- requires are now resolved relative to base phpsecinfo path, so PhpSecInfo does not need to be in php's include path

- allow_url_fopen now will not throw a warning if enabled and PHP version >= 5.2
- Added simple View system; moved HTML views out of PhpSecInfo class.  You can use PhpSecInfo->setViewDirectory($path) to set the path to your own custom views (your view files need to mirror the structure of the default views).
- Added cli, CSV, JSON and RSS views - Added examples directory to demonstrate more advanced usage of views system

Author: funkatron

CHANGELOG

@@ -1,8 +1,12 @@
 v0.2.2
+- requires are now resolved relative to base phpsecinfo path, so PhpSecInfo does
+  not need to be in php's include path
+- allow_url_fopen now will not throw a warning if enabled and PHP version >= 5.2
 - Added simple View system; moved HTML views out of PhpSecInfo class.  You can
   use PhpSecInfo->setViewDirectory($path) to set the path to your own custom
   views (your view files need to mirror the structure of the default views).
-- Added stubs for cli, CSV and RSS views
+- Added cli, CSV, JSON and RSS views
+- Added examples directory to demonstrate more advanced usage of views system
 - PHPSecInfo_Test::getUnixId() now handles failure better and tries alternate
   methods before giving up
 - Minor CSS fixes in HTML view <Thomas Corbiere>

PhpSecInfo/PhpSecInfo.php

@@ -23,7 +23,7 @@
  * a YYYYMMDD date string to indicate "build" date
  *
  */
-define ('PHPSECINFO_BUILD', '20070408');
+define ('PHPSECINFO_BUILD', '20080723');
 
 /**
  * Homepage for phpsecinfo project
@@ -44,14 +44,19 @@
 define('PHPSECINFO_FORMAT_DEFAULT', 'Html');
 
 
+/**
+ * The base directory, used to resolve requires and includes
+ */
+define('PHPSECINFO_BASE_DIR', dirname(__FILE__));
+
 /**
  * This is the main class for the phpsecinfo system.  It's responsible for
  * dynamically loading tests, running those tests, and generating the results
  * output
  *
  * Example:
  * <code>
- * <?php require_once('PhpSecInfo/PhpSecInfo.php'); ?>
+ * <?php require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php'); ?>
  * <?php phpsecinfo(); ?>
  * </code>
  *
@@ -60,7 +65,7 @@
  *
  * Example:
  * <code>
- * require_once('PhpSecInfo/PhpSecInfo.php');
+ * require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php');
  * // instantiate the class
  * $psi = new PhpSecInfo();
  *
@@ -150,6 +155,12 @@ class PhpSecInfo
 	var $num_tests_run = 0;
 
 
+	/**
+	 * The base directory for phpsecinfo. Set within the constructor. Paths are resolved from this.
+	 * @var string
+	 */
+	var $_base_dir;
+
 
 	/**
 	 * The directory PHPSecInfo will look for views.  It defaults to the value
@@ -173,15 +184,34 @@ class PhpSecInfo
 	 *
 	 * @return PhpSecInfo
 	 */
-	function PhpSecInfo() {
-		/**
-		 * set the default View directory
-		 */
-		$this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
-		if (strtolower(php_sapi_name()) == 'cli' ) {
-			$this->setFormat('Cli');
-		} else {
-			$this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
+	function PhpSecInfo($opts = null) {
+		
+		$this->_base_dir = dirname(__FILE__);
+		
+		if ($opts) {
+			if (isset($opts['view_directory'])) {
+				$this->setViewDirectory($opts['view_directory']);
+			} else {
+				$this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
+			}
+			
+			if (isset($opts['format'])) {
+				$this->setFormat($opts['format']);
+			} else {
+				if (strtolower(php_sapi_name()) == 'cli' ) {
+					$this->setFormat('Cli');
+				} else {
+					$this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
+				}
+			}
+			
+		} else { /* Use defaults */
+			$this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
+			if (strtolower(php_sapi_name()) == 'cli' ) {
+				$this->setFormat('Cli');
+			} else {
+				$this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
+			}
 		}
 	}
 

PhpSecInfo/Test/CGI/force_redirect.php

@@ -9,7 +9,7 @@
 /**
  * require the PhpSecInfo_Test_Cgi class
  */
-require_once('PhpSecInfo/Test/Test_Cgi.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Cgi.php');
 
 /**
  * Test class for cgi force_redirect

PhpSecInfo/Test/Core/allow_url_fopen.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for allow_url_fopen
@@ -47,11 +47,16 @@ function _retrieveCurrentValue() {
 	 *
 	 */
 	function _execTest() {
-		if ($this->current_value == $this->recommended_value) {
+		if ( version_compare(PHP_VERSION, '5.2', '<') ) { /* this is much more severe if we're running < 5.2 */
+			if ($this->current_value == $this->recommended_value) {
+				return PHPSECINFO_TEST_RESULT_OK;
+			}
+
+			return PHPSECINFO_TEST_RESULT_WARN;
+		} else { /* In 5.2, we'll consider allow_url_fopen "safe" */
+			$this->recommended_value = TRUE;
 			return PHPSECINFO_TEST_RESULT_OK;
 		}
-
-		return PHPSECINFO_TEST_RESULT_WARN;
 	}
 
 
@@ -61,9 +66,13 @@ function _execTest() {
 	 */
 	function _setMessages() {
 		parent::_setMessages();
-
-		$this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_fopen is disabled, which is the recommended setting');
-		$this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_fopen is enabled.  This could be a serious security risk.  You should disable allow_url_fopen and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
+		if ( version_compare(PHP_VERSION, '5.2', '<') ) { /* this is much more severe if we're running < 5.2 */
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'allow_url_fopen is disabled, which is the recommended setting');
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_WARN, 'en', 'allow_url_fopen is enabled.  This could be a serious security risk.  You should disable allow_url_fopen and consider using the <a href="http://php.net/manual/en/ref.curl.php" target="_blank">PHP cURL functions</a> instead.');
+		
+		} else {
+			$this->setMessageForResult(PHPSECINFO_TEST_RESULT_OK, 'en', 'You are running PHP 5.2 or greater, which makes allow_url_fopen significantly safer. Make sure allow_url_include is <em>disabled</em>, though');
+		}
 	}
 
 

PhpSecInfo/Test/Core/allow_url_include.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for allow_url_include

PhpSecInfo/Test/Core/display_errors.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test class for display_errors

PhpSecInfo/Test/Core/expose_php.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test class for expose_php

PhpSecInfo/Test/Core/file_uploads.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for file_uploads

PhpSecInfo/Test/Core/gid.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 
 /**

PhpSecInfo/Test/Core/magic_quotes_gpc.php

@@ -11,7 +11,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for magic_quotes_gpc

PhpSecInfo/Test/Core/memory_limit.php

@@ -12,7 +12,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * The max recommended size for the memory_limit setting, in bytes

PhpSecInfo/Test/Core/open_basedir.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for open_basedir

PhpSecInfo/Test/Core/post_max_size.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * The max recommended size for the post_max_size setting, in bytes

PhpSecInfo/Test/Core/register_globals.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 
 /**

PhpSecInfo/Test/Core/uid.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 
 /**

PhpSecInfo/Test/Core/upload_max_filesize.php

@@ -9,7 +9,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * The max recommended size for the upload_max_filesize setting, in bytes

PhpSecInfo/Test/Core/upload_tmp_dir.php

@@ -9,7 +9,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Core.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Core.php');
 
 /**
  * Test Class for upload_tmp_dir

PhpSecInfo/Test/Curl/file_support.php

@@ -9,7 +9,7 @@
 /**
  * require the PhpSecInfo_Test_Curl class
  */
-require_once('PhpSecInfo/Test/Test_Curl.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Curl.php');
 
 /**
  * Test class for CURL file_support

PhpSecInfo/Test/Session/save_path.php

@@ -9,7 +9,7 @@
 /**
  * require the PhpSecInfo_Test_Core class
  */
-require_once('PhpSecInfo/Test/Test_Session.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
 
 /**
  * Test class for session save_path

PhpSecInfo/Test/Session/use_trans_sid.php

@@ -10,7 +10,7 @@
 /**
  * require the PhpSecInfo_Test_Session class
  */
-require_once('PhpSecInfo/Test/Test_Session.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test_Session.php');
 
 /**
  * Test class for session use_trans_sid

PhpSecInfo/Test/Test.php

@@ -9,7 +9,7 @@
 /**
  * require the main PhpSecInfo class
  */
-require_once('PhpSecInfo/PhpSecInfo.php');
+require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php');
 
 
 

PhpSecInfo/Test/Test_Cgi.php

@@ -9,7 +9,7 @@
 /**
  * require the main PhpSecInfo class
  */
-require_once('PhpSecInfo/Test/Test.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
 
 
 

PhpSecInfo/Test/Test_Core.php

@@ -9,7 +9,7 @@
 /**
  * require the main PhpSecInfo class
  */
-require_once('PhpSecInfo/Test/Test.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
 
 
 

PhpSecInfo/Test/Test_Curl.php

@@ -9,7 +9,7 @@
 /**
  * require the main PhpSecInfo class
  */
-require_once('PhpSecInfo/Test/Test.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
 
 
 

PhpSecInfo/Test/Test_Session.php

@@ -10,7 +10,7 @@
 /**
  * require the main PhpSecInfo class
  */
-require_once('PhpSecInfo/Test/Test.php');
+require_once(PHPSECINFO_BASE_DIR.'/Test/Test.php');
 
 
 

PhpSecInfo/View/Csv.php

@@ -1,5 +1,16 @@
 <?php
-/**
- * @todo write CSV view
- */
+header('Content-type: text/csv');
+header('Content-Disposition: attachment; filename="phpsecinfo.csv"');
+
+// This is kind of a lot of logic for a view, but...
+foreach ($this->test_results as $group_name=>$group_results) {
+	
+	$this->_outputRenderTable($group_name, $group_results);
+}
+
+$this->_outputRenderNotRunTable();
+
+/* stats will probably be handled by the app reading the csv */
+//$this->_outputRenderStatsTable();
+
 ?>

PhpSecInfo/View/Csv/Result.php

@@ -0,0 +1,24 @@
+<?php
+foreach($group_results as $test_name=>$test_results) {
+
+	echo strtoupper($group_name).',';
+	echo strtoupper($test_name).',';
+	if ($group_name != 'Test Results Summary'):
+		echo $this->_outputGetResultTypeFromCode($test_results['result']).',';
+	endif;
+
+	
+	echo $test_results['value_current'].',';
+	echo $test_results['value_recommended'].',';
+	
+	echo '"'.str_replace('"', '""',
+					strip_tags(
+						trim(
+							preg_replace("/(\s+)/im", ' ', $test_results['message'])
+						)
+					)
+				) . '",';
+	echo $test_results['moreinfo_url'];
+
+	echo "\n";
+}