Implemented insecure file check in File Inspector

Bugs fixed: * Security failure status is now prioritized in file_inspector::getStatusForValidationCode() * File Inspector list view now supports filters
2025-07-31 03:40:37 +02:00 · 2020-03-27 17:04:14 -05:00
parent aca78c086b
commit 03dfb5cce3
3 changed files with 64 additions and 32 deletions
--- a/e107_admin/admin.php
+++ b/e107_admin/admin.php
@@ -127,32 +127,8 @@ class admin_start
 		}

 		// Files that can cause comflicts and problems.
-		$this->deprecated = array(
-			e_ADMIN."ad_links.php",
-			e_PLUGIN."tinymce4/e_meta.php",
-			e_THEME."bootstrap3/css/bootstrap_dark.css",
-			e_PLUGIN."search_menu/languages/English.php",
-			e_LANGUAGEDIR.e_LANGUAGE."/lan_parser_functions.php",
-			e_LANGUAGEDIR.e_LANGUAGE."/admin/help/theme.php",
-			e_HANDLER."np_class.php",
-			e_CORE."shortcodes/single/user_extended.sc",
-			e_ADMIN."download.php",
-			e_PLUGIN."banner/config.php",
-			e_PLUGIN."forum/newforumposts_menu_config.php",
-			e_PLUGIN."forum/e_latest.php",
-			e_PLUGIN."forum/e_status.php",
-			e_PLUGIN."forum/forum_post_shortcodes.php",
-			e_PLUGIN."forum/forum_shortcodes.php",
-			e_PLUGIN."forum/forum_update_check.php",
-			e_PLUGIN."online_extended_menu/online_extended_menu.php",
-			e_PLUGIN."online_extended_menu/images/user.png",
-			e_PLUGIN."online_extended_menu/languages/English.php",
-			e_PLUGIN."pm/sendpm.sc",
-			e_PLUGIN."pm/shortcodes/",
-			e_PLUGIN."social/e_header.php",
-		//	e_PLUGIN."download/url/url.php", // removed by download_setup.php
-		//	e_PLUGIN."download/url/sef_url.php",
-		);
+        $fileInspector = e107::getFileInspector();
+		$this->deprecated = $fileInspector->insecureFiles;

 		$this->checkCoreVersion();

--- a/e107_admin/fileinspector.php
+++ b/e107_admin/fileinspector.php
@@ -685,14 +685,14 @@ class file_inspector {
    {
        if ($validationCode & e_file_inspector::VALIDATED)
            return 'check';
+        if (!($validationCode & e_file_inspector::VALIDATED_FILE_EXISTS))
+            return 'missing';
+        if (!($validationCode & e_file_inspector::VALIDATED_FILE_SECURITY))
+            return 'warning';
        if (!($validationCode & e_file_inspector::VALIDATED_PATH_KNOWN))
            return 'unknown';
        if (!($validationCode & e_file_inspector::VALIDATED_PATH_VERSION))
            return 'old';
-        if (!($validationCode & e_file_inspector::VALIDATED_FILE_SECURITY))
-            return 'warning';
-        if (!($validationCode & e_file_inspector::VALIDATED_FILE_EXISTS))
-            return 'missing';
        if (!($validationCode & e_file_inspector::VALIDATED_HASH_CALCULABLE))
            return 'uncalc';
        if (!($validationCode & e_file_inspector::VALIDATED_HASH_CURRENT))
@@ -1004,6 +1004,8 @@ class file_inspector {
            ksort($this->files);
            foreach ($this->files as $relativePath => $validation)
            {
+                if (!$this->displayAllowed($validation)) continue;
+
                list($icon, $title) = $this->getGlyphForValidationCode($validation);
                $text .= '<tr><td class="f" title="'.$title.'">';
                $text .= "$icon ";
--- a/e107_handlers/e_file_inspector.php
+++ b/e107_handlers/e_file_inspector.php
@@ -24,6 +24,35 @@ abstract class e_file_inspector implements e_file_inspector_interface
    protected $customDirsCache;
    private $undeterminable = array();

+    // FIXME: Better place for the insecure file list
+    public $insecureFiles = [
+        e_ADMIN . "ad_links.php",
+        e_PLUGIN . "tinymce4/e_meta.php",
+        e_THEME . "bootstrap3/css/bootstrap_dark.css",
+        e_PLUGIN . "search_menu/languages/English.php",
+        e_LANGUAGEDIR . e_LANGUAGE . "/lan_parser_functions.php",
+        e_LANGUAGEDIR . e_LANGUAGE . "/admin/help/theme.php",
+        e_HANDLER . "np_class.php",
+        e_CORE . "shortcodes/single/user_extended.sc",
+        e_ADMIN . "download.php",
+        e_PLUGIN . "banner/config.php",
+        e_PLUGIN . "forum/newforumposts_menu_config.php",
+        e_PLUGIN . "forum/e_latest.php",
+        e_PLUGIN . "forum/e_status.php",
+        e_PLUGIN . "forum/forum_post_shortcodes.php",
+        e_PLUGIN . "forum/forum_shortcodes.php",
+        e_PLUGIN . "forum/forum_update_check.php",
+        e_PLUGIN . "online_extended_menu/online_extended_menu.php",
+        e_PLUGIN . "online_extended_menu/images/user.png",
+        e_PLUGIN . "online_extended_menu/languages/English.php",
+        e_PLUGIN . "pm/sendpm.sc",
+        e_PLUGIN . "pm/shortcodes/",
+        e_PLUGIN . "social/e_header.php",
+    ];
+
+    private $existingInsecureFiles = array();
+    private $existingInsecureDirectories = array();
+
    /**
     * e_file_inspector constructor
     * @param string $database The database from which integrity data may be read or to which integrity data may be
@@ -43,6 +72,16 @@ abstract class e_file_inspector implements e_file_inspector_interface
                $appRoot . e107::getFolder('admin') . "core_image.php",
            ]
        );
+        $this->existingInsecureFiles = array_filter($this->insecureFiles, function ($path)
+        {
+            return is_file($path);
+        });
+        $this->existingInsecureFiles = array_map('realpath', $this->existingInsecureFiles);
+        $this->existingInsecureDirectories = array_filter($this->insecureFiles, function ($path)
+        {
+            return is_dir($path);
+        });
+        $this->existingInsecureDirectories = array_map('realpath', $this->existingInsecureDirectories);
    }

    /**
@@ -68,7 +107,7 @@ abstract class e_file_inspector implements e_file_inspector_interface
        if ($version === null) $version = $this->getCurrentVersion();

        $bits = 0x0;
-        $absolutePath = realpath(e_BASE . $path);
+        $absolutePath = $this->relativePathToAbsolutePath($path);
        $dbChecksums = $this->getChecksums($path);
        $dbChecksum = $this->getChecksum($path, $version);
        $actualChecksum = !empty($dbChecksums) ? $this->checksumPath($absolutePath) : null;
@@ -174,7 +213,13 @@ abstract class e_file_inspector implements e_file_inspector_interface
     */
    public function isInsecure($path)
    {
-        # TODO
+        $absolutePath = $this->relativePathToAbsolutePath($path);
+        if (in_array($absolutePath, $this->existingInsecureFiles)) return true;
+        foreach ($this->existingInsecureDirectories as $existingInsecureDirectory)
+        {
+            $existingInsecureDirectory .= '/';
+            if (substr($absolutePath, 0, strlen($existingInsecureDirectory)) === $existingInsecureDirectory) return true;
+        }
        return false;
    }

@@ -244,4 +289,13 @@ abstract class e_file_inspector implements e_file_inspector_interface
        $customDirs = e107::getInstance()->e107_dirs ? e107::getInstance()->e107_dirs : [];
        $this->customDirsCache = array_diff_assoc($customDirs, $this->defaultDirsCache);
    }
+
+    /**
+     * @param $path
+     * @return false|string
+     */
+    private function relativePathToAbsolutePath($path)
+    {
+        return realpath(e_BASE . $path);
+    }
 }