<?php

/**
 * @file
 * Contains \Drupal\Tests\Component\PhpStorage\MTimeProtectedFileStorageBase.
 */

namespace Drupal\Tests\Component\PhpStorage;

/**
 * Base test class for MTime protected storage.
 */
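abstract class MTimeProtectedFileStorageBase extends PhpStorageTestBase {

  /**
   * The PHP storage class to test.
   *
   * This should be overridden by extending classes. The value is instantiated
   * with `new` and used as the class part of the htaccessLines() callable, so
   * it is expected to hold a class name.
   */
  protected $storageClass;

  /**
   * The secret string to use for file creation.
   *
   * testSecurity() concatenates this with the directory mtime and uses the
   * result as the hash_hmac() key when it recomputes the stored file name.
   *
   * @var string
   */
  protected $secret;

  /**
   * Test settings to pass to storage instances.
   *
   * Holds the 'directory', 'bin' and 'secret' keys assigned in setUp().
   *
   * @var array
   */
  protected $settings;

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    parent::setUp();
    // One directory per concrete test class; backslashes of the namespaced
    // class name are replaced so the name is a single path segment.
    // NOTE(review): the path is predictable and lives under the system temp
    // directory; confirm the test runner's temp directory is not shared with
    // other local users.
    $this->directory = sys_get_temp_dir() . '/php' . str_replace('\\', '_', get_class($this));

    // A fresh random secret for every test run.
    $this->secret = $this->randomMachineName();

    $this->settings = array(
      'directory' => $this->directory,
      'bin' => 'test',
      'secret' => $this->secret,
    );
  }

  /**
   * Tests basic load/save/delete operations.
   */
  public function testCRUD() {
    $php = new $this->storageClass($this->settings);
    $this->assertCRUD($php);
  }

  /**
   * Tests the security of the MTimeProtectedFileStorage implementation.
   *
   * We test two attacks: first changes the file mtime, then the directory
   * mtime too.
   *
   * For each attack the outcome of exists(), load() and the $GLOBALS['hacked']
   * canary is compared with $this->expected[$i]. That property is not declared
   * in this class; it is read as one boolean per attack and is presumably
   * supplied by the concrete subclass.
   *
   * We need to delay over 1 second for mtime test.
   *
   * @medium
   */
  public function testSecurity() {
    $php = new $this->storageClass($this->settings);
    $name = 'simpletest.php';
    $php->save($name, '<?php');
    $expected_root_directory = $this->directory . '/test';
    // The per-file directory is named after $name with a trailing '.php'
    // removed; any other name is used unchanged.
    if (substr($name, -4) === '.php') {
      $expected_directory = $expected_root_directory . '/' . substr($name, 0, -4);
    }
    else {
      $expected_directory = $expected_root_directory . '/' . $name;
    }
    // The stored file name is an HMAC-SHA256 of $name keyed with the secret
    // plus the directory mtime, so it can only be recomputed by a party that
    // knows the secret.
    $directory_mtime = filemtime($expected_directory);
    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';

    // Ensure the file exists and that it and the containing directory have
    // minimal permissions. fileperms() can return high bits unrelated to
    // permissions, so mask with 0777.
    // assertSame() takes the expected value first, so failure messages report
    // the expected and actual permissions the right way round.
    $this->assertTrue(file_exists($expected_filename));
    $this->assertSame(0444, fileperms($expected_filename) & 0777);
    $this->assertSame(0777, fileperms($expected_directory) & 0777);

    // Ensure the root directory for the bin has a .htaccess file denying web
    // access.
    $this->assertSame(call_user_func(array($this->storageClass, 'htaccessLines')), file_get_contents($expected_root_directory . '/.htaccess'));

    // Ensure that if the file is replaced with an untrusted one (due to another
    // script's file upload vulnerability), it does not get loaded. Since mtime
    // granularity is 1 second, we cannot prevent an attack that happens within
    // a second of the initial save().
    sleep(1);
    for ($i = 0; $i < 2; $i++) {
      // A new storage instance per attack variant.
      $php = new $this->storageClass($this->settings);
      // Canary: the replacement file sets this to TRUE if it is ever executed.
      $GLOBALS['hacked'] = FALSE;
      $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
      // Make the directory and file writable so the replacement can be made.
      chmod($expected_directory, 0700);
      chmod($expected_filename, 0700);
      if ($i) {
        // Now try to write the file in such a way that the directory mtime
        // changes and invalidates the hash.
        file_put_contents($expected_filename . '.tmp', $untrusted_code);
        rename($expected_filename . '.tmp', $expected_filename);
      }
      else {
        // On the first try do not change the directory mtime but the filemtime
        // is now larger than the directory mtime.
        file_put_contents($expected_filename, $untrusted_code);
      }
      // Restrict permissions again before the storage is queried.
      chmod($expected_filename, 0400);
      chmod($expected_directory, 0100);
      // Confirm the replacement really is on disk; otherwise a FALSE result
      // below could come from a failed write instead of the storage rejecting
      // the file.
      $this->assertSame($untrusted_code, file_get_contents($expected_filename));
      $this->assertSame($this->expected[$i], $php->exists($name));
      $this->assertSame($this->expected[$i], $php->load($name));
      $this->assertSame($this->expected[$i], $GLOBALS['hacked']);
    }
  }

}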