StringTranslationTrait
- class \Drupal\security_review\Checks\PrivateFiles
Expanded class hierarchy of PrivateFiles
1 file declares its use of PrivateFiles
- security_review.module in ./
security_review.module - Site security review and reporting Drupal module.
File
- src/
Checks/ PrivateFiles.php, line 13
Namespace
Drupal\security_review\ChecksView source
class PrivateFiles extends Check {
/**
* {@inheritdoc}
*/
public function getNamespace() {
return 'Security Review';
}
/**
* {@inheritdoc}
*/
public function getTitle() {
return 'Private files';
}
/**
* {@inheritdoc}
*/
public function run() {
$file_directory_path = PrivateStream::basePath();
$visible = TRUE;
if (empty($file_directory_path)) {
// Private files feature is not enabled.
$result = CheckResult::SUCCESS;
$visible = FALSE;
}
elseif (strpos(realpath($file_directory_path), DRUPAL_ROOT) === 0) {
// Path begins at root.
$result = CheckResult::FAIL;
}
else {
// The private files directory is placed correctly.
$result = CheckResult::SUCCESS;
}
return $this
->createResult($result, [
'path' => $file_directory_path,
], $visible);
}
/**
* {@inheritdoc}
*/
public function help() {
$paragraphs = [];
$paragraphs[] = $this
->t("If you have Drupal's private files feature enabled you should move the files directory outside of the web server's document root. Drupal will secure access to files that it renders the link to, but if a user knows the actual system path they can circumvent Drupal's private files feature. You can protect against this by specifying a files directory outside of the webserver root.");
return [
'#theme' => 'check_help',
'#title' => $this
->t('Private files'),
'#paragraphs' => $paragraphs,
];
}
/**
* {@inheritdoc}
*/
public function evaluate(CheckResult $result) {
if ($result
->result() != CheckResult::FAIL) {
return [];
}
$paragraphs = [];
$paragraphs[] = $this
->t('Your files directory is not outside of the server root.');
$paragraphs[] = Link::createFromRoute($this
->t('Edit the files directory path.'), 'system.file_system_settings');
return [
'#theme' => 'check_evaluation',
'#paragraphs' => $paragraphs,
'#items' => [],
];
}
/**
* {@inheritdoc}
*/
public function evaluatePlain(CheckResult $result) {
if ($result
->result() != CheckResult::FAIL) {
return '';
}
return $this
->t('Private files directory: @path', [
'@path' => $result
->findings()['path'],
]);
}
/**
* {@inheritdoc}
*/
public function getMessage($result_const) {
switch ($result_const) {
case CheckResult::SUCCESS:
return $this
->t('Private files directory is outside the web server root.');
case CheckResult::FAIL:
return $this
->t('Private files is enabled but the specified directory is not secure outside the web server root.');
default:
return $this
->t('Unexpected result.');
}
}
}Members
Name |
Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
|
Check:: |
protected | property | The configuration storage for this check. | |
|
Check:: |
protected | property | The service container. | |
|
Check:: |
protected | property | Settings handler for this check. | |
|
Check:: |
protected | property | The State system. | |
|
Check:: |
protected | property | The check's prefix in the State system. | |
|
Check:: |
protected | function | Returns the Security Review Checklist service. | |
|
Check:: |
protected | function | Returns the Config factory. | |
|
Check:: |
protected | function | Returns the service container. | |
|
Check:: |
public | function | Creates a new CheckResult for this Check. | |
|
Check:: |
protected | function | Returns the current Drupal user. | |
|
Check:: |
protected | function | Returns the database connection. | |
|
Check:: |
public | function | Enables the check. Has no effect if the check was not skipped. | |
|
Check:: |
protected | function | Returns the entity type manager. | |
|
Check:: |
public | function | Returns the namespace of the check. | |
|
Check:: |
public | function | Returns the machine name of the check. | 5 |
|
Check:: |
final public | function | Returns the identifier constructed using the namespace and title values. | |
|
Check:: |
public | function | Returns whether the check is skipped. Checks are not skipped by default. | |
|
Check:: |
protected | function | Returns the Drupal Kernel. | |
|
Check:: |
public | function | Returns the last stored result of the check. | |
|
Check:: |
public | function | Returns the timestamp the check was last run. | |
|
Check:: |
protected | function | Returns the module handler. | |
|
Check:: |
public | function | Same as run(), but used in CLI context such as Drush. | 2 |
|
Check:: |
protected | function | Returns the Security Review Security service. | |
|
Check:: |
protected | function | Returns the Security Review service. | |
|
Check:: |
public | function | Returns the check-specific settings' handler. | |
|
Check:: |
public | function | Marks the check as skipped. | |
|
Check:: |
public | function | Returns the user the check was skipped by. | |
|
Check:: |
public | function | Returns the timestamp the check was last skipped on. | |
|
Check:: |
public | function | Stores a result in the state system. | |
|
Check:: |
public | function | Returns whether the findings should be stored or reproduced when needed. | 2 |
|
Check:: |
public | function | Initializes the configuration storage and the settings handler. | 2 |
|
DependencySerializationTrait:: |
protected | property | An array of entity type IDs keyed by the property name of their storages. | |
|
DependencySerializationTrait:: |
protected | property | An array of service IDs keyed by property name used for serialization. | |
|
DependencySerializationTrait:: |
public | function | 1 | |
|
DependencySerializationTrait:: |
public | function | 2 | |
|
PrivateFiles:: |
public | function |
Returns the evaluation page of a result. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
Evaluates a CheckResult and returns a plaintext output. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
Converts a result integer to a human-readable result message. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
Returns the namespace of the check. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
Returns the human-readable title of the check. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
Returns the check-specific help page. Overrides Check:: |
|
|
PrivateFiles:: |
public | function |
The actual procedure of carrying out the check. Overrides Check:: |
|
|
StringTranslationTrait:: |
protected | property | The string translation service. | 1 |
|
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
|
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
|
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
|
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
|
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. |