3 namespace Drupal\Tests\Component\PhpStorage;
5 use Drupal\Component\Utility\Crypt;
6 use Drupal\Component\Utility\Random;
9 * Base test class for MTime protected storage.
11 abstract class MTimeProtectedFileStorageBase extends PhpStorageTestBase {
14 * The PHP storage class to test.
16 * This should be overridden by extending classes.
18 protected $storageClass;
21 * The secret string to use for file creation.
28 * Test settings to pass to storage instances.
37 protected function setUp() {
41 $random = new Random();
43 $this->secret = $random->name(8, TRUE);
46 'directory' => $this->directory,
48 'secret' => $this->secret,
53 * Tests basic load/save/delete operations.
60 public function testCRUD() {
61 $php = new $this->storageClass($this->settings);
62 $this->assertCRUD($php);
66 * Tests the security of the MTimeProtectedFileStorage implementation.
68 * We test two attacks: first changes the file mtime, then the directory
71 * We need to delay over 1 second for mtime test.
74 public function testSecurity() {
75 $php = new $this->storageClass($this->settings);
76 $name = 'simpletest.php';
77 $php->save($name, '<?php');
78 $expected_root_directory = $this->directory . '/test';
79 if (substr($name, -4) === '.php') {
80 $expected_directory = $expected_root_directory . '/' . substr($name, 0, -4);
83 $expected_directory = $expected_root_directory . '/' . $name;
85 $directory_mtime = filemtime($expected_directory);
86 $expected_filename = $expected_directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
88 // Ensure the file exists and that it and the containing directory have
89 // minimal permissions. fileperms() can return high bits unrelated to
90 // permissions, so mask with 0777.
91 $this->assertTrue(file_exists($expected_filename));
92 $this->assertSame(0444, fileperms($expected_filename) & 0777);
93 $this->assertSame(0777, fileperms($expected_directory) & 0777);
95 // Ensure the root directory for the bin has a .htaccess file denying web
97 $this->assertSame(file_get_contents($expected_root_directory . '/.htaccess'), call_user_func([$this->storageClass, 'htaccessLines']));
99 // Ensure that if the file is replaced with an untrusted one (due to another
100 // script's file upload vulnerability), it does not get loaded. Since mtime
101 // granularity is 1 second, we cannot prevent an attack that happens within
102 // a second of the initial save().
104 for ($i = 0; $i < 2; $i++) {
105 $php = new $this->storageClass($this->settings);
106 $GLOBALS['hacked'] = FALSE;
107 $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
108 chmod($expected_directory, 0700);
109 chmod($expected_filename, 0700);
111 // Now try to write the file in such a way that the directory mtime
112 // changes and invalidates the hash.
113 file_put_contents($expected_filename . '.tmp', $untrusted_code);
114 rename($expected_filename . '.tmp', $expected_filename);
117 // On the first try do not change the directory mtime but the filemtime
118 // is now larger than the directory mtime.
119 file_put_contents($expected_filename, $untrusted_code);
121 chmod($expected_filename, 0400);
122 chmod($expected_directory, 0100);
123 $this->assertSame(file_get_contents($expected_filename), $untrusted_code);
124 $this->assertSame($this->expected[$i], $php->exists($name));
125 $this->assertSame($this->expected[$i], $php->load($name));
126 $this->assertSame($this->expected[$i], $GLOBALS['hacked']);
128 unset($GLOBALS['hacked']);