<?php
/**
 * Admin security information page
 *
 * Lists general security recommendations: each check below renders one
 * row (icon + title + value + optional explanation) via $view_module.
 */

use Elgg\Project\Paths;

// tab navigation for the security admin section, with this page selected
$params = $vars;
$params['selected'] = 'information';
echo elgg_view('admin/security/tabs', $params);

// introductory text for the page
$description = elgg_echo('admin:security:information:description');
echo elgg_view('output/longtext', ['value' => $description]);

// status icons shared by all checks on this page
$icon_ok = elgg_view_icon('checkmark');
$icon_warning = elgg_view_icon('exclamation-triangle');
$icon_error = elgg_view_icon('times');

/**
 * Render one information row: icon, bold title, optional value and optional subtext
 *
 * @param string $icon    rendered icon HTML
 * @param string $title   row title
 * @param mixed  $value   optional value shown next to the title (omitted when elgg_is_empty())
 * @param string $subtext optional explanatory text shown below the title
 *
 * @return string rendered image block
 */
$view_module = function($icon, $title, $value = '', $subtext = '') {
	$parts = [elgg_format_element('strong', [], $title)];

	if (!elgg_is_empty($value)) {
		$parts[] = elgg_format_element('span', ['class' => 'mlm'], $value);
	}

	if (!elgg_is_empty($subtext)) {
		$parts[] = elgg_format_element('div', ['class' => 'elgg-subtext'], $subtext);
	}

	return elgg_view_image_block($icon, implode('', $parts), ['class' => 'elgg-admin-information-row']);
};

// https
$title = elgg_echo('admin:security:information:https');

// only the configured site URL scheme is inspected; this does not verify that
// plain-http requests are actually redirected or that HSTS is sent
$is_https = parse_url(elgg_get_site_url(), PHP_URL_SCHEME) === 'https';

if ($is_https) {
	$icon = $icon_ok;
	$value = elgg_echo('option:yes');
	$subtext = '';
} else {
	$icon = $icon_warning;
	$value = elgg_echo('option:no');
	$subtext = elgg_echo('admin:security:information:https:warning');
}

echo $view_module($icon, $title, $value, $subtext);

// wwwroot writeable
$title = elgg_echo('admin:security:information:wwwroot');

// checks write permission of the PHP process on the project root directory only,
// not on the files or subdirectories beneath it
$is_writable = is_writable(Paths::project());

$icon = $is_writable ? $icon_error : $icon_ok;
$value = elgg_echo($is_writable ? 'option:yes' : 'option:no');
$subtext = $is_writable ? elgg_echo('admin:security:information:wwwroot:error') : '';

echo $view_module($icon, $title, $value, $subtext);

// hooks on 'validate', 'input' (eg htmlawed)
$title = elgg_echo('admin:security:information:validate_input');

// any registered handler counts as "enabled"; what the handler actually filters is not verified here
$has_validators = (bool) elgg()->hooks->getOrderedHandlers('validate', 'input');

if ($has_validators) {
	$icon = $icon_ok;
	$value = elgg_echo('status:enabled');
	$subtext = '';
} else {
	$icon = $icon_error;
	$value = elgg_echo('status:disabled');
	$subtext = elgg_echo('admin:security:information:validate_input:error');
}

echo $view_module($icon, $title, $value, $subtext);

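// password length
$icon = $icon_ok;
$title = elgg_echo('admin:security:information:password_length');
$value = elgg_get_config('min_password_length');
$subtext = '';

// cast before comparing: the setting may come back as a string or null, and a
// non-numeric string would compare as a string against 6 and silently skip the warning
if ((int) $value < 6) {
	$icon = $icon_warning;
	$subtext = elgg_echo('admin:security:information:password_length:warning');
}

echo $view_module($icon, $title, $value, $subtext);
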
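// username length
$icon = $icon_ok;
$title = elgg_echo('admin:security:information:username_length');
$value = elgg_get_config('minusername');
$subtext = '';

// cast before comparing: the setting may come back as a string or null, and a
// non-numeric string would compare as a string against 4 and silently skip the warning
if ((int) $value < 4) {
	$icon = $icon_warning;
	$subtext = elgg_echo('admin:security:information:username_length:warning');
}

echo $view_module($icon, $title, $value, $subtext);
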
// site secret
// title links to the site secret section of the security settings page
$title = elgg_view('output/url', [
	'text' => elgg_echo('admin:security:settings:label:site_secret'),
	'href' => elgg_generate_url('admin', ['segments' => 'security']) . '#admin-security-site-secret',
	'is_trusted' => true,
]);

$strength = _elgg_get_site_secret_strength();
$value = elgg_echo("site_secret:strength:{$strength}");

// anything other than 'strong' is reported as an error with the matching explanation
$is_strong = ($strength === 'strong');
$icon = $is_strong ? $icon_ok : $icon_error;
$subtext = $is_strong ? '' : elgg_echo("site_secret:strength_msg:{$strength}");

echo $view_module($icon, $title, $value, $subtext);

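// php session garbage collection
$icon = $icon_error;
$title = elgg_echo('admin:security:information:php:session_gc');
$value = elgg_echo('status:disabled');
$subtext = elgg_echo('admin:security:information:php:session_gc:error');

// ini_get() returns strings (or false for an unknown directive); cast the two values
// used in arithmetic so the comparison and division below are numeric, not string-based
$probability = (int) ini_get('session.gc_probability');
$divisor = (int) ini_get('session.gc_divisor');
$maxlifetime = ini_get('session.gc_maxlifetime');

// NOTE(review): setups that run session GC from a scheduled job instead of the
// request-based probability will show "disabled" here even though cleanup happens — confirm before acting on it
if ($probability > 0 && $divisor > 0) {
	$icon = $icon_ok;
	$value = elgg_echo('status:enabled');

	$chance = $probability / $divisor;
	$subtext = elgg_echo('admin:security:information:php:session_gc:chance', [$chance]);
	$subtext .= ' ' . elgg_echo('admin:security:information:php:session_gc:lifetime', [$maxlifetime]);
}

echo $view_module($icon, $title, $value, $subtext);
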
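// Check for .htaccess hardening
$icon = $icon_warning;
$title = elgg_echo('admin:security:information:htaccess:hardening');
$value = elgg_echo('status:disabled');
$subtext = elgg_echo('admin:security:information:htaccess:hardening:help');

// Probe the site's own vendor/autoload.php over HTTP: a 403 means the web server
// blocks direct access to vendor/, i.e. the hardening rules are active. Every other
// outcome (including a failed or timed-out request) is reported as "disabled".
// NOTE(review): a 404 (vendor/ kept outside the document root) is not an exposure
// either, but is still shown as "disabled" here — confirm whether that is intended.
$curl = curl_init(elgg_normalize_site_url('vendor/autoload.php'));
if ($curl !== false) {
	curl_setopt_array($curl, [
		CURLOPT_RETURNTRANSFER => true,
		// bound the probe so an unreachable or slow host cannot stall the admin page
		CURLOPT_CONNECTTIMEOUT => 5,
		CURLOPT_TIMEOUT => 10,
	]);
	curl_exec($curl);
	$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
	curl_close($curl);

	if ($http_code === 403) {
		// hardening enabled
		$icon = $icon_ok;
		$value = elgg_echo('status:enabled');
	}
}

echo $view_module($icon, $title, $value, $subtext);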