$expected_filename =
$expected_directory . '/' . Crypt::
hmacBase64($name,
$this->secret .
$directory_mtime) . '.php';
// Ensure the file exists and that it and the containing directory have
// minimal permissions. fileperms() can return high bits unrelated to
// permissions, so mask with 0777.
$this->
assertFileExists($expected_filename);
$this->
assertSame(0444,
fileperms($expected_filename) & 0777
);
$this->
assertSame(0777,
fileperms($expected_directory) & 0777
);
// Ensure the root directory for the bin has a .htaccess file denying web
// access.
$this->
assertSame(file_get_contents($expected_root_directory . '/.htaccess'
), FileSecurity::
htaccessLines());
// Ensure that if the file is replaced with an untrusted one (due to another
// script's file upload vulnerability), it does not get loaded. Since mtime
// granularity is 1 second, we cannot prevent an attack that happens within
// a second of the initial save().
sleep(1
);
for ($i = 0;
$i < 2;
$i++
) { $php =
new $this->
storageClass($this->settings
);
$GLOBALS['hacked'
] = FALSE;
$untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
chmod($expected_directory, 0700
);