public function MTimeProtectedFileStorageBase::testSecurity in Zircon Profile 8.0
Same name and namespace in other branches
- 8 core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php \Drupal\Tests\Component\PhpStorage\MTimeProtectedFileStorageBase::testSecurity()
Tests the security of the MTimeProtectedFileStorage implementation.
We test two attacks: first changes the file mtime, then the directory mtime too.
We need to delay over 1 second for mtime test. @medium
File
- core/
tests/ Drupal/ Tests/ Component/ PhpStorage/ MTimeProtectedFileStorageBase.php, line 73 - Contains \Drupal\Tests\Component\PhpStorage\MTimeProtectedFileStorageBase.
Class
- MTimeProtectedFileStorageBase
- Base test class for MTime protected storage.
Namespace
Drupal\Tests\Component\PhpStorageCode
public function testSecurity() {
$php = new $this->storageClass($this->settings);
$name = 'simpletest.php';
$php
->save($name, '<?php');
$expected_root_directory = $this->directory . '/test';
if (substr($name, -4) === '.php') {
$expected_directory = $expected_root_directory . '/' . substr($name, 0, -4);
}
else {
$expected_directory = $expected_root_directory . '/' . $name;
}
$directory_mtime = filemtime($expected_directory);
$expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
// Ensure the file exists and that it and the containing directory have
// minimal permissions. fileperms() can return high bits unrelated to
// permissions, so mask with 0777.
$this
->assertTrue(file_exists($expected_filename));
$this
->assertSame(fileperms($expected_filename) & 0777, 0444);
$this
->assertSame(fileperms($expected_directory) & 0777, 0777);
// Ensure the root directory for the bin has a .htaccess file denying web
// access.
$this
->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), call_user_func(array(
$this->storageClass,
'htaccessLines',
)));
// Ensure that if the file is replaced with an untrusted one (due to another
// script's file upload vulnerability), it does not get loaded. Since mtime
// granularity is 1 second, we cannot prevent an attack that happens within
// a second of the initial save().
sleep(1);
for ($i = 0; $i < 2; $i++) {
$php = new $this->storageClass($this->settings);
$GLOBALS['hacked'] = FALSE;
$untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
chmod($expected_directory, 0700);
chmod($expected_filename, 0700);
if ($i) {
// Now try to write the file in such a way that the directory mtime
// changes and invalidates the hash.
file_put_contents($expected_filename . '.tmp', $untrusted_code);
rename($expected_filename . '.tmp', $expected_filename);
}
else {
// On the first try do not change the directory mtime but the filemtime
// is now larger than the directory mtime.
file_put_contents($expected_filename, $untrusted_code);
}
chmod($expected_filename, 0400);
chmod($expected_directory, 0100);
$this
->assertSame(file_get_contents($expected_filename), $untrusted_code);
$this
->assertSame($php
->exists($name), $this->expected[$i]);
$this
->assertSame($php
->load($name), $this->expected[$i]);
$this
->assertSame($GLOBALS['hacked'], $this->expected[$i]);
}
unset($GLOBALS['hacked']);
}