
  1. <?php
  2. /**
  3. * Test Class for upload_tmp_dir
  4. *
  5. * @package PhpSecInfo
  6. * @author Ed Finkler <coj@funkatron.com>
  7. */
  8.  
  9. /**
  10. * require the PhpSecInfo_Test_Core class
  11. */
  12. require_once('PhpSecInfo/Test/Test_Core.php');
  13.  
  14. /**
  15. * Test Class for upload_tmp_dir
  16. *
  17. * @package PhpSecInfo
  18. */
  19. class PhpSecInfo_Test_Core_Upload_Tmp_Dir extends PhpSecInfo_Test_Core
  20. {
  21.  
  22. /**
  23. * This should be a <b>unique</b>, human-readable identifier for this test
  24. *
  25. * @var string
  26. */
  27. var $test_name = "upload_tmp_dir";
  28.  
  29. var $recommended_value = "A non-world readable/writable directory";
  30.  
  31. function _retrieveCurrentValue() {
  32. $this->current_value = ini_get('upload_tmp_dir');
  33.  
  34. if( empty($this->current_value) ) {
  35. if (function_exists("sys_get_temp_dir")) {
  36. $this->current_value = sys_get_temp_dir();
  37. } else {
  38. $this->current_value = $this->sys_get_temp_dir();
  39. }
  40. }
  41. }
  42.  
  43. /**
  44. * We are disabling this function on Windows OSes right now until
  45. * we can be certain of the proper way to check world-readability
  46. *
  47. * @return unknown
  48. */
  49. function isTestable() {
  50. if ($this->osIsWindows()) {
  51. return FALSE;
  52. } else {
  53. return TRUE;
  54. }
  55. }
  56.  
  57. /**
  58. * Check if upload_tmp_dir matches PHPSECINFO_TEST_COMMON_TMPDIR, or is word-writable
  59. *
  60. * This is still unix-specific, and it's possible that for now
  61. * this test should be disabled under Windows builds.
  62. *
  63. * @see PHPSECINFO_TEST_COMMON_TMPDIR
  64. */
  65. function _execTest() {
  66.  
  67. $perms = fileperms($this->current_value);
  68.  
  69. if ($this->current_value
  70. && !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value)
  71. && ! ($perms & 0x0004)
  72. && ! ($perms & 0x0002) ) {
  73. return PHPSECINFO_TEST_RESULT_OK;
  74. }
  75.  
  76. // rewrite current_value to display perms
  77. $this->current_value .= " (".substr(sprintf('%o', $perms), -4).")";
  78.  
  79. return PHPSECINFO_TEST_RESULT_NOTICE;
  80. }
  81.  
  82.  
  83. /**
  84. * Set the messages specific to this test
  85. *
  86. */
  87. function _setMessages() {
  88. parent::_setMessages();
  89.  
  90. $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTRUN, 'en', 'Test not run -- currently disabled on Windows OSes');
  91. $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'upload_tmp_dir is enabled, which is the
  92. recommended setting. Make sure your upload_tmp_dir path is not world-readable');
  93. $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', 'upload_tmp_dir is disabled, or is set to a
  94. common world-writable directory. This typically allows other users on this server
  95. to access temporary copies of files uploaded via your PHP scripts. You should set
  96. upload_tmp_dir to a non-world-readable directory');
  97. }
  98.  
  99. }
