public function MTimeProtectedFileStorageBase::testSecurity in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php \Drupal\Tests\Component\PhpStorage\MTimeProtectedFileStorageBase::testSecurity()

Tests the security of the MTimeProtectedFileStorage implementation.

We test two attacks: the first changes the file mtime, the second changes the directory mtime too.

The mtime test needs a delay of over 1 second.

@medium

File

core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php, line 73
Contains \Drupal\Tests\Component\PhpStorage\MTimeProtectedFileStorageBase.

Class

MTimeProtectedFileStorageBase
Base test class for MTime protected storage.

Namespace

Drupal\Tests\Component\PhpStorage

Code

public function testSecurity() {
  $php = new $this->storageClass($this->settings);
  $name = 'simpletest.php';
  $php->save($name, '<?php');
  $expected_root_directory = $this->directory . '/test';
  if (substr($name, -4) === '.php') {
    $expected_directory = $expected_root_directory . '/' . substr($name, 0, -4);
  }
  else {
    $expected_directory = $expected_root_directory . '/' . $name;
  }
  $directory_mtime = filemtime($expected_directory);
  $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';

  // Ensure the file exists and that it and the containing directory have
  // minimal permissions. fileperms() can return high bits unrelated to
  // permissions, so mask with 0777.
  $this->assertTrue(file_exists($expected_filename));
  $this->assertSame(fileperms($expected_filename) & 0777, 0444);
  $this->assertSame(fileperms($expected_directory) & 0777, 0777);

  // Ensure the root directory for the bin has a .htaccess file denying web
  // access.
  $this->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), call_user_func(array($this->storageClass, 'htaccessLines')));

  // Ensure that if the file is replaced with an untrusted one (due to another
  // script's file upload vulnerability), it does not get loaded. Since mtime
  // granularity is 1 second, we cannot prevent an attack that happens within
  // a second of the initial save().
  sleep(1);
  for ($i = 0; $i < 2; $i++) {
    $php = new $this->storageClass($this->settings);
    $GLOBALS['hacked'] = FALSE;
    $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
    chmod($expected_directory, 0700);
    chmod($expected_filename, 0700);
    if ($i) {
      // Now try to write the file in such a way that the directory mtime
      // changes and invalidates the hash.
      file_put_contents($expected_filename . '.tmp', $untrusted_code);
      rename($expected_filename . '.tmp', $expected_filename);
    }
    else {
      // On the first try do not change the directory mtime but the filemtime
      // is now larger than the directory mtime.
      file_put_contents($expected_filename, $untrusted_code);
    }
    chmod($expected_filename, 0400);
    chmod($expected_directory, 0100);
    $this->assertSame(file_get_contents($expected_filename), $untrusted_code);
    $this->assertSame($php->exists($name), $this->expected[$i]);
    $this->assertSame($php->load($name), $this->expected[$i]);
    $this->assertSame($GLOBALS['hacked'], $this->expected[$i]);
  }
  unset($GLOBALS['hacked']);
}
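
The naming scheme this test exercises, as an added stand-alone sketch (not Drupal's implementation and not code from this page): the file name is an HMAC keyed with the secret plus the directory mtime, and a file is accepted only if its own mtime does not exceed the directory's. The function names, the demo secret and the temp directory are assumptions, and the file-mtime comparison is inferred from the comment in the first attack branch of the test.

```php
<?php
// Added sketch, not Drupal's code. All names and values below are assumptions.

// File name = HMAC-SHA256 of the logical name, keyed with secret . directory mtime.
function protected_path(string $dir, string $name, string $secret, int $mtime): string {
  return $dir . '/' . hash_hmac('sha256', $name, $secret . $mtime) . '.php';
}

// Write via a temp file and rename, then pin file and directory mtime to the
// value baked into the name (the rename itself would otherwise bump the directory).
function save_protected(string $dir, string $name, string $secret, string $code): string {
  $mtime = time();
  $path = protected_path($dir, $name, $secret, $mtime);
  $tmp = $dir . '/.' . bin2hex(random_bytes(8));
  file_put_contents($tmp, $code);
  rename($tmp, $path);
  touch($path, $mtime);
  touch($dir, $mtime);
  return $path;
}

// Accept only a file whose name matches the current directory mtime and whose
// own mtime is not newer than the directory's.
function is_trusted(string $dir, string $name, string $secret): bool {
  clearstatcache();  // PHP caches stat() results; always read fresh mtimes.
  $dir_mtime = filemtime($dir);
  $path = protected_path($dir, $name, $secret, $dir_mtime);
  return is_file($path) && filemtime($path) <= $dir_mtime;
}

$secret = 'constructed-demo-secret';  // Constructed value for the demo.
$dir = sys_get_temp_dir() . '/mtime_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$name = 'simpletest.php';

$path = save_protected($dir, $name, $secret, "<?php return 'trusted';");
printf("after save:          %s\n", var_export(is_trusted($dir, $name, $secret), TRUE));

sleep(1);  // mtime granularity is 1 second, as in the test.
file_put_contents($path, '<?php $GLOBALS["hacked"] = TRUE;');  // In-place overwrite.
printf("in-place overwrite:  %s\n", var_export(is_trusted($dir, $name, $secret), TRUE));

file_put_contents($path . '.tmp', '<?php $GLOBALS["hacked"] = TRUE;');
rename($path . '.tmp', $path);  // Replace via rename: directory mtime changes.
printf("replace via rename:  %s\n", var_export(is_trusted($dir, $name, $secret), TRUE));

array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

Run it with the PHP CLI. The in-place overwrite is caught by the file-mtime comparison, while the rename is caught because the new directory mtime yields a different HMAC file name.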