<?php
# MantisBT - A PHP based bugtracking system
# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
/**
* @package MantisBT
* @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
* @copyright Copyright (C) 2002 - 2011 MantisBT Team - mantisbt-dev@lists.sourceforge.net
* @link http://www.mantisbt.org
*
* @uses check_api.php
* @uses config_api.php
*/
# Only run when included by the check runner: the guard constant marks an authorised
# include (presumably so that a direct request for this file produces nothing).
if ( !defined( 'CHECK_PATHS_INC_ALLOW' ) ) {
return;
}
/**
* MantisBT Check API
*/
require_once( 'check_api.php' );
require_api( 'config_api.php' );
check_print_section_header_row( 'Paths' );
# Configuration options holding filesystem paths that are verified below.
$t_path_config_names = array(
'absolute_path',
);
# Handle file upload default path only if attachments stored on disk
if( DISK == config_get_global( 'file_upload_method' ) ) {
$t_path_config_names[] = 'absolute_path_default_upload_folder';
}
# Build option name => array( 'config_value' => raw setting, 'real_path' => canonical path ).
# realpath() returns false when the path cannot be resolved; the web-root check further
# down falls back to the raw setting in that case.
$t_paths = array();
foreach( $t_path_config_names as $t_path_config_name ) {
$t_new_path = array();
$t_new_path['config_value'] = config_get_global( $t_path_config_name );
$t_new_path['real_path'] = realpath( $t_new_path['config_value'] );
$t_paths[$t_path_config_name] = $t_new_path;
}
# Each path must end with a directory separator: the directory checks below append
# bare directory names straight onto the configured value.
foreach( $t_paths as $t_path_config_name => $t_path ) {
check_print_test_row(
$t_path_config_name . ' configuration option has a trailing directory separator',
substr( $t_path['config_value'], -1, 1 ) == DIRECTORY_SEPARATOR,
array( false => 'You must provide a trailing directory separator (' . DIRECTORY_SEPARATOR . ') to the end of the ' . $t_path_config_name . ' configuration value.' )
);
}
# Each configured path must be an existing directory that the web server can read.
foreach( $t_paths as $t_path_config_name => $t_path ) {
check_print_test_row(
$t_path_config_name . ' configuration option points to a valid directory',
is_dir( $t_path['config_value'] ),
array( false => 'The path specified by the ' . $t_path_config_name . ' configuration option does not point to a valid and accessible directory.' )
);
}
# File upload default path must be writeable
if( DISK == config_get_global( 'file_upload_method' ) ) {
$t_path_config_name = 'absolute_path_default_upload_folder';
$t_path = $t_paths[$t_path_config_name];
check_print_test_row(
$t_path_config_name . ' configuration option points to a writable directory',
is_writable( $t_path['config_value'] ),
array( false => "The path specified by the $t_path_config_name configuration option ('" . $t_path['config_value'] . "') must be writable." )
);
}
# $g_failed_test is presumably raised by check_api when a test row fails; stop here
# because the warn-level checks below assume the paths above are valid.
if( $g_failed_test ) {
return;
}
# The entire app has been removed from the web tree. Moveable paths are now only configurable via webserver conf
# (the list is empty, so the loop over it below is currently a no-op).
$t_moveable_paths = array(
);
# Regex-escaped web root, used as an anchored prefix to decide whether a path lies under it.
# Prefer the canonical path; fall back to the raw setting when realpath() failed.
if( $t_paths['absolute_path']['real_path'] !== false ) {
$t_absolute_path_regex_safe = preg_quote( $t_paths['absolute_path']['real_path'], '/' );
} else {
$t_absolute_path_regex_safe = preg_quote( $t_paths['absolute_path']['config_value'], '/' );
}
foreach( $t_moveable_paths as $t_moveable_path ) {
if( $t_paths[$t_moveable_path]['real_path'] !== false ) {
$t_moveable_real_path = $t_paths[$t_moveable_path]['real_path'];
} else {
$t_moveable_real_path = $t_paths[$t_moveable_path]['config_value'];
}
# NOTE(review): this is a bare prefix match, so a sibling directory whose name merely
# starts with the web root path would also be reported as inside the web root. The
# effect is only a spurious warning, and the list above is empty today.
check_print_test_warn_row(
$t_moveable_path . ' configuration option is set to a path outside the web root',
!preg_match( "/^$t_absolute_path_regex_safe/", $t_moveable_real_path ),
array( false => 'For increased security it is recommended that you move the ' . $t_moveable_path . ' directory outside the web root.' )
);
}
# Directories shipped with MantisBT that are not needed at runtime; warn if still present.
$t_removeable_directories = array(
'doc',
);
foreach( $t_removeable_directories as $t_removeable_directory ) {
# short_path is HTML-escaped for the href attribute; the directory name comes from the fixed list above.
check_print_test_warn_row(
'Directory <em><a href="' . htmlentities( config_get_global( 'short_path' ) ) . $t_removeable_directory . '">' . $t_removeable_directory . '</a></em> does not need to exist within the MantisBT root',
!is_dir( $t_paths['absolute_path']['config_value'] . $t_removeable_directory ),
array( false => 'The ' . $t_removeable_directory . ' directory within the MantisBT root should be removed as it is not needed for the live operation of MantisBT.' )
);
}
# Directories present only in a development checkout; their presence suggests the
# deployment is not a release build.
$t_developer_directories = array(
'docbook',
'packages',
'scripts',
'tests',
);
foreach( $t_developer_directories as $t_developer_directory ) {
check_print_test_warn_row(
'Directory <em><a href="' . htmlentities( config_get_global( 'short_path' ) ) . $t_developer_directory . '">' . $t_developer_directory . '</a></em> exists. These files are not included in MantisBT builds. For production use, please use a release build/snapshot, and not the developer git code.',
!is_dir( $t_paths['absolute_path']['config_value'] . $t_developer_directory ),
array( false => 'The ' . $t_developer_directory . ' directory within the MantisBT root is for development use and is not included in official releases of MantisBT.' )
);
}
# The SOAP endpoint directory is optional; warn when it is present.
# NOTE(review): unlike the rows above, no failure-message array is passed here --
# confirm in check_api.php that check_print_test_warn_row's third parameter is optional.
check_print_test_warn_row(
'Directory <em><a href="' . htmlentities( config_get_global( 'short_path' ) ) . 'api">api</a></em> should be removed from the MantisBT root if you do not plan on using <a href="http://en.wikipedia.org/wiki/SOAP">SOAP</a>',
!is_dir( $t_paths['absolute_path']['config_value'] . 'api' )
);