
  1. <?php
  2. /**
  3. * Test class for session save_path
  4. *
  5. * @package PhpSecInfo
  6. * @author Thomas CORBIERE <thomas@votre-grandeur-celeste.com>
  7. */
  8.  
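  /**
   * require the PhpSecInfo_Test_Session base class this test extends
   * (the previous comment named PhpSecInfo_Test_Core, which is not what is loaded here)
   */
  require_once('PhpSecInfo/Test/Test_Session.php');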
  13.  
  14. /**
  15. * Test class for session save_path
  16. *
  17. * @package PhpSecInfo
  18. */
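  class PhpSecInfo_Test_Session_Save_Path extends PhpSecInfo_Test_Session
  {

      /**
       * This should be a <b>unique</b>, human-readable identifier for this test
       *
       * @var string
       */
      var $test_name = "save_path";

      /**
       * Human-readable description of the setting this test considers safe
       *
       * @var string
       */
      var $recommended_value = "A non-world readable/writable directory";

      /**
       * Read session.save_path into $this->current_value.
       *
       * An empty directive is replaced by the system temporary directory:
       * the native sys_get_temp_dir() when this PHP build provides it,
       * otherwise the sys_get_temp_dir() method available on $this (defined
       * elsewhere in the test hierarchy -- not visible from this file).
       */
      function _retrieveCurrentValue() {
          $this->current_value = ini_get('session.save_path');

          if (empty($this->current_value)) {
              $this->current_value = function_exists("sys_get_temp_dir")
                  ? sys_get_temp_dir()
                  : $this->sys_get_temp_dir();
          }
      }

      /**
       * Extract the directory part of a session.save_path value.
       *
       * save_path may carry a depth prefix ("N;/path") or a depth and mode
       * prefix ("N;MODE;/path"); the directory is always the last
       * ';'-separated field. Plain paths are returned unchanged.
       *
       * @param string $save_path raw session.save_path value
       * @return string directory part, '' when $save_path is empty
       */
      function _savePathDirectory($save_path) {
          $save_path = (string) $save_path;
          $sep = strrpos($save_path, ';');
          return ($sep === false) ? $save_path : substr($save_path, $sep + 1);
      }

      /**
       * Is $path the shared temp directory (PHPSECINFO_TEST_COMMON_TMPDIR)
       * or a directory inside it?
       *
       * Compared component-wise on the path, so e.g. "/tmp2" or
       * "/home/tmpuser/sess" do not count as "/tmp"; an unanchored,
       * unquoted substring match would report those as the common tmpdir.
       *
       * @param string $path directory to check
       * @return boolean
       */
      function _isCommonTmpDir($path) {
          $common = rtrim(PHPSECINFO_TEST_COMMON_TMPDIR, '/');
          $path   = rtrim($path, '/');
          return $path === $common || strpos($path, $common . '/') === 0;
      }

      /**
       * We are disabling this function on Windows OSes right now until
       * we can be certain of the proper way to check world-readability
       *
       * @return boolean TRUE when the test can run on this platform
       */
      function isTestable() {
          return !$this->osIsWindows();
      }

      /**
       * Check that the session directory is not the shared temp directory
       * and is neither world-readable nor world-writable.
       *
       * A world-readable directory lets other local users read the session
       * files; the shared temp directory is excluded outright because every
       * user can write there. The permission bits are unix-specific, which is
       * why isTestable() switches the test off on Windows.
       *
       * @see PHPSECINFO_TEST_COMMON_TMPDIR
       * @return integer one of the PHPSECINFO_TEST_RESULT_* constants
       */
      function _execTest() {
          $dir = $this->_savePathDirectory($this->current_value);

          // fileperms() returns FALSE (with a warning) for a path that does not
          // exist. Masking FALSE with 0x0004 gives 0, which reads as "not
          // world-readable" and would pass a missing directory as OK, so FALSE
          // is kept distinct and treated as a failed check. A save_path that is
          // not a local directory (presumably a URL for a custom save handler)
          // lands here too and has to be reviewed by hand.
          $perms = ($dir !== '' && file_exists($dir)) ? fileperms($dir) : false;

          if ($perms !== false
              && !$this->_isCommonTmpDir($dir)
              && !($perms & 0x0004)    // others-read bit (o+r)
              && !($perms & 0x0002)) { // others-write bit (o+w)
              return PHPSECINFO_TEST_RESULT_OK;
          }

          // rewrite current_value to display perms: the last four octal digits
          // of the mode (e.g. "1777"), or a marker when they could not be read
          $shown = ($perms === false) ? 'unreadable' : substr(sprintf('%o', $perms), -4);
          $this->current_value .= " (" . $shown . ")";

          return PHPSECINFO_TEST_RESULT_NOTICE;
      }

      /**
       * Set the messages specific to this test
       *
       * Registers the English text shown for each result this test can
       * return, on top of whatever the parent class registers.
       */
      function _setMessages() {
          parent::_setMessages();

          $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
          $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'save_path is enabled, which is the
recommended setting. Make sure your save_path path is not world-readable');
          $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'save_path is disabled, or is set to a
common world-writable directory. This typically allows other users on this server
to access session files. You should set save_path to a non-world-readable directory');
      }

  }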
