/**
 * Warn when a public upload directory serves a browseable listing.
 *
 * First writes index.html guards into each public directory (via
 * CRM_Utils_File::restrictBrowsing) so listings are blocked, then fetches
 * the corresponding public URL through isBrowsable() and emits an
 * ERROR-level check message for every directory whose local files still
 * show up in the HTTP response.
 *
 * Matching is name-based, so very short filenames (e.g. 'a', 'e') can
 * produce false positives.
 *
 * @return array
 *   List of CRM_Utils_Check_Message objects; empty when nothing is
 *   browseable.
 * @see CRM-14091
 *
 * @todo Test with WordPress, Joomla.
 */
public function checkDirectoriesAreNotBrowseable() {
  $config = CRM_Core_Config::singleton();

  // Filesystem path => public URL. Only the image upload directory is
  // covered here; add further pairs to extend the check.
  $publicDirs = array(
    $config->imageUploadDir => $config->imageUploadURL,
  );

  // Pass 1: drop index.html guards so the directories stop being listable
  // before we probe them.
  foreach (array_keys($publicDirs) as $publicDir) {
    CRM_Utils_File::restrictBrowsing($publicDir);
  }

  // Pass 2: probe each directory over HTTP and flag any that still lists.
  $messages = array();
  foreach ($publicDirs as $publicDir => $publicUrl) {
    if (!$this->isBrowsable($publicDir, $publicUrl)) {
      continue;
    }

    $docUrl = $this->createDocUrl('checkDirectoriesAreNotBrowseable');
    $template = 'Directory <a href="%1">%2</a> should not be browseable via the web.'
      . '<br />'
      . '<a href="%3">Read more about this warning</a>';

    // NOTE(review): %1 (the href) receives the filesystem path rather than
    // the public URL — kept as-is to preserve existing behaviour.
    $messages[] = new CRM_Utils_Check_Message(
      __FUNCTION__,
      ts($template, array(1 => $publicDir, 2 => $publicDir, 3 => $docUrl)),
      ts('Browseable Directories'),
      \Psr\Log\LogLevel::ERROR,
      'fa-lock'
    );
  }

  return $messages;
}