Home Explore Help
Sign In
bachir
/
edlp_d8
1
0
Fork 0
Files Issues 8 Pull Requests 0 Wiki
Tree: 5c71ef4c46
Branches Tags
edlp_d8
/
core
/
tests
/
Drupal
/
Tests
/
Component
/
PhpStorage
/
MTimeProtectedFileStorageBase.php

MTimeProtectedFileStorageBase.php 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 
  1. <?php
    2. 

  2. 

  3. namespace Drupal\Tests\Component\PhpStorage;
    4. 

  4. 

  5. use Drupal\Component\Utility\Crypt;
    6. 

  6. use Drupal\Component\Utility\Random;
    7. 

  7. 

  8. /**
    9. 

  9.  * Base test class for MTime protected storage.
    10. 

  10.  */
    11. 

  11. abstract class MTimeProtectedFileStorageBase extends PhpStorageTestBase {
    12. 

  12. 

  13.   /**
    14. 

  14.    * The PHP storage class to test.
    15. 

  15.    *
    16. 

  16.    * This should be overridden by extending classes.
    17. 

  17.    */
    18. 

  18.   protected $storageClass;
    19. 

  19. 

  20.   /**
    21. 

  21.    * The secret string to use for file creation.
    22. 

  22.    *
    23. 

  23.    * @var string
    24. 

  24.    */
    25. 

  25.   protected $secret;
    26. 

  26. 

  27.   /**
    28. 

  28.    * Test settings to pass to storage instances.
    29. 

  29.    *
    30. 

  30.    * @var array
    31. 

  31.    */
    32. 

  32.   protected $settings;
    33. 

  33. 

  34.   /**
    35. 

  35.    * {@inheritdoc}
    36. 

  36.    */
    37. 

  37.   protected function setUp() {
    38. 

  38.     parent::setUp();
    39. 

  39. 

  40.     // Random generator.
    41. 

  41.     $random = new Random();
    42. 

  42. 

  43.     $this->secret = $random->name(8, TRUE);
    44. 

  44. 

  45.     $this->settings = [
    46. 

  46.       'directory' => $this->directory,
    47. 

  47.       'bin' => 'test',
    48. 

  48.       'secret' => $this->secret,
    49. 

  49.     ];
    50. 

  50.   }
    51. 

  51. 

  52.   /**
    53. 

  53.    * Tests basic load/save/delete operations.
    54. 

  54.    *
    55. 

  55.    * @covers ::load
    56. 

  56.    * @covers ::save
    57. 

  57.    * @covers ::delete
    58. 

  58.    * @covers ::exists
    59. 

  59.    */
    60. 

  60.   public function testCRUD() {
    61. 

  61.     $php = new $this->storageClass($this->settings);
    62. 

  62.     $this->assertCRUD($php);
    63. 

  63.   }
    64. 

  64. 

  65.   /**
    66. 

  66.    * Tests the security of the MTimeProtectedFileStorage implementation.
    67. 

  67.    *
    68. 

  68.    * We test two attacks: first changes the file mtime, then the directory
    69. 

  69.    * mtime too.
    70. 

  70.    *
    71. 

  71.    * We need to delay over 1 second for mtime test.
    72. 

  72.    * @medium
    73. 

  73.    */
    74. 

  74.   public function testSecurity() {
    75. 

  75.     $php = new $this->storageClass($this->settings);
    76. 

  76.     $name = 'simpletest.php';
    77. 

  77.     $php->save($name, '<?php');
    78. 

  78.     $expected_root_directory = $this->directory . '/test';
    79. 

  79.     if (substr($name, -4) === '.php') {
    80. 

  80.       $expected_directory = $expected_root_directory . '/' . substr($name, 0, -4);
    81. 

  81.     }
    82. 

  82.     else {
    83. 

  83.       $expected_directory = $expected_root_directory . '/' . $name;
    84. 

  84.     }
    85. 

  85.     $directory_mtime = filemtime($expected_directory);
    86. 

  86.     $expected_filename = $expected_directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
    87. 

  87. 

  88.     // Ensure the file exists and that it and the containing directory have
    89. 

  89.     // minimal permissions. fileperms() can return high bits unrelated to
    90. 

  90.     // permissions, so mask with 0777.
    91. 

  91.     $this->assertTrue(file_exists($expected_filename));
    92. 

  92.     $this->assertSame(0444, fileperms($expected_filename) & 0777);
    93. 

  93.     $this->assertSame(0777, fileperms($expected_directory) & 0777);
    94. 

  94. 

  95.     // Ensure the root directory for the bin has a .htaccess file denying web
    96. 

  96.     // access.
    97. 

  97.     $this->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), call_user_func([$this->storageClass, 'htaccessLines']));
    98. 

  98. 

  99.     // Ensure that if the file is replaced with an untrusted one (due to another
    100. 

  100.     // script's file upload vulnerability), it does not get loaded. Since mtime
    101. 

  101.     // granularity is 1 second, we cannot prevent an attack that happens within
    102. 

  102.     // a second of the initial save().
    103. 

  103.     sleep(1);
    104. 

  104.     for ($i = 0; $i < 2; $i++) {
    105. 

  105.       $php = new $this->storageClass($this->settings);
    106. 

  106.       $GLOBALS['hacked'] = FALSE;
    107. 

  107.       $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
    108. 

  108.       chmod($expected_directory, 0700);
    109. 

  109.       chmod($expected_filename, 0700);
    110. 

  110.       if ($i) {
    111. 

  111.         // Now try to write the file in such a way that the directory mtime
    112. 

  112.         // changes and invalidates the hash.
    113. 

  113.         file_put_contents($expected_filename . '.tmp', $untrusted_code);
    114. 

  114.         rename($expected_filename . '.tmp', $expected_filename);
    115. 

  115.       }
    116. 

  116.       else {
    117. 

  117.         // On the first try do not change the directory mtime but the filemtime
    118. 

  118.         // is now larger than the directory mtime.
    119. 

  119.         file_put_contents($expected_filename, $untrusted_code);
    120. 

  120.       }
    121. 

  121.       chmod($expected_filename, 0400);
    122. 

  122.       chmod($expected_directory, 0100);
    123. 

  123.       $this->assertSame(file_get_contents($expected_filename), $untrusted_code);
    124. 

  124.       $this->assertSame($this->expected[$i], $php->exists($name));
    125. 

  125.       $this->assertSame($this->expected[$i], $php->load($name));
    126. 

  126.       $this->assertSame($this->expected[$i], $GLOBALS['hacked']);
    127. 

  127.     }
    128. 

  128.     unset($GLOBALS['hacked']);
    129. 

  129.   }
    130. 

  130. 

  131. }
    132.