authorDavid Rothstein <drothstein@gmail.com>2013-11-20 15:45:59 -0500
committerDavid Rothstein <drothstein@gmail.com>2013-11-20 15:45:59 -0500
commit782d1155c62c0a879bf587c7e40c3a13bcf6879c (patch)
tree380060c81a7ebd76870cfd7fb566933b3a7c6efd /modules/system
parentbf704d6ffe55d66a440a55a9d43e8846d46d2440 (diff)
Drupal 7.24
Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/system.install37
-rw-r--r--modules/system/system.test47
2 files changed, 82 insertions, 2 deletions
diff --git a/modules/system/system.install b/modules/system/system.install
index a58e855ad..afe4ebc0e 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -258,6 +258,39 @@ function system_requirements($phase) {
$requirements['settings.php']['title'] = $t('Configuration file');
}
+ // Test the contents of the .htaccess files.
+ if ($phase == 'runtime') {
+ // Try to write the .htaccess files first, to prevent false alarms in case
+ // (for example) the /tmp directory was wiped.
+ file_ensure_htaccess();
+ $htaccess_files['public://.htaccess'] = array(
+ 'title' => $t('Public files directory'),
+ 'directory' => variable_get('file_public_path', conf_path() . '/files'),
+ );
+ if ($private_files_directory = variable_get('file_private_path')) {
+ $htaccess_files['private://.htaccess'] = array(
+ 'title' => $t('Private files directory'),
+ 'directory' => $private_files_directory,
+ );
+ }
+ $htaccess_files['temporary://.htaccess'] = array(
+ 'title' => $t('Temporary files directory'),
+ 'directory' => variable_get('file_temporary_path', file_directory_temp()),
+ );
+ foreach ($htaccess_files as $htaccess_file => $info) {
+ // Check for the string which was added to the recommended .htaccess file
+ // in the latest security update.
+ if (!file_exists($htaccess_file) || !($contents = @file_get_contents($htaccess_file)) || strpos($contents, 'Drupal_Security_Do_Not_Remove_See_SA_2013_003') === FALSE) {
+ $requirements[$htaccess_file] = array(
+ 'title' => $info['title'],
+ 'value' => $t('Not fully protected'),
+ 'severity' => REQUIREMENT_ERROR,
+ 'description' => $t('See <a href="@url">@url</a> for information about the recommended .htaccess file which should be added to the %directory directory to help protect against arbitrary code execution.', array('@url' => 'http://drupal.org/SA-CORE-2013-003', '%directory' => $info['directory'])),
+ );
+ }
+ }
+ }
+
// Report cron status.
if ($phase == 'runtime') {
// Cron warning threshold defaults to two days.
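Review bot: The strpos() test inside the foreach only confirms that the marker comment `Drupal_Security_Do_Not_Remove_See_SA_2013_003` is present, so a file that kept the comment but lost the protective directives, or a server configured to ignore .htaccess, still reports as protected; that limitation should be stated where the check lives, e.g. `// Marker check only: the string shows file_ensure_htaccess() wrote the post-SA-CORE-2013-003 template; it does not verify the directives survived or that the web server honours .htaccess.` The requirement description already points to the advisory, which is the right remediation path for the cases the check does catch. A small style point: `$htaccess_files` is created implicitly by index assignment; an explicit `$htaccess_files = array();` before the first assignment makes the intent clear and survives a later reordering of the entries. system_requirements() starts and ends outside the hunk.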
@@ -516,7 +549,7 @@ function system_install() {
->execute();
// Populate the cron key variable.
- $cron_key = drupal_hash_base64(drupal_random_bytes(55));
+ $cron_key = drupal_random_key();
variable_set('cron_key', $cron_key);
}
@@ -1743,7 +1776,7 @@ function system_update_7000() {
* Generate a cron key and save it in the variables table.
*/
function system_update_7001() {
- variable_set('cron_key', drupal_hash_base64(drupal_random_bytes(55)));
+ variable_set('cron_key', drupal_random_key());
}
/**
diff --git a/modules/system/system.test b/modules/system/system.test
index 99e0cbe95..f4fb047d1 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -2712,3 +2712,50 @@ class TokenScanTest extends DrupalWebTestCase {
}
}
+/**
+ * Test case for drupal_valid_token().
+ */
+class SystemValidTokenTest extends DrupalUnitTestCase {
+
+ /**
+ * Flag to indicate whether PHP error reportings should be asserted.
+ *
+ * @var bool
+ */
+ protected $assertErrors = TRUE;
+
+ public static function getInfo() {
+ return array(
+ 'name' => 'Token validation',
+ 'description' => 'Test the security token validation.',
+ 'group' => 'System',
+ );
+ }
+
+ /**
+ * Tests invalid invocations of drupal_valid_token() that must return FALSE.
+ */
+ public function testTokenValidation() {
+ // The following checks will throw PHP notices, so we disable error
+ // assertions.
+ $this->assertErrors = FALSE;
+ $this->assertFalse(drupal_valid_token(NULL, new stdClass()), 'Token NULL, value object returns FALSE.');
+ $this->assertFalse(drupal_valid_token(0, array()), 'Token 0, value array returns FALSE.');
+ $this->assertFalse(drupal_valid_token('', array()), "Token '', value array returns FALSE.");
+ $this->assertFalse('' === drupal_get_token(array()), 'Token generation does not return an empty string on invalid parameters.');
+ $this->assertErrors = TRUE;
+
+ $this->assertFalse(drupal_valid_token(TRUE, 'foo'), 'Token TRUE, value foo returns FALSE.');
+ $this->assertFalse(drupal_valid_token(0, 'foo'), 'Token 0, value foo returns FALSE.');
+ }
+
+ /**
+ * Overrides DrupalTestCase::errorHandler().
+ */
+ public function errorHandler($severity, $message, $file = NULL, $line = NULL) {
+ if ($this->assertErrors) {
+ return parent::errorHandler($severity, $message, $file, $line);
+ }
+ return TRUE;
+ }
+}
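Review bot: The errorHandler() override at the end of the class returns TRUE for every severity while `$assertErrors` is FALSE, so any unrelated warning raised during the four calls in testTokenValidation() is swallowed together with the expected notices, and a regression in drupal_valid_token() that emitted a new error would go unnoticed in that window. Consider narrowing the guard to the severities the test expects, e.g. `if ($this->assertErrors || !($severity & E_NOTICE)) {`; the exact mask depends on what the array-to-string and object-to-string conversions raise on the supported PHP versions, which the hunk does not show. The `@var bool` docblock wording "PHP error reportings should be asserted" would read more clearly as `Whether PHP errors raised during the test are recorded as assertion failures.`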