3 final class PhabricatorSecuritySetupCheck
extends PhabricatorSetupCheck
{
/**
 * Report which setup-check group this check belongs to.
 *
 * Security checks here are filed under the generic "Other" group rather
 * than a dedicated one; the constant is resolved via self:: and is not
 * defined in this class (presumably provided by PhabricatorSetupCheck).
 *
 * @return mixed Value of self::GROUP_OTHER.
 */
public function getDefaultGroup() {
  $group = self::GROUP_OTHER;
  return $group;
}
9 protected function executeChecks() {
11 // This checks for a version of bash with the "Shellshock" vulnerability.
12 // For details, see T6185.
15 'SHELLSHOCK_PAYLOAD' => '() { :;} ; echo VULNERABLE',
18 list($err, $stdout) = id(new ExecFuture('echo shellshock-test'))
19 ->setEnv($payload, $wipe_process_env = true)
22 if (!$err && preg_match('/VULNERABLE/', $stdout)) {
24 'This system has an unpatched version of Bash with a severe, widely '.
25 'disclosed vulnerability.');
28 'The version of %s on this system is out of date and contains a '.
29 'major, widely disclosed vulnerability (the "Shellshock" '.
32 'Upgrade %s to a patched version.'.
34 'To learn more about how this issue affects this software, see %s.',
35 phutil_tag('tt', array(), 'bash'),
36 phutil_tag('tt', array(), 'bash'),
40 'href' => 'https://secure.phabricator.com/T6185',
43 pht('T6185 "Shellshock" Bash Vulnerability')));
46 ->newIssue('security.shellshock')
47 ->setName(pht('Severe Security Vulnerability: Unpatched Bash'))
48 ->setSummary($summary)
49 ->setMessage($message);
52 $file_key = 'security.alternate-file-domain';
53 $file_domain = PhabricatorEnv
::getEnvConfig($file_key);
55 $doc_href = PhabricatorEnv
::getDoclink('Configuring a File Domain');
57 $this->newIssue('security.'.$file_key)
58 ->setName(pht('Alternate File Domain Not Configured'))
61 'Improve security by configuring an alternate file domain.'))
64 'This software is currently configured to serve user uploads '.
65 'directly from the same domain as other content. This is a '.
68 'Configure a CDN (or alternate file domain) to eliminate this '.
69 'risk. Using a CDN will also improve performance. See the '.
70 'guide below for instructions.'))
71 ->addPhabricatorConfig($file_key)
74 pht('Configuration Guide: Configuring a File Domain'));