dolibarr  19.0.0-dev
security.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2013-2022 Laurent Destailleur <eldy@users.sourceforge.net>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 3 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program. If not, see <https://www.gnu.org/licenses/>.
16  */
17 
23 // Load Dolibarr environment
24 require '../../main.inc.php';
25 require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php';
26 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
27 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
28 require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';
29 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
30 require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
31 require_once DOL_DOCUMENT_ROOT.'/core/class/events.class.php';
32 
33 // Load translation files required by the page
34 $langs->loadLangs(array("install", "other", "admin", "errors"));
35 
36 if (!$user->admin) {
38 }
39 
40 if (GETPOST('action', 'aZ09') == 'donothing') {
41  exit;
42 }
43 
44 $execmethod = getDolGlobalInt('MAIN_EXEC_USE_POPEN', 1);
45 
46 
47 /*
48  * View
49  */
50 
51 $form = new Form($db);
52 
53 llxHeader();
54 
55 print load_fiche_titre($langs->trans("Security"), '', 'title_setup');
56 
57 print '<span class="opacitymedium">'.$langs->trans("YouMayFindSecurityAdviceHere", 'hhttps://wiki.dolibarr.org/index.php/Security_information').'</span>';
58 print ' &nbsp; &nbsp; ';
59 print '<a href="'.$_SERVER["PHP_SELF"].'">';
60 print img_picto($langs->trans("Reload"), 'refresh').' ';
61 print $langs->trans("Reload");
62 print '</a>';
63 print '<br>';
64 print '<br>';
65 
66 print load_fiche_titre($langs->trans("PHPSetup"), '', 'folder');
67 
68 // Get version of PHP
69 $phpversion = version_php();
70 print "<strong>PHP</strong>: ".$langs->trans("Version").": ".$phpversion;
71 if (function_exists('php_ini_loaded_file')) {
72  $inipath = php_ini_loaded_file();
73  print " - <strong>INI</strong>: ".$inipath;
74 }
75 print "<br>\n";
76 
77 // Get version of web server
78 print "<br><strong>Web server - ".$langs->trans("Version")."</strong>: ".$_SERVER["SERVER_SOFTWARE"]."<br>\n";
79 print '<strong>'.$langs->trans("DataRootServer")."</strong>: ".DOL_DATA_ROOT."<br>\n";
80 // Web user group by default
81 $labeluser = dol_getwebuser('user');
82 $labelgroup = dol_getwebuser('group');
83 if ($labeluser && $labelgroup) {
84  print '<strong>'.$langs->trans("WebUserGroup")." (env vars)</strong> : ".$labeluser.':'.$labelgroup;
85  if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
86  $arrayofinfoofuser = posix_getpwuid(posix_geteuid());
87  print ' <span class="opacitymedium">(POSIX '.$arrayofinfoofuser['name'].':'.$arrayofinfoofuser['gecos'].':'.$arrayofinfoofuser['dir'].':'.$arrayofinfoofuser['shell'].')</span><br>'."\n";
88  }
89 }
90 // Web user group real (detected by 'id' external command)
91 if (function_exists('exec')) {
92  $arrayout = array(); $varout = 0;
93  exec('id', $arrayout, $varout);
94  if (empty($varout)) { // Test command is ok. Work only on Linux OS.
95  print '<strong>'.$langs->trans("WebUserGroup")." (real, 'id' command)</strong> : ".join(',', $arrayout)."<br>\n";
96  }
97 }
98 print '<br>';
99 
100 print "<strong>PHP session.use_strict_mode</strong> = ".(ini_get('session.use_strict_mode') ? '' : img_warning().' ').(ini_get('session.use_strict_mode') ? ini_get('session.use_strict_mode') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
101 print "<strong>PHP session.use_only_cookies</strong> = ".(ini_get('session.use_only_cookies') ? '' : img_warning().' ').(ini_get('session.use_only_cookies') ? ini_get('session.use_only_cookies') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
102 print "<strong>PHP session.cookie_httponly</strong> = ".(ini_get('session.cookie_httponly') ? '' : img_warning().' ').(ini_get('session.cookie_httponly') ? ini_get('session.cookie_httponly') : '').' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
103 print "<strong>PHP session.cookie_samesite</strong> = ".(ini_get('session.cookie_samesite') ? ini_get('session.cookie_samesite') : 'None');
104 if (!ini_get('session.cookie_samesite') || ini_get('session.cookie_samesite') == 'Lax') {
105  print ' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'Lax').")</span>";
106 } elseif (ini_get('session.cookie_samesite') == 'Strict') {
107  print ' &nbsp; '.img_warning().' <span class="opacitymedium">'.$langs->trans("WarningPaypalPaymentNotCompatibleWithStrict")."</span>";
108 }
109 print "<br>\n";
110 print "<strong>PHP open_basedir</strong> = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("ARestrictedPath").', '.$langs->transnoentitiesnoconv("Example").': '.$_SERVER["DOCUMENT_ROOT"].','.DOL_DATA_ROOT).')</span>')."<br>\n";
111 print "<strong>PHP short_open_tag</strong> = ".((empty(ini_get('short_open_tag')) || ini_get('short_open_tag') == 'Off') ? yn(0) : img_warning().' '.yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).')</span>'."<br>\n";
112 print "<strong>PHP allow_url_fopen</strong> = ".(ini_get('allow_url_fopen') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_fopen') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")</span><br>\n";
113 print "<strong>PHP allow_url_include</strong> = ".(ini_get('allow_url_include') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_include') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")</span><br>\n";
114 //print "<strong>PHP safe_mode</strong> = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).' &nbsp; <span class="opacitymedium">'.$langs->trans("Deprecated")." (removed in PHP 5.4)</span><br>\n";
115 print "<strong>PHP disable_functions</strong> = ";
116 $arrayoffunctionsdisabled = explode(',', ini_get('disable_functions'));
117 $arrayoffunctionstodisable = explode(',', 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals');
118 //$arrayoffunctionstodisable[] = 'stream_wrapper_restore';
119 //$arrayoffunctionstodisable[] = 'stream_wrapper_register';
120 if ($execmethod == 1) {
121  $arrayoffunctionstodisable2 = explode(',', 'passthru,shell_exec,system,proc_open,popen');
122  $functiontokeep = 'exec';
123 } else {
124  $arrayoffunctionstodisable2 = explode(',', 'exec,passthru,shell_exec,system,proc_open');
125  $functiontokeep = 'popen';
126 }
127 $i = 0;
128 foreach ($arrayoffunctionsdisabled as $functionkey) {
129  if ($i > 0) {
130  print ', ';
131  }
132  print '<span class="opacitymedium">'.$functionkey.'</span>';
133  $i++;
134 }
135 print "<br>\n";
136 $todisabletext = '';
137 $i = 0;
138 foreach ($arrayoffunctionstodisable as $functiontodisable) {
139  if (! in_array($functiontodisable, $arrayoffunctionsdisabled)) {
140  if ($i > 0) {
141  $todisabletext .= ', ';
142  }
143  $todisabletext .= img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' <span class="opacitymedium">'.$functiontodisable.'</span>';
144  $i++;
145  }
146 }
147 if ($todisabletext) {
148  print $langs->trans("YouShouldDisablePHPFunctions").': '.$todisabletext;
149  print '<br>';
150 }
151 $todisabletext = '';
152 $i = 0;
153 foreach ($arrayoffunctionstodisable2 as $functiontodisable) {
154  if (! in_array($functiontodisable, $arrayoffunctionsdisabled)) {
155  if ($i > 0) {
156  $todisabletext .= ', ';
157  }
158  $todisabletext .= img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' <span class="opacitymedium">'.$functiontodisable.'</span>';
159  $i++;
160  }
161 }
162 if ($todisabletext) {
163  print $langs->trans("IfCLINotRequiredYouShouldDisablePHPFunctions").': '.$todisabletext;
164  print '<br>';
165 }
166 
167 print $langs->trans("PHPFunctionsRequiredForCLI").': ';
168 if (in_array($functiontokeep, $arrayoffunctionsdisabled)) {
169  print img_picto($langs->trans("PHPFunctionsRequiredForCLI"), 'warning');
170 }
171 print '<span class="opacitymedium">'.$functiontokeep.'</span>';
172 print '<br>';
173 
174 $arrayofstreams = stream_get_wrappers();
175 if (!empty($arrayofstreams)) {
176  sort($arrayofstreams);
177  print "<strong>PHP streams</strong> = ".(join(',', $arrayofstreams)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'file,http,https,php').')</span>'."<br>\n";
178 }
179 
180 print '<br>';
181 
182 // XDebug
183 print '<strong>'.$langs->trans("XDebug").'</strong>: ';
184 $test = !function_exists('xdebug_is_enabled') && !extension_loaded('xdebug');
185 if ($test) {
186  print img_picto('', 'tick').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
187 } else {
188  print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedMayExposeInformation", $langs->transnoentities("XDebug"));
189  print ' - '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php">XDebug admin page</a>';
190 }
191 print '<br>';
192 
193 
194 // OS Permissions
195 
196 print '<br>';
197 print '<br>';
198 print '<br>';
199 print load_fiche_titre($langs->trans("OSSetup").' - '.$langs->trans("PermissionsOnFiles"), '', 'folder');
200 
201 print '<strong>'.$langs->trans("PermissionsOnFilesInWebRoot").'</strong>: ';
202 $arrayoffilesinroot = dol_dir_list(DOL_DOCUMENT_ROOT, 'all', 1, '', array('\/custom'), 'name', SORT_ASC, 4, 1, '', 1);
203 $fileswithwritepermission = array();
204 foreach ($arrayoffilesinroot as $fileinroot) {
205  // Test if there is at least one write permission file. If yes, add the entry into array $fileswithwritepermission
206  if (isset($fileinroot['perm']) && ($fileinroot['perm'] & 0222)) {
207  $fileswithwritepermission[] = $fileinroot['relativename'];
208  }
209 }
210 if (empty($fileswithwritepermission)) {
211  print img_picto('', 'tick').' '.$langs->trans("NoWritableFilesFoundIntoRootDir");
212 } else {
213  print img_warning().' '.$langs->trans("SomeFilesOrDirInRootAreWritable");
214  print '<br>'.$langs->trans("Example").': ';
215  $i = 0;
216  foreach ($fileswithwritepermission as $filewithwritepermission) {
217  if ($i > 0) {
218  print ', ';
219  }
220  print '<span class="opacitymedium">'.$filewithwritepermission.'</span>';
221  if ($i > 20) {
222  print ' ...';
223  break;
224  }
225  $i++;
226  }
227 }
228 print '<br>';
229 print '<br>';
230 
231 print '<strong>'.$langs->trans("PermissionsOnFile", $conffile).'</strong>: '; // $conffile is defined into filefunc.inc.php
232 $perms = fileperms($dolibarr_main_document_root.'/'.$conffile);
233 if ($perms) {
234  if (($perms & 0x0004) || ($perms & 0x0002)) {
235  print img_warning().' '.$langs->trans("ConfFileIsReadableOrWritableByAnyUsers");
236  // Web user group by default
237  $labeluser = dol_getwebuser('user');
238  $labelgroup = dol_getwebuser('group');
239  print ' '.$langs->trans("User").': '.$labeluser.':'.$labelgroup;
240  if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
241  $arrayofinfoofuser = posix_getpwuid(posix_geteuid());
242  print ' <span class="opacitymedium">(POSIX '.$arrayofinfoofuser['name'].':'.$arrayofinfoofuser['gecos'].':'.$arrayofinfoofuser['dir'].':'.$arrayofinfoofuser['shell'].')</span>';
243  }
244  } else {
245  print img_picto('', 'tick');
246  }
247 } else {
248  print img_warning().' '.$langs->trans("FailedToReadFile", $conffile);
249 }
250 print '<br>';
251 print '<br>';
252 
253 $installlock = DOL_DATA_ROOT.'/install.lock';
254 $upgradeunlock = DOL_DATA_ROOT.'/upgrade.unlock';
255 $installmoduleslock = DOL_DATA_ROOT.'/installmodules.lock';
256 
257 // Is install (upgrade) locked
258 print '<strong>'.$langs->trans("DolibarrSetup").'</strong>: ';
259 if (file_exists($installlock)) {
260  if (file_exists($upgradeunlock)) {
261  print img_picto('', 'tick').' '.$langs->trans("InstallLockedBy", $installlock);
262  } else {
263  print img_picto('', 'tick').' '.$langs->trans("InstallAndUpgradeLockedBy", $installlock);
264  }
265 } else {
266  print img_warning().' '.$langs->trans("WarningLockFileDoesNotExists", DOL_DATA_ROOT);
267 }
268 print '<br>';
269 
270 // Is upgrade unlocked
271 if (file_exists($installlock)) { // If install not locked, no need to show this.
272  if (file_exists($upgradeunlock)) {
273  print '<strong>'.$langs->trans("DolibarrUpgrade").'</strong>: ';
274  print img_warning().' '.$langs->trans("UpgradeHasBeenUnlocked", $upgradeunlock);
275  print '<br>';
276  }
277 }
278 
279 // Is addon install locked ?
280 print '<strong>'.$langs->trans("DolibarrAddonInstall").'</strong>: ';
281 if (file_exists($installmoduleslock)) {
282  print img_picto('', 'tick').' '.$langs->trans("InstallAndUpgradeLockedBy", $installmoduleslock);
283 } else {
284  print $langs->trans("InstallOfAddonIsNotBlocked", DOL_DATA_ROOT);
285 }
286 print '<br>';
287 
288 
289 
290 // File conf.php
291 
292 print '<br>';
293 print '<br>';
294 print '<br>';
295 print load_fiche_titre($langs->trans("ConfigurationFile").' ('.$conffile.')', '', 'folder');
296 
297 print '<strong>$dolibarr_main_prod</strong>: '.($dolibarr_main_prod ? $dolibarr_main_prod : '0');
298 if (empty($dolibarr_main_prod)) {
299  print ' &nbsp; '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 1);
300 }
301 print '<br>';
302 
303 print '<strong>$dolibarr_nocsrfcheck</strong>: '.(empty($dolibarr_nocsrfcheck) ? '0' : $dolibarr_nocsrfcheck);
304 if (!empty($dolibarr_nocsrfcheck)) {
305  print ' &nbsp; '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 0);
306 } else {
307  print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 0)</span>';
308 }
309 print '<br>';
310 
311 print '<strong>$dolibarr_main_restrict_ip</strong>: ';
312 if (empty($dolibarr_main_restrict_ip)) {
313  print $langs->trans("None");
314  //print ' <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("IPsOfUsers")).')</span>';
315 } else {
316  print $dolibarr_main_restrict_ip;
317 }
318 print '<br>';
319 
320 print '<strong>$dolibarr_main_restrict_os_commands</strong>: ';
321 if (empty($dolibarr_main_restrict_os_commands)) {
322  print $langs->trans("None");
323 } else {
324  print $dolibarr_main_restrict_os_commands;
325 }
326 print ' <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'mysqldump, mysql, pg_dump, pgrestore, clamdscan').')</span>';
327 print '<br>';
328 
329 if (empty($conf->global->SECURITY_DISABLE_TEST_ON_OBFUSCATED_CONF)) {
330  print '<strong>$dolibarr_main_db_pass</strong>: ';
331  if (!empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) {
332  print img_picto('', 'warning').' '.$langs->trans("DatabasePasswordNotObfuscated").' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("SetOptionTo", $langs->transnoentitiesnoconv("MainDbPasswordFileConfEncrypted"), yn(1)).')</span>';
333  //print ' <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("IPsOfUsers")).')</span>';
334  } else {
335  print img_picto('', 'tick').' '.$langs->trans("DatabasePasswordObfuscated");
336  }
337 
338  print '<br>';
339 }
340 
341 
342 
343 // Menu Home - Setup - Security
344 
345 print '<br>';
346 print '<br>';
347 print '<br>';
348 
349 print load_fiche_titre($langs->trans("Menu").' '.$langs->trans("SecuritySetup"), '', 'folder');
350 
351 
352 print '<strong>'.$langs->trans("UseCaptchaCode").'</strong>: ';
353 print empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) ? '' : img_picto('', 'tick').' ';
354 print yn(empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) ? 0 : 1);
355 print '<br>';
356 print '<br>';
357 
358 
359 $sessiontimeout = ini_get("session.gc_maxlifetime");
360 if (empty($conf->global->MAIN_SESSION_TIMEOUT)) {
361  $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
362 }
363 print '<strong>'.$langs->trans("SessionTimeOut").'</strong>';
364 if (!ini_get("session.gc_probability")) {
365  print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime")));
366 } else {
367  print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime")));
368 }
369 print ': '.getDolGlobalInt('MAIN_SESSION_TIMEOUT').' '.strtolower($langs->trans("Seconds"));
370 print '<br><br>';
371 
372 print '<strong>'.$langs->trans("MaxNumberOfImagesInGetPost").'</strong>: ';
373 print getDolGlobalInt('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT').' '.strtolower($langs->trans("Images"));
374 print '<br><br>';
375 
376 print '<strong>'.$langs->trans("MaxNumberOfPostOnPublicPagesByIP").'</strong>: ';
377 print getDolGlobalInt('MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS', 200).' '.strtolower($langs->trans("Posts"));
378 print '<br><br>';
379 
380 print '<strong>'.$langs->trans("MaxNumberOfAttachementOnForms").'</strong>: ';
381 print getDolGlobalInt("MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 10).' '.strtolower($langs->trans("Files"));
382 print '<br><br>';
383 
384 print '<strong>'.$langs->trans("DoNotStoreClearPassword").'</strong>: ';
385 print empty($conf->global->DATABASE_PWD_ENCRYPTED) ? '' : img_picto('', 'tick').' ';
386 print yn(empty($conf->global->DATABASE_PWD_ENCRYPTED) ? 0 : 1);
387 if (empty($conf->global->DATABASE_PWD_ENCRYPTED)) {
388  print ' <span class="opacitymedium">('.$langs->trans("Recommended").' '.yn(1).')</span>';
389 }
390 print '<br>';
391 print '<br>';
392 
393 /* Already into section conf file */
394 /*
395 $usepassinconfencrypted = 0;
396 global $dolibarr_main_db_pass, $dolibarr_main_db_encrypted_pass;
397 if (preg_match('/crypted:/i', $dolibarr_main_db_pass) || !empty($dolibarr_main_db_encrypted_pass)) {
398  $usepassinconfencrypted = 1;
399 }
400 print '<strong>'.$langs->trans("MainDbPasswordFileConfEncrypted").'</strong>: ';
401 print $usepassinconfencrypted ? img_picto('', 'tick').' ' : img_warning().' ';
402 print yn($usepassinconfencrypted);
403 if (empty($usepassinconfencrypted)) {
404  print ' <span class="opacitymedium">('.$langs->trans("Recommended").' '.yn(1).')</span>';
405 }
406 print '<br>';
407 print '<br>';
408 */
409 
410 /* Password length
411 
412 // Stored into $tabconf[0] if module generator is "Perso" or specific to the module generator.
413 $tabConf = explode(";", getDolGlobalString('USER_PASSWORD_PATTERN'));
414 
415 print '<strong>'.$langs->trans("PasswordLength").'</strong>: ';
416 print empty($conf->global->DATABASE_PWD_ENCRYPTED) ? '' : img_picto('', 'tick').' ';
417 print yn(empty($conf->global->DATABASE_PWD_ENCRYPTED) ? 0 : 1);
418 if (empty($conf->global->DATABASE_PWD_ENCRYPTED)) {
419  print ' <span class="opacitymedium">('.$langs->trans("Recommended").' '.yn(1).')</span>';
420 }
421 print '<br>';
422 print '<br>';
423 */
424 
425 print '<strong>'.$langs->trans("AntivirusEnabledOnUpload").'</strong>: ';
426 print empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ? img_warning().' ' : img_picto('', 'tick').' ';
427 print yn(empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ? 0 : 1);
428 if (empty($conf->global->MAIN_ANTIVIRUS_COMMAND)) {
429  print ' - <span class="opacitymedium">'.$langs->trans("Recommended").': '.$langs->trans("DefinedAPathForAntivirusCommandIntoSetup", $langs->transnoentitiesnoconv("Home")." - ".$langs->transnoentitiesnoconv("Setup")." - ".$langs->transnoentitiesnoconv("Security")).'</span>';
430 } else {
431  print ' &nbsp; - '.$conf->global->MAIN_ANTIVIRUS_COMMAND;
432  if (defined('MAIN_ANTIVIRUS_COMMAND') && !defined('MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) {
433  print ' - <span class="opacitymedium">'.$langs->trans("ValueIsForcedBySystem").'</span>';
434  }
435 }
436 print '<br>';
437 print '<br>';
438 
439 $umask = getDolGlobalString('MAIN_UMASK');
440 
441 print '<strong>'.$langs->trans("UMask").'</strong>: ';
442 if (! in_array($umask, array('600', '660', '0600', '0660'))) {
443  print img_warning().' ';
444 }
445 print $umask;
446 if (! in_array($umask, array('600', '660', '0600', '0660'))) {
447  print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 0600 | 0660)</span>';
448 }
449 print '<br>';
450 print '<br>';
451 
452 
453 $securityevent = new Events($db);
454 $eventstolog = $securityevent->eventstolog;
455 
456 print '<strong>'.$langs->trans("AuditedSecurityEvents").'</strong>: ';
457 $out = '';
458 if (!empty($eventstolog) && is_array($eventstolog)) {
459  // Loop on each event type
460  $i = 0;
461  foreach ($eventstolog as $key => $arr) {
462  if ($arr['id']) {
463  $key = 'MAIN_LOGEVENTS_'.$arr['id'];
464  $value = getDolGlobalString($key);
465  if ($value) {
466  if ($i > 0) {
467  $out .= ', ';
468  }
469  $out .= '<span class="opacitymedium">'.$key.'</span>';
470  $i++;
471  }
472  }
473  }
474  print $out;
475 }
476 
477 if (empty($out)) {
478  print img_warning().' '.$langs->trans("NoSecurityEventsAreAduited", $langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Security").' - '.$langs->transnoentities("Audit")).'<br>';
479 }
480 
481 print '<br>';
482 
483 
484 // Modules/Applications
485 
486 print '<br>';
487 print '<br>';
488 print '<br>';
489 print load_fiche_titre($langs->trans("Modules"), '', 'folder');
490 
491 // Module log
492 print '<strong>'.$langs->trans("Syslog").'</strong>: ';
493 $test = isModEnabled('syslog');
494 if (!$test) {
495  print img_picto('', 'tick').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
496 } else {
497  if (getDolGlobalInt('SYSLOG_LEVEL') > LOG_NOTICE) {
498  print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedWithTooHighLogLevel", $langs->transnoentities("Syslog"));
499  } else {
500  print img_picto('', 'tick').' '.$langs->trans("ModuleSyslogActivatedButLevelNotTooVerbose", $langs->transnoentities("Syslog"), getDolGlobalInt('SYSLOG_LEVEL'));
501  }
502  //print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
503 }
504 print '<br>';
505 
506 print '<br>';
507 
508 // Module debugbar
509 print '<strong>'.$langs->trans("DebugBar").'</strong>: ';
510 $test = isModEnabled('debugbar');
511 if (!$test) {
512  print img_picto('', 'tick').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
513 } else {
514  print img_picto('', 'error').' '.$langs->trans("ModuleActivatedDoNotUseInProduction", $langs->transnoentities("DebugBar"));
515  //print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
516 }
517 print '<br>';
518 
519 print '<br>';
520 
521 // Modules for Payments
522 $test = isModEnabled('stripe');
523 if ($test) {
524  print '<strong>'.$langs->trans("Stripe").'</strong>: ';
525  if (!getDolGlobalString('PAYMENT_SECURITY_TOKEN_UNIQUE')) {
526  print img_picto('', 'error').' '.$langs->trans("OptionXShouldBeEnabledInModuleY", $langs->transnoentities("SecurityTokenIsUnique"), $langs->transnoentities("Stripe"));
527  } else {
528  print img_picto('', 'tick').' '.$langs->trans("OptionXIsCorrectlyEnabledInModuleY", $langs->transnoentities("SecurityTokenIsUnique"), $langs->transnoentities("Stripe"));
529  }
530  print '<br>';
531 } else {
532  $test = isModEnabled('paypal');
533  if ($test) {
534  print '<strong>'.$langs->trans("Paypal").'</strong>: ';
535  if (!getDolGlobalString('PAYMENT_SECURITY_TOKEN_UNIQUE')) {
536  print img_picto('', 'error').' '.$langs->trans("OptionXShouldBeEnabledInModuleY", $langs->transnoentities("SecurityTokenIsUnique"), $langs->transnoentities("Paypal"));
537  } else {
538  print img_picto('', 'tick').' '.$langs->trans("OptionXIsCorrectlyEnabledInModuleY", $langs->transnoentities("SecurityTokenIsUnique"), $langs->transnoentities("Paypal"));
539  }
540  print '<br>';
541  }
542 }
543 
544 
545 // APIs
546 
547 print '<br>';
548 print '<br>';
549 print '<br>';
550 print load_fiche_titre($langs->trans("API"), '', 'folder');
551 
552 if (!isModEnabled('api') && !isModEnabled('webservices')) {
553  print $langs->trans("APIsAreNotEnabled");
554 } else {
555  if (isModEnabled('webservices')) {
556  print $langs->trans('YouEnableDeprecatedWSAPIsUseRESTAPIsInstead')."<br>\n";
557  print '<br>';
558  }
559  if (isModEnabled('api')) {
560  print '<strong>API_ENDPOINT_RULES</strong> = '.getDolGlobalString('API_ENDPOINT_RULES', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Example").': login:0,users:0,setup:1,status:1,tickets:1,...)</span>')."<br>\n";
561  print '<br>';
562  }
563 }
564 
565 
566 print '<br><br>';
567 
568 
569 print '<br>';
570 
571 
572 print load_fiche_titre($langs->trans("OtherSetup"), '', 'folder');
573 
574 print '<strong>MAIN_ALLOW_SVG_FILES_AS_IMAGES</strong> = '.getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_IMAGES', '0').' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 0)</span><br>';
575 print '<br>';
576 
577 print '<strong>MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE</strong> = '.getDolGlobalString('MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 1)</span><br>';
578 print '<br>';
579 
580 //print '<strong>'.$langs->trans("PasswordEncryption").'</strong>: ';
581 print '<strong>MAIN_SECURITY_HASH_ALGO</strong> = '.getDolGlobalString('MAIN_SECURITY_HASH_ALGO', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>')." &nbsp; ";
582 if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) {
583  print '<span class="opacitymedium"> &nbsp; &nbsp; If unset: \'md5\'</span>';
584 }
585 if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
586  print '<br><strong>MAIN_SECURITY_SALT</strong> = '.getDolGlobalString('MAIN_SECURITY_SALT', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').'<br>';
587 } else {
588  print '<span class="opacitymedium">('.$langs->trans("Recommended").': password_hash)</span>';
589  print '<br>';
590 }
591 if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
592  print '<div class="info">The recommanded value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.<br>';
593  print 'If you really want to switch, you must:<br>';
594  print '- Go on home - setup - other and add constant MAIN_SECURITY_HASH_ALGO to value \'password_hash\'<br>';
595  print '- In same session, WITHOUT LOGGING OUT, go into your admin user record and set a new password<br>';
596  print '- You can now logout and login with this new password. You must now reset password of all other users.<br>';
597  print '</div><br>';
598 }
599 print '<br>';
600 
601 print '<strong>MAIN_SECURITY_ANTI_SSRF_SERVER_IP</strong> = '.getDolGlobalString('MAIN_SECURITY_ANTI_SSRF_SERVER_IP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span> &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': List of static IPs of server separated with coma - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)</span>')."<br>";
602 print '<br>';
603 
604 print '<strong>MAIN_SECURITY_CSRF_WITH_TOKEN</strong> = '.getDolGlobalString('MAIN_SECURITY_CSRF_WITH_TOKEN', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 2)</span>'."<br>";
605 print '<br>';
606 
607 print '<br>';
608 print '<br>';
609 
610 
611 print load_fiche_titre($langs->trans("OtherSetup").' ('.$langs->trans("Experimental").')', '', 'folder');
612 
613 print '<strong>MAIN_EXEC_USE_POPEN</strong> = ';
614 if (empty($conf->global->MAIN_EXEC_USE_POPEN)) {
615  print '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>';
616 } else {
617  print $conf->global->MAIN_EXEC_USE_POPEN;
618 }
619 if ($execmethod == 1) {
620  print '<span class="opacitymedium"> &nbsp; &nbsp; "exec" PHP method will be used for shell commands';
621  print ' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)';
622  print '</span>';
623 }
624 if ($execmethod == 2) {
625  print '<span class="opacitymedium"> &nbsp; &nbsp; "popen" PHP method will be used for shell commands';
626  print ' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)';
627  print '</span>';
628 }
629 print '<br>';
630 print '<br>';
631 
632 print '<strong>MAIN_SECURITY_MAXFILESIZE_DOWNLOADED</strong> = '.getDolGlobalString('MAIN_SECURITY_MAXFILESIZE_DOWNLOADED', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 100000000)</span>')."<br>";
633 print '<br>';
634 
635 print '<strong>MAIN_RESTRICTHTML_ONLY_VALID_HTML</strong> = '.getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>')."<br>";
636 print '<br>';
637 
638 print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.getDolGlobalString('MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>')."<br>";
639 print '<br>';
640 
641 print '<strong>MAIN_DISALLOW_EXT_URL_INTO_DESCRIPTIONS</strong> = '.getDolGlobalString('MAIN_DISALLOW_EXT_URL_INTO_DESCRIPTIONS', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
642 print '<br>';
643 
644 print '<strong>MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS</strong> = '.getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
645 print '<br>';
646 
647 // MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS
648 
649 print '<strong>MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL</strong> = '.getDolGlobalString('MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
650 print '<br>';
651 
652 print '<strong>MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED</strong> = '.getDolGlobalString('MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
653 print '<br>';
654 
655 $examplecsprule = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
656 print '<strong>MAIN_SECURITY_FORCECSPRO</strong> = '.getDolGlobalString('MAIN_SECURITY_FORCECSPRO', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").': "'.$examplecsprule.'")</span><br>';
657 print '<br>';
658 
659 $examplecsprule = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
660 print '<strong>MAIN_SECURITY_FORCECSP</strong> = '.getDolGlobalString('MAIN_SECURITY_FORCECSP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").': "'.$examplecsprule.'")</span><br>';
661 print '<br>';
662 
663 print '<strong>MAIN_SECURITY_FORCERP</strong> = '.getDolGlobalString('MAIN_SECURITY_FORCERP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"same-origin\" so browser doesn't send any referrer when going into another web site domain)</span><br>";
664 print '<br>';
665 
666 print '<strong>WEBSITE_MAIN_SECURITY_FORCECSPRO</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>');
667 print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; style-src https://cdnjs.cloudflare.com *.googleapis.com; script-src *.transifex.com *.google-analytics.com *.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src * data:;\")</span><br>";
668 print '<br>';
669 
670 print '<strong>WEBSITE_MAIN_SECURITY_FORCECSP</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>');
671 print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; style-src https://cdnjs.cloudflare.com *.googleapis.com; script-src *.transifex.com *.google-analytics.com *.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src * data:;\")</span><br>";
672 print '<br>';
673 
674 print '<strong>WEBSITE_MAIN_SECURITY_FORCERP</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"strict-origin-when-cross-origin\")</span><br>";
675 print '<br>';
676 
677 print '<strong>WEBSITE_MAIN_SECURITY_FORCESTS</strong> = '.getDolGlobalString('>WEBSITE_MAIN_SECURITY_FORCESTS', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"max-age=31536000; includeSubDomains\")</span><br>";
678 print '<br>';
679 
680 print '<strong>WEBSITE_MAIN_SECURITY_FORCEPP</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"camera: (); microphone: ();\")</span><br>";
681 print '<br>';
682 
683 print '<br>';
684 
685 
686 print load_fiche_titre($langs->trans("LimitsAndMitigation"), '', 'folder');
687 
688 print '<span class="opacitymedium">';
689 print $langs->trans("RecommendMitigationOnURL").'<br>';
690 print '</span>';
691 
692 print '<br>';
693 $urlexamplebase = 'https://github.com/Dolibarr/dolibarr/blob/develop/dev/setup/fail2ban/filter.d/';
694 print '- Login or API authentication (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.'web-dolibarr-rulesbruteforce.conf">fail2ban example on GitHub</a>)<br>';
695 print '- '.DOL_URL_ROOT.'/passwordforgotten.php (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.'web-dolibarr-rulespassforgotten.conf">fail2ban example on GitHub</a>)<br>';
696 print '- '.DOL_URL_ROOT.'/public/* (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.'web-dolibarr-limitpublic.conf">fail2ban example on GitHub</a>)<br>';
697 print '<br>';
698 $urlexamplebase = 'https://github.com/Dolibarr/dolibarr/blob/develop/dev/setup/apache/';
699 print '- You can also protect the application using a HTTP Basic authentication layer (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.'virtualhost">apache2 virtualhost example on GitHub</a>)<br>';
700 
701 
702 // End of page
703 llxFooter();
704 $db->close();
yn
yn($yesno, $case=1, $color=0)
Return yes or no in current language.
Definition: functions.lib.php:6824
llxFooter
llxFooter()
Empty footer.
Definition: wrapper.php:70
load_fiche_titre
load_fiche_titre($titre, $morehtmlright='', $picto='generic', $pictoisfullpath=0, $id='', $morecssontable='', $morehtmlcenter='')
Load a title with picto.
Definition: functions.lib.php:5477
GETPOST
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
Definition: functions.lib.php:609
dol_dir_list
dol_dir_list($path, $types="all", $recursive=0, $filter="", $excludefilter=null, $sortcriteria="name", $sortorder=SORT_ASC, $mode=0, $nohook=0, $relativename="", $donotfollowsymlinks=0, $nbsecondsold=0)
Scan a directory and return a list of files/directories.
Definition: files.lib.php:62
img_warning
img_warning($titlealt='default', $moreatt='', $morecss='pictowarning')
Show warning logo.
Definition: functions.lib.php:4784
$form
if($cancel &&! $id) if($action=='add' &&! $cancel) if($action=='delete') if($id) $form
Actions.
Definition: card.php:143
Events
Events class.
Definition: events.class.php:29
img_picto
img_picto($titlealt, $picto, $moreatt='', $pictoisfullpath=false, $srconly=0, $notitle=0, $alt='', $morecss='', $marginleftonlyshort=2)
Show picto whatever it's its name (generic function)
Definition: functions.lib.php:4135
llxHeader
if(!defined('NOREQUIRESOC')) if(!defined('NOREQUIRETRAN')) if(!defined('NOTOKENRENEWAL')) if(!defined('NOREQUIREMENU')) if(!defined('NOREQUIREHTML')) if(!defined('NOREQUIREAJAX')) llxHeader()
Empty header.
Definition: wrapper.php:56
isModEnabled
isModEnabled($module)
Is Dolibarr module enabled.
Definition: functions.lib.php:207
getDolGlobalString
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.
Definition: functions.lib.php:142
Form
Class to manage generation of HTML components Only common components must be here.
Definition: html.form.class.php:53
version_php
version_php()
Return PHP version.
Definition: functions2.lib.php:1891
accessforbidden
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
Definition: security.lib.php:1169
dol_getwebuser
dol_getwebuser($mode)
Return user/group account of web server.
Definition: security2.lib.php:35
getDolGlobalInt
getDolGlobalInt($key, $default=0)
Return dolibarr global constant int value.
Definition: functions.lib.php:156