How does the backend check a web accessibility of the app/etc/config.php? (which leads to the «Your web server is set up incorrectly and allows unauthorized access to sensitive files» message)

dmitry_fedyuk · April 1, 2016, 8:04pm

Short description

magento/magento2/blob/c58d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L18-L23


/**
 * File path for verification
 *
 * @var string
 */
private $_filePath = 'app/etc/config.php';

Then it uses \Magento\Framework\HTTP\Adapter\Curl:

github.com

magento/magento2/blob/c58d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L99-L105


/** @var $http \Magento\Framework\HTTP\Adapter\Curl */
$http = $this->_curlFactory->create();
$http->setConfig(['timeout' => $this->_verificationTimeOut]);
$http->write(\Zend_Http_Client::POST, $unsecureBaseURL . $this->_filePath);
$responseBody = $http->read();
$responseCode = \Zend_Http_Response::extractCode($responseBody);
$http->close();

Detailed description

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L130-L141


/**
 * Retrieve message text
 *
 * @return \Magento\Framework\Phrase
 */
public function getText()
{
    return __(
        'Your web server is set up incorrectly and allows unauthorized access to sensitive files. '
        . 'Please contact your hosting provider.'
    );
}

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L11-L11


class Security implements \Magento\Framework\Notification\MessageInterface

github.com

magento/magento2/blob/6ea7d2d/lib/internal/Magento/Framework/Notification/MessageInterface.php#L33-L45


/**
 * Check whether
 *
 * @return bool
 */
public function isDisplayed();


/**
 * Retrieve message text
 *
 * @return string
 */
public function getText();

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L120-L128


/**
 * Check whether
 *
 * @return bool
 */
public function isDisplayed()
{
    return $this->_canShowNotification();
}

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L70-L88


/**
 * Check verification result and return true if system must to show notification message
 *
 * @return bool
 */
private function _canShowNotification()
{
    if ($this->_cache->load(self::VERIFICATION_RESULT_CACHE_KEY)) {
        return false;
    }


    if ($this->_isFileAccessible()) {
        return true;
    }


    $adminSessionLifetime = (int)$this->_backendConfig->getValue('admin/security/session_lifetime');
    $this->_cache->save(true, self::VERIFICATION_RESULT_CACHE_KEY, [], $adminSessionLifetime);
    return false;
}

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L90-L108


/**
 * If file is accessible return true or false
 *
 * @return bool
 */
private function _isFileAccessible()
{
    $unsecureBaseURL = $this->_config->getValue(Store::XML_PATH_UNSECURE_BASE_URL, 'default');


    /** @var $http \Magento\Framework\HTTP\Adapter\Curl */
    $http = $this->_curlFactory->create();
    $http->setConfig(['timeout' => $this->_verificationTimeOut]);
    $http->write(\Zend_Http_Client::POST, $unsecureBaseURL . $this->_filePath);
    $responseBody = $http->read();
    $responseCode = \Zend_Http_Response::extractCode($responseBody);
    $http->close();


    return $responseCode == 200;
}

github.com

magento/magento2/blob/6ea7d2d/app/code/Magento/AdminNotification/Model/System/Message/Security.php#L18-L23


/**
 * File path for verification
 *
 * @var string
 */
private $_filePath = 'app/etc/config.php';

dmitry_fedyuk · April 1, 2016, 8:05pm