mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-02 12:48:26 +02:00
Code Issues Releases Wiki Activity

Implemented insecure file check in File Inspector

Browse Source 
Bugs fixed:

* Security failure status is now prioritized in
  file_inspector::getStatusForValidationCode()
* File Inspector list view now supports filters
This commit is contained in:
Nick Liu
2020-03-27 17:04:14 -05:00
parent aca78c086b
commit 03dfb5cce3
3 changed files with 64 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
e107_admin/admin.php
View File

@@ -127,32 +127,8 @@ class admin_start
} }
// Files that can cause comflicts and problems. // Files that can cause comflicts and problems.
$this->deprecated = array( $fileInspector = e107::getFileInspector();
e_ADMIN."ad_links.php", $this->deprecated = $fileInspector->insecureFiles;
e_PLUGIN."tinymce4/e_meta.php",
e_THEME."bootstrap3/css/bootstrap_dark.css",
e_PLUGIN."search_menu/languages/English.php",
e_LANGUAGEDIR.e_LANGUAGE."/lan_parser_functions.php",
e_LANGUAGEDIR.e_LANGUAGE."/admin/help/theme.php",
e_HANDLER."np_class.php",
e_CORE."shortcodes/single/user_extended.sc",
e_ADMIN."download.php",
e_PLUGIN."banner/config.php",
e_PLUGIN."forum/newforumposts_menu_config.php",
e_PLUGIN."forum/e_latest.php",
e_PLUGIN."forum/e_status.php",
e_PLUGIN."forum/forum_post_shortcodes.php",
e_PLUGIN."forum/forum_shortcodes.php",
e_PLUGIN."forum/forum_update_check.php",
e_PLUGIN."online_extended_menu/online_extended_menu.php",
e_PLUGIN."online_extended_menu/images/user.png",
e_PLUGIN."online_extended_menu/languages/English.php",
e_PLUGIN."pm/sendpm.sc",
e_PLUGIN."pm/shortcodes/",
e_PLUGIN."social/e_header.php",
// e_PLUGIN."download/url/url.php", // removed by download_setup.php
// e_PLUGIN."download/url/sef_url.php",
);
$this->checkCoreVersion(); $this->checkCoreVersion();

10
e107_admin/fileinspector.php
View File

@@ -685,14 +685,14 @@ class file_inspector {
{ {
if ($validationCode & e_file_inspector::VALIDATED) if ($validationCode & e_file_inspector::VALIDATED)
return 'check'; return 'check';
if (!($validationCode & e_file_inspector::VALIDATED_FILE_EXISTS))
return 'missing';
if (!($validationCode & e_file_inspector::VALIDATED_FILE_SECURITY))
return 'warning';
if (!($validationCode & e_file_inspector::VALIDATED_PATH_KNOWN)) if (!($validationCode & e_file_inspector::VALIDATED_PATH_KNOWN))
return 'unknown'; return 'unknown';
if (!($validationCode & e_file_inspector::VALIDATED_PATH_VERSION)) if (!($validationCode & e_file_inspector::VALIDATED_PATH_VERSION))
return 'old'; return 'old';
if (!($validationCode & e_file_inspector::VALIDATED_FILE_SECURITY))
return 'warning';
if (!($validationCode & e_file_inspector::VALIDATED_FILE_EXISTS))
return 'missing';
if (!($validationCode & e_file_inspector::VALIDATED_HASH_CALCULABLE)) if (!($validationCode & e_file_inspector::VALIDATED_HASH_CALCULABLE))
return 'uncalc'; return 'uncalc';
if (!($validationCode & e_file_inspector::VALIDATED_HASH_CURRENT)) if (!($validationCode & e_file_inspector::VALIDATED_HASH_CURRENT))
@@ -1004,6 +1004,8 @@ class file_inspector {
ksort($this->files); ksort($this->files);
foreach ($this->files as $relativePath => $validation) foreach ($this->files as $relativePath => $validation)
{ {
if (!$this->displayAllowed($validation)) continue;
list($icon, $title) = $this->getGlyphForValidationCode($validation); list($icon, $title) = $this->getGlyphForValidationCode($validation);
$text .= '<tr><td class="f" title="'.$title.'">'; $text .= '<tr><td class="f" title="'.$title.'">';
$text .= "$icon "; $text .= "$icon ";

58
e107_handlers/e_file_inspector.php
View File

@@ -24,6 +24,35 @@ abstract class e_file_inspector implements e_file_inspector_interface
protected $customDirsCache; protected $customDirsCache;
private $undeterminable = array(); private $undeterminable = array();
// FIXME: Better place for the insecure file list
public $insecureFiles = [
e_ADMIN . "ad_links.php",
e_PLUGIN . "tinymce4/e_meta.php",
e_THEME . "bootstrap3/css/bootstrap_dark.css",
e_PLUGIN . "search_menu/languages/English.php",
e_LANGUAGEDIR . e_LANGUAGE . "/lan_parser_functions.php",
e_LANGUAGEDIR . e_LANGUAGE . "/admin/help/theme.php",
e_HANDLER . "np_class.php",
e_CORE . "shortcodes/single/user_extended.sc",
e_ADMIN . "download.php",
e_PLUGIN . "banner/config.php",
e_PLUGIN . "forum/newforumposts_menu_config.php",
e_PLUGIN . "forum/e_latest.php",
e_PLUGIN . "forum/e_status.php",
e_PLUGIN . "forum/forum_post_shortcodes.php",
e_PLUGIN . "forum/forum_shortcodes.php",
e_PLUGIN . "forum/forum_update_check.php",
e_PLUGIN . "online_extended_menu/online_extended_menu.php",
e_PLUGIN . "online_extended_menu/images/user.png",
e_PLUGIN . "online_extended_menu/languages/English.php",
e_PLUGIN . "pm/sendpm.sc",
e_PLUGIN . "pm/shortcodes/",
e_PLUGIN . "social/e_header.php",
];
private $existingInsecureFiles = array();
private $existingInsecureDirectories = array();
/** /**
* e_file_inspector constructor * e_file_inspector constructor
* @param string $database The database from which integrity data may be read or to which integrity data may be * @param string $database The database from which integrity data may be read or to which integrity data may be
@@ -43,6 +72,16 @@ abstract class e_file_inspector implements e_file_inspector_interface
$appRoot . e107::getFolder('admin') . "core_image.php", $appRoot . e107::getFolder('admin') . "core_image.php",
] ]
); );
$this->existingInsecureFiles = array_filter($this->insecureFiles, function ($path)
{
return is_file($path);
});
$this->existingInsecureFiles = array_map('realpath', $this->existingInsecureFiles);
$this->existingInsecureDirectories = array_filter($this->insecureFiles, function ($path)
{
return is_dir($path);
});
$this->existingInsecureDirectories = array_map('realpath', $this->existingInsecureDirectories);
} }
/** /**
@@ -68,7 +107,7 @@ abstract class e_file_inspector implements e_file_inspector_interface
if ($version === null) $version = $this->getCurrentVersion(); if ($version === null) $version = $this->getCurrentVersion();
$bits = 0x0; $bits = 0x0;
$absolutePath = realpath(e_BASE . $path); $absolutePath = $this->relativePathToAbsolutePath($path);
$dbChecksums = $this->getChecksums($path); $dbChecksums = $this->getChecksums($path);
$dbChecksum = $this->getChecksum($path, $version); $dbChecksum = $this->getChecksum($path, $version);
$actualChecksum = !empty($dbChecksums) ? $this->checksumPath($absolutePath) : null; $actualChecksum = !empty($dbChecksums) ? $this->checksumPath($absolutePath) : null;
@@ -174,7 +213,13 @@ abstract class e_file_inspector implements e_file_inspector_interface
*/ */
public function isInsecure($path) public function isInsecure($path)
{ {
# TODO $absolutePath = $this->relativePathToAbsolutePath($path);
if (in_array($absolutePath, $this->existingInsecureFiles)) return true;
foreach ($this->existingInsecureDirectories as $existingInsecureDirectory)
{
$existingInsecureDirectory .= '/';
if (substr($absolutePath, 0, strlen($existingInsecureDirectory)) === $existingInsecureDirectory) return true;
}
return false; return false;
} }
@@ -244,4 +289,13 @@ abstract class e_file_inspector implements e_file_inspector_interface
$customDirs = e107::getInstance()->e107_dirs ? e107::getInstance()->e107_dirs : []; $customDirs = e107::getInstance()->e107_dirs ? e107::getInstance()->e107_dirs : [];
$this->customDirsCache = array_diff_assoc($customDirs, $this->defaultDirsCache); $this->customDirsCache = array_diff_assoc($customDirs, $this->defaultDirsCache);
} }
/**
* @param $path
* @return false|string
*/
private function relativePathToAbsolutePath($path)
{
return realpath(e_BASE . $path);
}
} }