Révision bb746689
Ajouté par Assos Assos il y a plus de 9 ans
drupal7/sites/all/modules/security_review/IGNOREME.txt | ||
---|---|---|
4 | 4 |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
5 | 5 |
|
6 | 6 |
20130923022437 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
7 |
20131024102938 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
|
8 |
20131024104044 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
|
9 |
20131024104100 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
|
7 |
20140906124133 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
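Review bot: The 20131024… entries in IGNOREME.txt and the three `file_write_test.20131024…` files listed next do not look like upstream module content. They look like output of the Security Review file-permissions check run on this site, which would mean the web server account could write into `sites/all/modules/security_review` at that time. The rendered page does not show whether this commit adds or removes them, so confirm that none of them remain in the tree after the update. An ignore rule for `file_write_test.*`, plus making the modules directory non-writable by the web server as the message itself advises, would stop them from reappearing.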
drupal7/sites/all/modules/security_review/file_write_test.20131024102938 | ||
---|---|---|
1 |
20131024102938 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
drupal7/sites/all/modules/security_review/file_write_test.20131024104044 | ||
---|---|---|
1 |
20131024104044 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
drupal7/sites/all/modules/security_review/file_write_test.20131024104100 | ||
---|---|---|
1 |
20131024104100 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. |
drupal7/sites/all/modules/security_review/security_review.drush.inc | ||
---|---|---|
6 | 6 |
*/ |
7 | 7 |
|
8 | 8 |
// Include security_review.inc file for when invoked from outside the site. |
9 |
require_once __DIR__ . '/security_review.inc';
|
|
9 |
include_once dirname(__FILE__) . '/security_review.inc';
|
|
10 | 10 |
|
11 | 11 |
/** |
12 | 12 |
* Implementation of hook_drush_command(). |
... | ... | |
23 | 23 |
'log' => 'Log results of each check to watchdog, defaults to off', |
24 | 24 |
'lastrun' => 'Do not run the checklist, just print last results', |
25 | 25 |
'check' => 'Comma-separated list of specified checks to run. See README.txt for list of options', |
26 |
'skip' => 'Invert behavior of --check. Run all checks except specified checks', |
|
26 | 27 |
'short' => "Short result messages instead of full description (e.g. 'Text formats').", |
27 | 28 |
'results' => 'Show the incorrect settings for failed checks.', |
28 | 29 |
), |
... | ... | |
57 | 58 |
* Run checklist and display results command. |
58 | 59 |
*/ |
59 | 60 |
function security_review_drush() { |
61 |
if (!function_exists('security_review_get_checklist')) { |
|
62 |
return drush_set_error('REQUIREMENTS_ERROR', 'File security_review.inc is required to run the checklist.'); |
|
63 |
} |
|
60 | 64 |
// Retrieve the checklist. |
61 | 65 |
$checklist = security_review_get_checklist(); |
62 | 66 |
|
... | ... | |
69 | 73 |
$store = $log = $lastrun = FALSE; |
70 | 74 |
} |
71 | 75 |
$specific_checks = drush_get_option_list('check'); |
76 |
$skip = drush_get_option('skip'); |
|
72 | 77 |
$short_titles = drush_get_option('short'); |
73 | 78 |
if (!empty($short_titles)) { |
74 | 79 |
$short_titles = TRUE; |
... | ... | |
87 | 92 |
|
88 | 93 |
if (!$lastrun) { |
89 | 94 |
if (!empty($specific_checks)) { |
90 |
// Run specified checks only.
|
|
91 |
$new_checklist = array();
|
|
95 |
// Get specified checks.
|
|
96 |
$specific_checklist = array();
|
|
92 | 97 |
foreach ($specific_checks as $check_name) { |
93 | 98 |
if (empty($check_name)) { |
94 | 99 |
continue; // Can happen if user puts space after comma. |
... | ... | |
100 | 105 |
$module = 'security_review'; |
101 | 106 |
} |
102 | 107 |
if (isset($checklist[$module][$check_name])) { |
103 |
$new_checklist[$module][$check_name] = $checklist[$module][$check_name]; |
|
108 |
$specific_checklist[$module][$check_name] = $checklist[$module][$check_name]; |
|
109 |
} |
|
110 |
} |
|
111 |
if ($skip) { |
|
112 |
// Run all checks except specified checks. |
|
113 |
foreach ($specific_checklist as $module => $checks) { |
|
114 |
foreach (array_keys($checks) as $check_name) { |
|
115 |
unset($checklist[$module][$check_name]); |
|
116 |
} |
|
104 | 117 |
} |
105 | 118 |
} |
106 |
$checklist = $new_checklist; |
|
119 |
else { |
|
120 |
// Run only specified checks. |
|
121 |
$checklist = $specific_checklist; |
|
122 |
} |
|
107 | 123 |
} |
108 | 124 |
else { |
109 | 125 |
// Unset file_perms of security_review because drush is running as a |
... | ... | |
141 | 157 |
} |
142 | 158 |
elseif ($lastrun) { |
143 | 159 |
// Retrieve results from last run of the checklist. |
144 |
$results = db_query("SELECT namespace, reviewcheck, result, lastrun, skip, skiptime, skipuid FROM {security_review}"); |
|
145 |
while($record = $results->fetchAssoc()) { |
|
146 |
$checks[] = $record; |
|
147 |
} |
|
160 |
$results = security_review_get_stored_results(); |
|
148 | 161 |
// Print results. |
149 |
if (!empty($checks)) { |
|
150 |
foreach ($checks as $check) { |
|
151 |
_security_review_drush_print_result($checklist[$check['namespace']][$check['reviewcheck']], $short_titles, $show_results); |
|
162 |
if (!empty($results)) { |
|
163 |
foreach ($results as $result) { |
|
164 |
if (isset($checklist[$result['namespace']][$result['reviewcheck']])) { |
|
165 |
$check = array_merge($result, $checklist[$result['namespace']][$result['reviewcheck']]); |
|
166 |
_security_review_drush_print_result($check, $short_titles, $show_results); |
|
167 |
} |
|
152 | 168 |
} |
153 | 169 |
} |
154 | 170 |
} |
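Review bot: A name passed to `--check` that matches no check is dropped without a message at `if (isset($checklist[$module][$check_name]))`, so a typo silently shrinks the run, or with `--skip` leaves the check enabled. When drush runs this from cron or CI, a reduced or empty checklist can read as a clean result. An `else` branch such as `drush_log(dt('Unknown check !name', array('!name' => $check_name)), 'warning');` would surface it. The `if ($skip)` block also sits inside `if (!empty($specific_checks))`, so `--skip` given without `--check` does nothing, and the option help could say so. The body of security_review_drush() continues outside the visible hunks.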
drupal7/sites/all/modules/security_review/security_review.help.inc | ||
---|---|---|
377 | 377 |
case 'incorrect_htaccess': |
378 | 378 |
$element['findings']['descriptions'][] = t("The .htaccess file exists but does not contain the correct content. It is possible it's been maliciously altered."); |
379 | 379 |
break; |
380 |
case 'outdated_core': |
|
381 |
$element['findings']['descriptions'][] = t("You are running a out-of-date Drupal installation that is vulnerable to arbitrary code execution via weak htaccess protection. Upgrade to the latest version of Drupal. See <a href='https://drupal.org/SA-CORE-2013-003'>SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities</a> for the full report."); |
|
382 |
break; |
|
380 | 383 |
case 'writable_htaccess': |
381 | 384 |
$element['findings']['descriptions'][] = t("The .htaccess file is writeable which poses a risk should a malious user find a way to execute PHP code they could alter the htaccess file to allow further PHP code execution."); |
382 | 385 |
break; |
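Review bot: The new `outdated_core` description reads "a out-of-date Drupal installation" and should be "an out-of-date". Because it is a translatable `t()` string, it is cheaper to correct before translations pick it up. The finding appears to be raised when `file_htaccess_lines()` is missing (see security_review.inc in this commit), so the text could also name that condition rather than only the consequence. The enclosing switch starts outside the hunk.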
drupal7/sites/all/modules/security_review/security_review.inc | ||
---|---|---|
637 | 637 |
$result = FALSE; |
638 | 638 |
$check_result_value[] = 'missing_htaccess'; |
639 | 639 |
} |
640 |
elseif (!function_exists('file_htaccess_lines')) { |
|
641 |
$result = FALSE; |
|
642 |
$check_result_value[] = 'outdated_core'; |
|
643 |
} |
|
640 | 644 |
else { |
641 | 645 |
$contents = file_get_contents($directory . '/.htaccess'); |
642 | 646 |
// Text from includes/file.inc. |
643 |
$expected = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
|
|
644 |
if ($contents !== $expected) {
|
|
647 |
$expected = file_htaccess_lines(FALSE);
|
|
648 |
if (trim($contents) !== trim($expected)) {
|
|
645 | 649 |
$result = FALSE; |
646 | 650 |
$check_result_value[] = 'incorrect_htaccess'; |
647 | 651 |
} |
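Review bot: The kept comment `// Text from includes/file.inc.` no longer describes the line below it, which now calls `file_htaccess_lines(FALSE)` instead of holding a copy of the text. I would reword it to `// Expected content comes from core's file_htaccess_lines(); FALSE selects the public-files variant.` The meaning of FALSE is my reading of core and should be confirmed, as should whether `$directory` can ever be a private or temporary directory. Separately, `file_get_contents()` returns FALSE for an unreadable file, which is then reported as `incorrect_htaccess` with its "maliciously altered" wording; a distinct result value would make triage easier. The enclosing function starts and ends outside the hunk.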
drupal7/sites/all/modules/security_review/security_review.info | ||
---|---|---|
2 | 2 |
description = "Site security and configuration review module." |
3 | 3 |
core = 7.x |
4 | 4 |
files[] = tests/security_review.test |
5 |
; Information added by drupal.org packaging script on 2013-09-26 |
|
6 |
version = "7.x-1.1" |
|
5 |
configure = admin/reports/security-review/settings |
|
6 |
|
|
7 |
; Information added by Drupal.org packaging script on 2014-09-06 |
|
8 |
version = "7.x-1.2" |
|
7 | 9 |
core = "7.x" |
8 | 10 |
project = "security_review" |
9 |
datestamp = "1380217584"
|
|
11 |
datestamp = "1410036834"
|
|
10 | 12 |
|
drupal7/sites/all/modules/security_review/security_review.pages.inc | ||
---|---|---|
41 | 41 |
$header = t('Review results from last run !date', array('!date' => $date)); |
42 | 42 |
$desc = t("Here you can review the results from the last run of the checklist. Checks are not always perfectly correct in their procedure and result. You can keep a check from running by clicking the 'Skip' link beside it. You can run the checklist again by expanding the fieldset above."); |
43 | 43 |
foreach ($checks as $check) { |
44 |
// Skip this iteration if the result has no matching item in the checklist. |
|
45 |
if (!isset($checklist[$check['namespace']][$check['reviewcheck']])) { |
|
46 |
continue; |
|
47 |
} |
|
44 | 48 |
$message = $check['result'] ? $checklist[$check['namespace']][$check['reviewcheck']]['success'] : $checklist[$check['namespace']][$check['reviewcheck']]['failure']; |
45 | 49 |
$title = $check['result'] ? t('OK') : t('Error'); |
46 | 50 |
$class = $check['skip'] ? 'info' : ($check['result'] ? 'ok' : 'error'); |
... | ... | |
139 | 143 |
'#default_value' => variable_get('security_review_untrusted_roles', array_keys($defaults)), |
140 | 144 |
); |
141 | 145 |
|
146 |
$inactive_namespaces = array(); |
|
147 |
// Report stored checks that aren't currently active. |
|
148 |
$checks = security_review_get_stored_results(); |
|
149 |
foreach ($checks as $check) { |
|
150 |
if (!isset($checklist[$check['namespace']][$check['reviewcheck']])) { |
|
151 |
$inactive_namespaces[] = $check['namespace']; |
|
152 |
} |
|
153 |
} |
|
154 |
if (!empty($inactive_namespaces)) { |
|
155 |
$inactive_checks = implode(', ', $inactive_namespaces); |
|
156 |
$form['inactive_checks'] = array( |
|
157 |
'#prefix' => '<div class="messages warning">', |
|
158 |
'#suffix' => '</div>', |
|
159 |
'#markup' => t('Inactive checks are being stored under namespaces: %modules. Enabling associated modules may allow these checks to be run again. Inactive checks must be manually removed or uninstall and reinstall Security Review to clear all stored checks.', array('%modules' => $inactive_checks)) |
|
160 |
); |
|
161 |
} |
|
162 |
|
|
142 | 163 |
$form['security_review_adv'] = array( |
143 | 164 |
'#type' => 'fieldset', |
144 | 165 |
'#title' => t('Advanced'), |
... | ... | |
157 | 178 |
foreach ($checklist as $module => $checks) { |
158 | 179 |
foreach ($checks as $check_name => $check) { |
159 | 180 |
// Determine if check is being skipped. |
160 |
if (!empty($skipped) && array_key_exists($check_name, $skipped[$module])) { |
|
181 |
if (!empty($skipped) && isset($skipped[$module]) && array_key_exists($check_name, $skipped[$module])) {
|
|
161 | 182 |
$values[] = $check_name; |
162 | 183 |
$label = t('!name <em>skipped by UID !uid on !date</em>', array('!name' => $check['title'], '!uid' => $skipped[$module][$check_name]['skipuid'], '!date' => format_date($skipped[$module][$check_name]['skiptime']))); |
163 | 184 |
} |
... | ... | |
339 | 360 |
} |
340 | 361 |
elseif (isset($check['callback'])) { |
341 | 362 |
if (isset($check['file'])) { |
363 |
$check_module = $module; |
|
342 | 364 |
// Handle Security Review defining checks for other modules. |
343 | 365 |
if (isset($check['module'])) { |
344 |
$module = $check['module']; |
|
366 |
$check_module = $check['module'];
|
|
345 | 367 |
} |
346 |
module_load_include('inc', $module, $check['file']); |
|
368 |
module_load_include('inc', $check_module, $check['file']);
|
|
347 | 369 |
} |
348 | 370 |
$function = $check['callback'] . '_help'; |
349 | 371 |
if (function_exists($function)) { |
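Review bot: `$inactive_namespaces[] = $check['namespace'];` appends once per inactive stored check, so a module with several inactive checks is repeated in the warning. Keying the array, `$inactive_namespaces[$check['namespace']] = $check['namespace'];`, lists each namespace once. The `%modules` placeholder is the right choice here, because the namespace comes from stored results and `t()` escapes it. The functions these hunks belong to start outside the visible lines.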
drupal7/sites/all/modules/webform_validation/webform_validation.info | ||
---|---|---|
11 | 11 |
files[] = webform_validation.rules.inc |
12 | 12 |
files[] = webform_validation.validators.inc |
13 | 13 |
|
14 |
; Information added by Drupal.org packaging script on 2014-08-28
|
|
15 |
version = "7.x-1.6"
|
|
14 |
; Information added by Drupal.org packaging script on 2014-09-09
|
|
15 |
version = "7.x-1.7"
|
|
16 | 16 |
core = "7.x" |
17 | 17 |
project = "webform_validation" |
18 |
datestamp = "1409236433"
|
|
18 |
datestamp = "1410296269"
|
|
19 | 19 |
|
drupal7/sites/all/modules/webform_validation/webform_validation.validators.inc | ||
---|---|---|
94 | 94 |
), |
95 | 95 |
'description' => t('Verifies that a user-entered value contains at most the specified number of words.'), |
96 | 96 |
), |
97 |
// Only available in Webform 4; removed below if not. |
|
97 | 98 |
'sum' => array( |
98 | 99 |
'name' => t('Adds up to'), |
99 | 100 |
'component_types' => array( |
... | ... | |
392 | 393 |
), |
393 | 394 |
); |
394 | 395 |
|
396 |
// Only available in Webform 4. |
|
397 |
module_load_include('inc', 'webform', 'components/number'); |
|
398 |
if (!function_exists('webform_compare_floats')) { |
|
399 |
unset($validators['sum']); |
|
400 |
} |
|
401 |
|
|
395 | 402 |
if (module_exists('email_verify')) { |
396 | 403 |
$validators['email_verify'] = array( |
397 | 404 |
'name' => t('Email Verify'), |
... | ... | |
540 | 547 |
$compare_number = (float) preg_replace('/^[^0-9]+/', '', $rule['data']); |
541 | 548 |
|
542 | 549 |
// Parse the comparision operator and do comparison. |
543 |
module_load_include('inc', 'webform', 'includes/webform.conditionals');
|
|
550 |
module_load_include('inc', 'webform', 'components/number');
|
|
544 | 551 |
$error = FALSE; |
545 | 552 |
if (substr($rule['data'], 0, 2) === '<=') { |
546 |
if (!(webform_conditional_compare_floats($sum, $compare_number) <= 0)) {
|
|
553 |
if (!(webform_compare_floats($sum, $compare_number) <= 0)) { |
|
547 | 554 |
$error = t('less than or equal to'); |
548 | 555 |
} |
549 | 556 |
} |
550 | 557 |
elseif (substr($rule['data'], 0, 1) === '<') { |
551 |
if (!(webform_conditional_compare_floats($sum, $compare_number) < 0)) {
|
|
558 |
if (!(webform_compare_floats($sum, $compare_number) < 0)) { |
|
552 | 559 |
$error = t('less than'); |
553 | 560 |
} |
554 | 561 |
} |
555 | 562 |
elseif (substr($rule['data'], 0, 2) === '>=') { |
556 |
if (!(webform_conditional_compare_floats($sum, $compare_number) >= 0)) {
|
|
563 |
if (!(webform_compare_floats($sum, $compare_number) >= 0)) { |
|
557 | 564 |
$error = t('greater than or equal to'); |
558 | 565 |
} |
559 | 566 |
} |
560 | 567 |
elseif (substr($rule['data'], 0, 1) === '>') { |
561 |
if (!(webform_conditional_compare_floats($sum, $compare_number) > 0)) {
|
|
568 |
if (!(webform_compare_floats($sum, $compare_number) > 0)) { |
|
562 | 569 |
$error = t('greater than'); |
563 | 570 |
} |
564 | 571 |
} |
565 | 572 |
else { |
566 |
if (!(webform_conditional_compare_floats($sum, $compare_number) === 0)) {
|
|
573 |
if (!(webform_compare_floats($sum, $compare_number) === 0)) { |
|
567 | 574 |
$error = t('exactly'); |
568 | 575 |
} |
569 | 576 |
} |
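Review bot: The calls to `webform_compare_floats()` are not guarded, while the validator-list hunk above them only removes `sum` from the list when that function is missing. A `sum` rule saved earlier would presumably still reach this code on a Webform version without the function and end in a fatal error. A `function_exists('webform_compare_floats')` check before the comparisons, reporting a validation error instead of calling the function, would avoid the crash without letting the rule be bypassed silently. The comparison is also evaluated in each of the five branches; computing it once into a local would shorten them. The enclosing function starts outside the hunk.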
Weekly update of contrib modules