Code Coverage for /Users/ericduran/Sites/drupal/drupal/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	75.00% covered (warning)	75.00%	6 / 8	CRAP	64.00% covered (warning)	64.00%	32 / 50
MTimeProtectedFastFileStorage	0.00% covered (danger)	0.00%	0 / 1	75.00% covered (warning)	75.00%	6 / 8	44.58	64.00% covered (warning)	64.00%	32 / 50
__construct				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	3 / 3
save				0.00% covered (danger)	0.00%	0 / 1	4.01	92.31% covered (success)	92.31%	12 / 13
getFullPath				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	5 / 5
delete				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	4 / 4
garbageCollection				0.00% covered (danger)	0.00%	0 / 1	42	0.00% covered (danger)	0.00%	0 / 17
getContainingDirectoryFullPath				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
getUncachedMTime				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	2 / 2
tempnam				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3

1	<?php
2
3	/**
4	* @file
5	* Contains \Drupal\Component\PhpStorage\MTimeProtectedFastFileStorage.
6	*/
7
8	namespace Drupal\Component\PhpStorage;
9
10	/**
11	* Stores PHP code in files with securely hashed names.
12	*
13	* The goal of this class is to ensure that if a PHP file is replaced with
14	* an untrusted one, it does not get loaded. Since mtime granularity is 1
15	* second, we cannot prevent an attack that happens within one second of the
16	* initial save(). However, it is very unlikely for an attacker exploiting an
17	* upload or file write vulnerability to also know when a legitimate file is
18	* being saved, discover its hash, undo its file permissions, and override the
19	* file with an upload all within a single second. Being able to accomplish
20	* that would indicate a site very likely vulnerable to many other attack
21	* vectors.
22	*
23	* Each file is stored in its own unique containing directory. The hash is based
24	* on the virtual file name, the containing directory's mtime, and a
25	* cryptographically hard to guess secret string. Thus, even if the hashed file
26	* name is discovered and replaced by an untrusted file (e.g., via a
27	* move_uploaded_file() invocation by a script that performs insufficient
28	* validation), the directory's mtime gets updated in the process, invalidating
29	* the hash and preventing the untrusted file from getting loaded.
30	*
31	* This class does not protect against overwriting a file in-place (e.g. a
32	* malicious module that does a file_put_contents()) since this will not change
33	* the mtime of the directory. MTimeProtectedFileStorage protects against this
34	* at the cost of an additional system call for every load() and exists().
35	*
36	* The containing directory is created with the same name as the virtual file
37	* name (slashes removed) to assist with debugging, since the file itself is
38	* stored with a name that's meaningless to humans.
39	*/
40	class MTimeProtectedFastFileStorage extends FileStorage {
41
42	/**
43	* The secret used in the HMAC.
44	*
45	* @var string
46	*/
47	protected $secret;
48
49	/**
50	* Constructs this MTimeProtectedFastFileStorage object.
51	*
52	* @param array $configuration
53	* An associated array, containing at least these keys (the rest are
54	* ignored):
55	* - directory: The directory where the files should be stored.
56	* - secret: A cryptographically hard to guess secret string.
57	* -bin. The storage bin. Multiple storage objects can be instantiated with
58	* the same configuration, but for different bins.
59	*/
60	public function __construct(array $configuration) {
61	parent::__construct($configuration);
62	$this->secret = $configuration['secret'];
63	}
64
65	/**
66	* {@inheritdoc}
67	*/
68	public function save($name, $data) {
69	$this->ensureDirectory($this->directory);
70
71	// Write the file out to a temporary location. Prepend with a '.' to keep it
72	// hidden from listings and web servers.
73	$temporary_path = $this->tempnam($this->directory, '.');
74	if (!$temporary_path \|\| !@file_put_contents($temporary_path, $data)) {
75	return FALSE;
76	}
77	// The file will not be chmod() in the future so this is the final
78	// permission.
79	chmod($temporary_path, 0444);
80
81	// Determine the exact modification time of the file.
82	$mtime = $this->getUncachedMTime($temporary_path);
83
84	// Move the temporary file into the proper directory. Note that POSIX
85	// compliant systems as well as modern Windows perform the rename operation
86	// atomically, i.e. there is no point at which another process attempting to
87	// access the new path will find it missing.
88	$directory = $this->getContainingDirectoryFullPath($name);
89	$this->ensureDirectory($directory);
90	$full_path = $this->getFullPath($name, $directory, $mtime);
91	$result = rename($temporary_path, $full_path);
92
93	// Finally reset the modification time of the directory to match the one of
94	// the newly created file. In order to prevent the creation of a file if the
95	// directory does not exist, ensure that the path terminates with a
96	// directory separator.
97	//
98	// Recall that when subsequently loading the file, the hash is calculated
99	// based on the file name, the containing mtime, and a the secret string.
100	// Hence updating the mtime here is comparable to pointing a symbolic link
101	// at a new target, i.e., the newly created file.
102	if ($result) {
103	$result &= touch($directory . '/', $mtime);
104	}
105
106	return (bool) $result;
107	}
108
109	/**
110	* Gets the full path where the file is or should be stored.
111	*
112	* This function creates a file path that includes a unique containing
113	* directory for the file and a file name that is a hash of the virtual file
114	* name, a cryptographic secret, and the containing directory mtime. If the
115	* file is overridden by an insecure upload script, the directory mtime gets
116	* modified, invalidating the file, thus protecting against untrusted code
117	* getting executed.
118	*
119	* @param string $name
120	* The virtual file name. Can be a relative path.
121	* @param string $directory
122	* (optional) The directory containing the file. If not passed, this is
123	* retrieved by calling getContainingDirectoryFullPath().
124	* @param int $directory_mtime
125	* (optional) The mtime of $directory. Can be passed to avoid an extra
126	* filesystem call when the mtime of the directory is already known.
127	*
128	* @return string
129	* The full path where the file is or should be stored.
130	*/
131	public function getFullPath($name, &$directory = NULL, &$directory_mtime = NULL) {
132	if (!isset($directory)) {
133	$directory = $this->getContainingDirectoryFullPath($name);
134	}
135	if (!isset($directory_mtime)) {
136	$directory_mtime = file_exists($directory) ? filemtime($directory) : 0;
137	}
138	return $directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
139	}
140
141	/**
142	* {@inheritdoc}
143	*/
144	public function delete($name) {
145	$path = $this->getContainingDirectoryFullPath($name);
146	if (file_exists($path)) {
147	return $this->unlink($path);
148	}
149	return FALSE;
150	}
151
152	/**
153	* {@inheritdoc}
154	*/
155	public function garbageCollection() {
156	$flags = \FilesystemIterator::CURRENT_AS_FILEINFO;
157	$flags += \FilesystemIterator::SKIP_DOTS;
158
159	foreach ($this->listAll() as $name) {
160	$directory = $this->getContainingDirectoryFullPath($name);
161	try {
162	$dir_iterator = new \FilesystemIterator($directory, $flags);
163	}
164	catch (\UnexpectedValueException $e) {
165	// FilesystemIterator throws an UnexpectedValueException if the
166	// specified path is not a directory, or if it is not accessible.
167	continue;
168	}
169
170	$directory_unlink = TRUE;
171	$directory_mtime = filemtime($directory);
172	foreach ($dir_iterator as $fileinfo) {
173	if ($directory_mtime > $fileinfo->getMTime()) {
174	// Ensure the folder is writable.
175	@chmod($directory, 0777);
176	@unlink($fileinfo->getPathName());
177	}
178	else {
179	// The directory still contains valid files.
180	$directory_unlink = FALSE;
181	}
182	}
183
184	if ($directory_unlink) {
185	$this->unlink($name);
186	}
187	}
188	}
189
190	/**
191	* Gets the full path of the containing directory where the file is or should
192	* be stored.
193	*
194	* @param string $name
195	* The virtual file name. Can be a relative path.
196	*
197	* @return string
198	* The full path of the containing directory where the file is or should be
199	* stored.
200	*/
201	protected function getContainingDirectoryFullPath($name) {
202	// Remove the .php file extension from the directory name.
203	// Within a single directory, a subdirectory cannot have the same name as a
204	// file. Thus, when switching between MTimeProtectedFastFileStorage and
205	// FileStorage, the subdirectory or the file cannot be created in case the
206	// other file type exists already.
207	if (substr($name, -4) === '.php') {
208	$name = substr($name, 0, -4);
209	}
210	return $this->directory . '/' . str_replace('/', '#', $name);
211	}
212
213	/**
214	* Clears PHP's stat cache and returns the directory's mtime.
215	*/
216	protected function getUncachedMTime($directory) {
217	clearstatcache(TRUE, $directory);
218	return filemtime($directory);
219	}
220
221	/**
222	* A brute force tempnam implementation supporting streams.
223	*
224	* @param $directory
225	* The directory where the temporary filename will be created.
226	* @param $prefix
227	* The prefix of the generated temporary filename.
228	* @return string
229	* Returns the new temporary filename (with path), or FALSE on failure.
230	*/
231	protected function tempnam($directory, $prefix) {
232	do {
233	$path = $directory . '/' . $prefix . substr(str_shuffle(hash('sha256', microtime())), 0, 10);
234	} while (file_exists($path));
235	return $path;
236	}
237
238	}