Commit b34dc3f7 authored by xjm's avatar xjm

SA-CORE-2020-005 by lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, pwolanin,...

SA-CORE-2020-005 by lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, pwolanin, larowlan, greggles, cashwilliams, Heine, mcdruid, alexpott, Gábor Hojtsy
parent 3999b8f6
......@@ -382,11 +382,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
// Ensure that no information leaks on production sites.
$test_db = new TestDatabase($prefix);
$key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
if (!is_readable($key_file)) {
if (!is_readable($key_file) || is_dir($key_file)) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
exit;
}
$private_key = file_get_contents($key_file);
// The string from drupal_generate_test_ua() is 74 bytes long. If we don't
// have it, tests cannot be allowed.
if (empty($private_key) || strlen($private_key) < 74) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
exit;
}
// The file properties add more entropy not easily accessible to others.
$key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
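Review bot: The new length guard `if (empty($private_key) || strlen($private_key) < 74)` explains where 74 comes from but not why a short key must be rejected; a comment such as `// Reject an empty or truncated key file so the value mixed into $key below is never a near-empty secret.` would make the security rationale explicit (the signature check that presumably consumes `$key` is further down, outside this hunk). `empty()` also treats the string `'0'` as empty and hides a `FALSE` return from `file_get_contents()` behind the same branch; `$private_key === FALSE || strlen($private_key) < 74` states the two intended failure modes (read failure, short key) more precisely. There is still a window between the `is_readable()`/`is_dir()` test and the read, but since the read result is validated anyway that is acceptable here. drupal_valid_test_ua() starts before and continues after this hunk.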