
[/] [modules/] [sysinfo/] [lib/] [PhpSecInfo/] [Test/] [CGI/] [force_redirect.php] - Blame information for rev 123

<?php
/**
 * Test class for cgi force_redirect
 *
 * @package PhpSecInfo
 * @author Ed Finkler <coj@funkatron.com>
 */
 
/**
 * require the PhpSecInfo_Test_Cgi class
 */
require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Cgi.php');
 
/**
 * Test class for cgi force_redirect
 *
 * @package PhpSecInfo
 * @author Ed Finkler <coj@funkatron.com>
 */
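class PhpSecInfo_Test_Cgi_Force_Redirect extends PhpSecInfo_Test_Cgi
{
    /**
     * This should be a <b>unique</b>, human-readable identifier for this test
     *
     * @var string
     */
    public $test_name = "force_redirect";

    /**
     * The recommended setting value
     *
     * With cgi.force_redirect on, the CGI binary only serves requests that
     * reached it through a web-server redirect, so the server's own access
     * controls stay in the request path.
     *
     * @var mixed
     */
    public $recommended_value = TRUE;

    /**
     * Reads cgi.force_redirect as a boolean and stores it in
     * $this->current_value for _execTest() to compare.
     */
    public function _retrieveCurrentValue()
    {
        $this->current_value = $this->getBooleanIniValue('cgi.force_redirect');
    }

    /**
     * Decides whether a disabled cgi.force_redirect can be excused in this
     * environment.
     *
     * @return string|false a human-readable reason (the SAPI description or the
     *                      raw SERVER_SOFTWARE value) when the setting is not
     *                      applicable, false when it must be enforced
     */
    private function skipTest()
    {
        // Substring match: any SAPI whose name contains "cgi" (for example
        // cgi-fcgi) is treated as CGI and is NOT excused here.
        if (strpos(PHP_SAPI, 'cgi') === false) {
            return PHP_SAPI . ' SAPI for php';
        }

        // these web servers require cgi.force_redirect = 0
        $webServers = array('Microsoft-IIS', 'OmniHTTPd', 'Xitami');
        if (isset($_SERVER['SERVER_SOFTWARE'])) {
            $serverSoftware = $_SERVER['SERVER_SOFTWARE'];
            foreach ($webServers as $webServer) {
                // === 0 is a prefix match: the product name must start the
                // banner, it is not enough for it to appear somewhere inside.
                if (strpos($serverSoftware, $webServer) === 0) {
                    return $serverSoftware;
                }
            }
        }

        return false;
    }

    /**
     * Checks to see if cgi.force_redirect is enabled
     *
     * Result order: OK when the current value matches the recommendation,
     * NOTICE when it does not but skipTest() gives a reason to excuse it,
     * WARN otherwise.
     */
    public function _execTest()
    {
        // Loose comparison kept on purpose: the exact type returned by
        // getBooleanIniValue() is not visible from this file.
        if ($this->current_value == $this->recommended_value) {
            return PHPSECINFO_TEST_RESULT_OK;
        }

        if ($this->skipTest()) {
            return PHPSECINFO_TEST_RESULT_NOTICE;
        }

        return PHPSECINFO_TEST_RESULT_WARN;
    }

    /**
     * Set the messages specific to this test
     *
     * Two wordings exist for NOTICE/WARN, depending on whether the running
     * PHP registers the cgi.force_redirect directive at all.
     */
    public function _setMessages()
    {
        parent::_setMessages();

        $this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', "force_redirect is enabled, which is the recommended setting");

        // The reason string carries PHP_SAPI or $_SERVER['SERVER_SOFTWARE'].
        // The sibling messages contain <strong> markup, so this text is
        // presumably rendered as HTML (confirm against the report renderer);
        // encode the environment-derived part before it joins the markup.
        // A false return casts to '' exactly as the plain concatenation did.
        $reason = htmlspecialchars((string) $this->skipTest(), ENT_QUOTES, 'UTF-8');

        // ini_get() returns false only for a directive that is not registered,
        // which answers the same question as scanning ini_get_all() without
        // building the whole configuration table.
        if (ini_get('cgi.force_redirect') !== false) {
            $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled.  In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $reason);
            $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled.  In most cases, this is a <strong>serious</strong> security vulnerability.  Unless you are absolutely sure this is not needed, enable this setting");
        } else {
            $this->setMessageForResult(PHPSECINFO_TEST_RESULT_NOTICE, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect.  In most cases, this is a security vulnerability, but it appears this is not needed because you are running " . $reason);
            $this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', "force_redirect is disabled because php was not compiled with --enable-force-cgi-redirect.  In most cases, this is a <strong>serious</strong> security vulnerability.  Unless you are absolutely sure this is not needed, recompile php with --enable-force-cgi-redirect and enable cgi.force_redirect");
        }
    }
}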