Example #1
if( !defined( 'CHECK_ANONYMOUS_INC_ALLOW' ) ) {
	return;
}

/**
 * MantisBT Check API
 */
require_once( 'check_api.php' );
require_api( 'config_api.php' );
require_api( 'user_api.php' );

check_print_section_header_row( 'Anonymous access' );

# Report whether anonymous logins are permitted at all
$t_anonymous_access_enabled = config_get_global( 'allow_anonymous_login' );
$t_anonymous_access_label = $t_anonymous_access_enabled ? 'Yes' : 'No';
check_print_info_row( 'Anonymous access is enabled', $t_anonymous_access_label );

# Nothing further to verify when anonymous access is switched off
if( !$t_anonymous_access_enabled ) {
	return;
}

# With anonymous access on, the account used for anonymous logins must be named;
# the account name is HTML-escaped before it is echoed back in the report
$t_anonymous_account = config_get_global( 'anonymous_account' );
$t_anonymous_account_is_set = ( $t_anonymous_account !== '' );
$t_anonymous_account_messages = array(
	true => 'The account currently being used for anonymous access is: ' . htmlentities( $t_anonymous_account ),
	false => 'The anonymous_account configuration option must specify the username of an account to use for anonymous logins.',
);
check_print_test_row(
	'anonymous_account configuration option is specified',
	$t_anonymous_account_is_set,
	$t_anonymous_account_messages
);
Example #2
		'Version of PostgreSQL being used still has <a href="http://wiki.postgresql.org/wiki/PostgreSQL_Release_Support_Policy">release support</a>',
		version_compare( $t_database_server_info['version'], '7.4', '>=' ),
		array( false => 'The version of PostgreSQL you are using is '. htmlentities( $t_database_server_info['version'] ). '. This version is no longer supported and should not be used as security flaws discovered in this version will not be fixed.' )
	);

}

$t_table_prefix = config_get_global( 'db_table_prefix' );
$t_table_suffix = config_get_global( 'db_table_suffix' );

# Report the configured table name affixes; both are HTML-escaped before display.
# $t_table_prefix / $t_table_suffix are reused by the collation checks that follow.
$t_table_affixes = array(
	'Prefix added to each MantisBT table name' => $t_table_prefix,
	'Suffix added to each MantisBT table name' => $t_table_suffix,
);
foreach( $t_table_affixes as $t_affix_label => $t_affix_value ) {
	check_print_info_row( $t_affix_label, htmlentities( $t_affix_value ) );
}

if( db_is_mysql() ) {

	$t_table_prefix_regex_safe = preg_quote( $t_table_prefix, '/' );
	$t_table_suffix_regex_safe = preg_quote( $t_table_suffix, '/' );

	$t_result = db_query_bound( 'SHOW TABLE STATUS' );
	while( $t_row = db_fetch_array( $t_result ) ) {
		if( $t_row['Comment'] !== 'VIEW' &&
		    preg_match( "/^$t_table_prefix_regex_safe.+?$t_table_suffix_regex_safe\$/", $t_row['Name'] ) ) {
			check_print_test_row(
				'Table <em>' . htmlentities( $t_row['Name'] ) . '</em> is using UTF-8 collation',
				substr( $t_row['Collation'], 0, 5 ) === 'utf8_',
				array( false => 'Table ' . htmlentities( $t_row['Name'] ) . ' is using ' . htmlentities( $t_row['Collation'] ) . ' collation where UTF-8 collation is required.' )
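check_print_section_header_row( 'Attachments' );

# Attachment checks only apply when file uploads are permitted at all
$t_file_uploads_allowed = config_get_global( 'allow_file_upload' );
check_print_info_row( 'File uploads are allowed', $t_file_uploads_allowed ? 'Yes' : 'No' );
if( !$t_file_uploads_allowed ) {
	return;
}

# PHP itself must accept uploads before any MantisBT limit matters
check_print_test_row(
	'file_uploads php.ini directive is enabled',
	ini_get_bool( 'file_uploads' ),
	array( false => 'The file_uploads directive in php.ini must be enabled in order for file uploads to work with MantisBT.' )
);

# Read both size limits once; they are reported and compared below
$t_max_file_size = config_get_global( 'max_file_size' );
$t_upload_max_filesize = ini_get_number( 'upload_max_filesize' );
check_print_info_row( 'Maximum file upload size (per file)', htmlentities( $t_max_file_size ) . ' bytes' );
check_print_test_row(
	'max_file_size MantisBT option is less than or equal to the upload_max_filesize directive in php.ini',
	$t_max_file_size <= $t_upload_max_filesize,
	array( false => 'max_file_size is currently ' . htmlentities( $t_max_file_size ) . ' bytes which is greater than the limit of ' . htmlentities( $t_upload_max_filesize ) . ' bytes imposed by the php.ini directive upload_max_filesize.' )
);

$t_use_xsendfile = config_get_global( 'file_download_xsendfile_enabled' );
check_print_info_row(
	'<a href="http://www.google.com/search?q=x-sendfile">X-Sendfile</a> file download technique enabled',
	$t_use_xsendfile ? 'Yes' : 'No'
);
if( $t_use_xsendfile ) {
	# Loose comparison kept on purpose: the stored type of file_upload_method is not
	# established here — TODO confirm it is always the DISK constant's type before tightening
	check_print_test_row(
		'file_download_xsendfile_enabled = ON requires file_upload_method = DISK',
		config_get_global( 'file_upload_method' ) == DISK,
		array( false => 'X-Sendfile file downloading only works when files are stored on a disk.' )
	);
	$t_xsendfile_header_name = config_get_global( 'file_download_xsendfile_header_name' );
	if( $t_xsendfile_header_name !== 'X-Sendfile' ) {
		# Escaped like every other config-derived value printed in this section
		check_print_info_row(
			'Alternative header name to use for X-Sendfile-like functionality',
			htmlentities( $t_xsendfile_header_name )
		);
	}
}

$t_finfo_exists = class_exists( 'finfo' );
check_print_test_warn_row(
	'Fileinfo extension is available for determining file MIME types',
	$t_finfo_exists,
	array( false => 'Web clients may struggle to download files without knowing the MIME type of each attachment.' )
);
if( $t_finfo_exists ) {
	$t_fileinfo_magic_db_file = config_get_global( 'fileinfo_magic_db_file' );
	if( $t_fileinfo_magic_db_file ) {
		check_print_info_row(
			'Name of magic.db file set with the fileinfo_magic_db_file configuration value',
			htmlentities( $t_fileinfo_magic_db_file )
		);
		check_print_test_row(
			'fileinfo_magic_db_file configuration value points to an existing magic.db file',
			file_exists( $t_fileinfo_magic_db_file )
		);
		# finfo_open() returns false when the magic database cannot be loaded.
		# "new finfo()" can never evaluate to false, so the "!== false" test below
		# was previously unconditionally passing.
		$t_finfo = finfo_open( FILEINFO_MIME, $t_fileinfo_magic_db_file );
	} else {
		$t_finfo = finfo_open( FILEINFO_MIME );
	}
	check_print_test_row(
		'Fileinfo extension can find and load a valid magic.db file',
		$t_finfo !== false,
		array( false => 'Ensure that the fileinfo_magic_db_file configuration value points to a valid magic.db file.' )
	);
	if( $t_finfo !== false ) {
		finfo_close( $t_finfo );
	}
}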
Example #4
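# The three php.ini limits must nest: memory_limit >= post_max_size >= upload_max_filesize.
# Each directive is read once and reused by both the report rows and the comparisons.
$t_memory_limit = ini_get_number( 'memory_limit' );
$t_post_max_size = ini_get_number( 'post_max_size' );
$t_upload_max_filesize = ini_get_number( 'upload_max_filesize' );
check_print_test_row(
	'memory_limit php.ini directive is at least equal to the post_max_size directive',
	$t_memory_limit >= $t_post_max_size,
	array( false => 'The current value of the memory_limit directive is ' . htmlentities( $t_memory_limit ) . ' bytes. This value needs to be at least equal to the post_max_size directive value of ' . htmlentities( $t_post_max_size ) . ' bytes.' )
);
check_print_info_row( 'File uploads are enabled (php.ini directive: file_uploads)', ini_get_bool( 'file_uploads' ) ? 'Yes' : 'No' );
check_print_info_row( 'php.ini directive: upload_max_filesize', htmlentities( $t_upload_max_filesize ) . ' bytes' );
# The directive actually compared is upload_max_filesize; the old label/message named a
# non-existent "upload_max_size" directive.
check_print_test_row(
	'post_max_size php.ini directive is at least equal to the upload_max_filesize directive',
	$t_post_max_size >= $t_upload_max_filesize,
	array( false => 'The current value of the post_max_size directive is ' . htmlentities( $t_post_max_size ) . ' bytes. This value needs to be at least equal to the upload_max_filesize directive value of ' . htmlentities( $t_upload_max_filesize ) . ' bytes.' )
);

# One warning row per function disabled through disable_functions; pcntl_* entries are skipped.
# Names come from php.ini and are escaped before being embedded in the row label, matching the
# other rows in this section. The info argument uses the array form the sibling calls use.
$t_disabled_functions = explode( ',', ini_get( 'disable_functions' ) );
foreach( $t_disabled_functions as $t_disabled_function ) {
	$t_disabled_function = trim( $t_disabled_function );
	if( $t_disabled_function !== '' && substr( $t_disabled_function, 0, 6 ) !== 'pcntl_' ) {
		check_print_test_warn_row(
			'<em>' . htmlentities( $t_disabled_function ) . '</em> function is enabled',
			false,
			array( false => 'This function has been disabled by the disable_functions php.ini directive. MantisBT may not operate correctly with this function disabled.' )
		);
	}
}

# Same treatment for classes disabled through disable_classes
$t_disabled_classes = explode( ',', ini_get( 'disable_classes' ) );
foreach( $t_disabled_classes as $t_disabled_class ) {
	$t_disabled_class = trim( $t_disabled_class );
	if( $t_disabled_class !== '' ) {
		check_print_test_warn_row(
			'<em>' . htmlentities( $t_disabled_class ) . '</em> class is enabled',
			false,
			array( false => 'This class has been disabled by the disable_classes php.ini directive. MantisBT may not operate correctly with this class disabled.' )
		);
	}
}

# Print additional information from php.ini to assist debugging (see http://www.php.net/manual/en/ini.list.php).
# foreach replaces the each() loop: each() was deprecated in PHP 7.2 and removed in PHP 8.0.
$t_vars = array( 'open_basedir', 'extension', 'upload_tmp_dir', 'max_file_uploads', 'date.timezone' );
foreach( $t_vars as $t_var ) {
	$t_value = ini_get( $t_var );
	# ini_get() yields false for an unknown directive and '' for an unset one; print neither
	if( $t_value !== false && $t_value !== '' ) {
		check_print_info_row( 'php.ini directive: ' . $t_var, htmlentities( $t_value ) );
	}
}

if( is_windows_server() ) {
	check_print_test_warn_row(
		'There is a performance issue on windows for PHP versions &lt; 5.4 in openssl_random_pseudo_bytes',
		version_compare( phpversion(), '5.4.0', '>=' ),
		array( false => 'For best performance upgrade to PHP > 5.4.0.' )
	);
}

# PHP bug 61443 (5.4.0-5.4.3) is only a concern when no output handler is configured;
# an empty string and a missing directive (false) are both treated as "not set"
$t_output_handler = ini_get( 'output_handler' );
$t_no_output_handler = ( $t_output_handler === '' || $t_output_handler === false );
$t_php_bug_61443_affected = $t_no_output_handler
	&& function_exists( 'ini_set' )
	&& version_compare( PHP_VERSION, '5.4.0', '>=' )
	&& version_compare( PHP_VERSION, '5.4.4', '<' );
check_print_test_warn_row(
	'Check for php bug 61443 - php 5.4.0-5.4.3, trying to use compression with no output handler set',
	!$t_php_bug_61443_affected,
	array( false => 'you should consider setting a php output handler, ensuring compression is disabled or upgrading to at least php 5.4.4' )
);

check_print_test_warn_row(
	'webserver: check SCRIPT_NAME is returned to PHP by web server',
	isset( $_SERVER['SCRIPT_NAME'] ),
	array( false => 'Please ensure web server configuration sets SCRIPT_NAME' )
);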