CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
htaccessLines example
$expected_filename = $expected_directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
// Ensure the file exists and that it and the containing directory have // minimal permissions. fileperms() can return high bits unrelated to // permissions, so mask with 0777. $this->assertFileExists($expected_filename);
$this->assertSame(0444, fileperms($expected_filename) & 0777);
$this->assertSame(0777, fileperms($expected_directory) & 0777);
// Ensure the root directory for the bin has a .htaccess file denying web // access. $this->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), FileSecurity::htaccessLines());
// Ensure that if the file is replaced with an untrusted one (due to another // script's file upload vulnerability), it does not get loaded. Since mtime // granularity is 1 second, we cannot prevent an attack that happens within // a second of the initial save(). sleep(1);
for ($i = 0; $i < 2; $i++) {
$php = new $this->storageClass($this->settings);
$GLOBALS['hacked'] = FALSE;
$untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
chmod($expected_directory, 0700);
// Ensure the file exists and that it and the containing directory have // minimal permissions. fileperms() can return high bits unrelated to // permissions, so mask with 0777. $this->assertFileExists($expected_filename);
$this->assertSame(0444, fileperms($expected_filename) & 0777);
$this->assertSame(0777, fileperms($expected_directory) & 0777);
// Ensure the root directory for the bin has a .htaccess file denying web // access. $this->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), FileSecurity::htaccessLines());
// Ensure that if the file is replaced with an untrusted one (due to another // script's file upload vulnerability), it does not get loaded. Since mtime // granularity is 1 second, we cannot prevent an attack that happens within // a second of the initial save(). sleep(1);
for ($i = 0; $i < 2; $i++) {
$php = new $this->storageClass($this->settings);
$GLOBALS['hacked'] = FALSE;
$untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
chmod($expected_directory, 0700);
if (StreamWrapperManager::getScheme($directory)) {
$directory = $this->streamWrapperManager->normalizeUri($directory);
}
else {
$directory = rtrim($directory, '/\\');
}
if (FileSecurity::writeHtaccess($directory, $deny_public_access, $force_overwrite)) {
return TRUE;
}
$this->logger->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <pre><code>@htaccess</code></pre>", ['%directory' => $directory, '@htaccess' => FileSecurity::htaccessLines($deny_public_access)]);
return FALSE;
}
/** * {@inheritdoc} */
public function defaultProtectedDirs() {
$protected_dirs[] = new ProtectedDirectory('Public files directory', 'public://');
if (PrivateStream::basePath()) {
$protected_dirs[] = new ProtectedDirectory('Private files directory', 'private://', TRUE);
}
$directory = $this->streamWrapperManager->normalizeUri($directory);
}
else {
$directory = rtrim($directory, '/\\');
}
if (FileSecurity::writeHtaccess($directory, $deny_public_access, $force_overwrite)) {
return TRUE;
}
$this->logger->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <pre><code>@htaccess</code></pre>", ['%directory' => $directory, '@htaccess' => FileSecurity::htaccessLines($deny_public_access)]);
return FALSE;
}
/** * {@inheritdoc} */
public function defaultProtectedDirs() {
$protected_dirs[] = new ProtectedDirectory('Public files directory', 'public://');
if (PrivateStream::basePath()) {
$protected_dirs[] = new ProtectedDirectory('Private files directory', 'private://', TRUE);
}
public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
}
/** * Returns the standard .htaccess lines that Drupal writes. * * @param bool $deny_public_access * (optional) Set to FALSE to return the .htaccess lines for an open and * public directory that allows Apache to serve files, but not execute code. * The default is TRUE, which returns the .htaccess lines for a private and * protected directory that Apache will deny all access to. * * @return string * The desired contents of the .htaccess file. * * @see file_save_htaccess() */
// Verify that file_save_htaccess() returns FALSE if .htaccess cannot be
// written and writes a correctly formatted message to the error log. Set
// $private to TRUE so all possible .htaccess lines are written.
/** @var \Drupal\Core\File\HtaccessWriterInterface $htaccess */
$htaccess = \Drupal::service('file.htaccess_writer');
$this->assertFalse($htaccess->write($private, TRUE));
$this->drupalLogin($this->rootUser);
$this->drupalGet('admin/reports/dblog');
$this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā¦");
$lines = FileSecurity::htaccessLines(TRUE);
foreach (array_filter(explode("\n", $lines)) as $line) {
$this->assertSession()->assertEscaped($line);
}
}
}
$htaccess = \Drupal::service('file.htaccess_writer');
$this->assertFalse($htaccess->write($private, TRUE));
$this->drupalLogin($this->rootUser);
$this->drupalGet('admin/reports/dblog');
$this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā¦");
$lines = FileSecurity::htaccessLines(TRUE);
foreach (array_filter(explode("\n", $lines)) as $line) {
$this->assertSession()->assertEscaped($line);
}
}
}
$this->container->get('file.htaccess_writer')->ensure();
$this->assertFileExists($default_scheme . '://.htaccess');
// Remove .htaccess file again to test that it is re-created by a cron run. @$file_system->unlink($default_scheme . '://.htaccess');
$this->assertFileDoesNotExist($default_scheme . '://.htaccess');
system_cron();
$this->assertFileExists($default_scheme . '://.htaccess');
// Verify contents of .htaccess file. $file = file_get_contents($default_scheme . '://.htaccess');
$this->assertEquals(FileSecurity::htaccessLines(FALSE), $file, 'The .htaccess file contains the proper content.');
}
/** * Tests the file paths of newly created files. */
public function testFileCreateNewFilepath() {
// First we test against an imaginary file that does not exist in a // directory. $basename = 'xyz.txt';
$directory = 'core/misc';
$original = $directory . '/' . $basename;
$this->assertFileExists($default_scheme . '://.htaccess');
// Remove .htaccess file again to test that it is re-created by a cron run. @$file_system->unlink($default_scheme . '://.htaccess');
$this->assertFileDoesNotExist($default_scheme . '://.htaccess');
system_cron();
$this->assertFileExists($default_scheme . '://.htaccess');
// Verify contents of .htaccess file. $file = file_get_contents($default_scheme . '://.htaccess');
$this->assertEquals(FileSecurity::htaccessLines(FALSE), $file, 'The .htaccess file contains the proper content.');
}
/** * Tests the file paths of newly created files. */
public function testFileCreateNewFilepath() {
// First we test against an imaginary file that does not exist in a // directory. $basename = 'xyz.txt';
$directory = 'core/misc';
$original = $directory . '/' . $basename;
public static function writeHtaccess($directory, $deny_public_access = TRUE, $force = FALSE) {
return self::writeFile($directory, '.htaccess', self::htaccessLines($deny_public_access), $force);
}
/** * Returns the standard .htaccess lines that Drupal writes. * * @param bool $deny_public_access * (optional) Set to FALSE to return the .htaccess lines for an open and * public directory that allows Apache to serve files, but not execute code. * The default is TRUE, which returns the .htaccess lines for a private and * protected directory that Apache will deny all access to. * * @return string * The desired contents of the .htaccess file. * * @see \Drupal\Component\FileSecurity\FileSecurity::writeHtaccess() */