Rules for session.bug_compat_42, session.bug_compat_warn and session.hash_function

src/Psecio/Iniscan/Rule/CheckSessionEntropyPath.php

@@ -17,7 +17,8 @@ public function __construct($config, $section)
 
 	public function evaluate(array $ini)
 	{
-		$entropyFile = $this->findValue('session.entropy_file', $ini);
+		// Resolve our entropy file
+		$entropyFile = realpath($this->findValue('session.entropy_file', $ini));
 
 		// If the version is less than 5.4.0
 		if (version_compare($this->getVersion(), '5.4.0', '<') === true) {

src/Psecio/Iniscan/Rule/CheckSessionHashFunction.php

@@ -0,0 +1,59 @@
+<?php
+namespace Psecio\Iniscan\Rule;
+
+/**
+ * Custom operation - Checks to see if the bug compatability for PHP between 4.3.0 and 5.4.0
+ * are specifically disabled (default is enabled, so they must have an entry set to 0)
+ *
+ * http://www.php.net/manual/en/session.configuration.php#ini.session.bug-compat-42
+ */
+class CheckSessionHashFunction extends \Psecio\Iniscan\Rule
+{
+	public function __construct($config, $section)
+	{
+		parent::__construct($config, $section);
+		$this->setTest(array('key' => 'session.hash_function'));
+	}
+
+	/**
+	 * Perform the evaluation of the rule
+	 *
+	 * @param array $ini Configuration settings (from php.ini)
+	 * @return boolean Pass/fail of evaluation
+	 */
+	public function evaluate(array $ini)
+	{
+		$hashFunction = $this->findValue('session.hash_function', $ini);
+
+		// Get a list of available hashing algorithms on this machine
+		$availableHashes = array_unique(hash_algos());
+
+		// Filter out the unwanted hashing algorithms
+		// http://en.wikipedia.org/wiki/Category:Broken_hash_functions
+		$brokenHashes = array(
+			'md2',
+			'md4',
+			'md5',
+			'sha1',
+			'gost',
+			'snefru'
+		);
+
+		$safeHashes = array_diff($availableHashes, $brokenHashes);
+
+		if (empty($safeHashes)) {
+			$this->setDescription('No strong hashing algorithms available.');
+			$this->fail();
+			return false;
+		}
+
+		if (!$hashFunction || $this->castValue($hashFunction) === 1 || !in_array($hashFunction, $safeHashes)) {
+			$this->setDescription('Weak hashing algorithms in use. Rather use one of these: ' . implode(', ', $safeHashes));
+			$this->fail();
+			return false;
+		}
+
+        $this->pass();
+		return true;
+	}
+}

src/Psecio/Iniscan/Scan.php

@@ -232,15 +232,12 @@ public function isDeprecated($key, $section, $phpVersion = PHP_VERSION)
 		$ini = $this->getConfig();
 
 		// loop through the versions and see if our key is in there
-		foreach ($deprecated as $index => $value) {
-			if ($index === $key) {
-				$compare = version_compare($phpVersion, $value);
-				if ($compare >= 0) {
-					if (isset($ini[$section][$key])) {
-						$this->markKey($key);
-					}
-					return true;
-				}
+		if (property_exists($deprecated, $key))
+		{
+			$compare = version_compare($phpVersion, $deprecated->$key);
+			if ($compare >= 0 && isset($ini[$key])) {
+				$this->markKey($key);
+				return true;
 			}
 		}
 		return false;

src/Psecio/Iniscan/rules.json

@@ -44,6 +44,34 @@
 							"version": "5.2.0"
 						}
 					},
+					{
+						"name": "Ensure bug compatability is disabled",
+						"description": "An undocumented feature/bug that allows initialize of a session in the global scope even if register_globals is disabled for PHP up to 5.3.22",
+						"level": "ERROR",
+						"test": {
+							"key": "session.bug_compat_42",
+							"operation": "equals",
+							"value": "0",
+							"version": "4.3.0"
+						}
+					},
+					{
+						"name": "Ensure bug compatability warning is disabled",
+						"description": "Disable warnings for session.bug_compat_42",
+						"level": "WARNING",
+						"test": {
+							"key": "session.bug_compat_warn",
+							"operation": "equals",
+							"value": "0",
+							"version": "4.3.0"
+						}
+					},
+					{
+						"name": "Recommend session hashing functions",
+						"description": "Check against a list of recommended session hashing functions",
+						"level": "WARNING",
+						"test": "CheckSessionHashFunction"
+					},
 					{
 						"name": "Session save path not set or world writeable",
 						"description": "Session save path should be set and writeable by only the web user",
@@ -338,7 +366,9 @@
 				"magic_quotes_gpc": "5.4.0",
 				"safe_mode": "5.4.0",
 				"magic_quotes_runtime": "5.4.0",
-				"register_long_arrays": "5.3.0"
+				"register_long_arrays": "5.3.0",
+				"session.bug_compat_42": "5.4.0",
+				"session.bug_compat_warn": "5.4.0"
 			}
 		}
 	]

tests/Psecio/Iniscan/Rule/CheckSessionHashFunctionTest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Psecio\Iniscan\Rule;
+
+class CheckSessionHashFunctionTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * Test that a hashing function is rejected if we specify one of the
+     * broken hashing functions
+     *
+     * @covers \Psecio\Iniscan\Rule\CheckSessionHashFunction::evaluate
+     */
+    public function testCheckSessionHashFunctionFail()
+    {
+        $config = array();
+        $section = 'Session';
+        $rule = new CheckSessionHashFunction($config, $section);
+
+        $ini = array('session.hash_function' => '0');
+        $result = $rule->evaluate($ini);
+        $this->assertFalse($result);
+
+        $ini = array('session.hash_function' => '1');
+        $result = $rule->evaluate($ini);
+        $this->assertFalse($result);
+
+        $ini = array('session.hash_function' => 'md5');
+        $result = $rule->evaluate($ini);
+        $this->assertFalse($result);
+    }
+
+    /**
+     * Test that a hashing function is accepted if we specify one of the
+     * robust hashing functions
+     *
+     * @covers \Psecio\Iniscan\Rule\CheckSessionHashFunction::evaluate
+     */
+    public function testCheckSessionHashFunction()
+    {
+        $config = array();
+        $section = 'PHP';
+        $rule = new CheckSessionHashFunction($config, $section);
+
+        // Get a list of available hashing algorithms on this machine
+        $availableHashes = array_unique(hash_algos());
+
+        // Filter out the unwanted hashing algorithms
+        // http://en.wikipedia.org/wiki/Category:Broken_hash_functions
+        $brokenHashes = array(
+            'md2',
+            'md4',
+            'md5',
+            'sha1',
+            'gost',
+            'snefru'
+        );
+        // Grab the first available hash on this machine
+        $safeHashes = array_diff($availableHashes, $brokenHashes);
+
+        if (empty($safeHashes))
+        {
+            // Can't really test then since this machine doesn't have
+            // certain algorithms.
+            return true;
+        }
+
+        $ini = array('session.hash_function' => current($safeHashes));
+        $result = $rule->evaluate($ini);
+        $this->assertTrue($result);
+    }
+}