Since these names are presented to the user, we should mark them for localization.
Basically, at the top of this file, add this:

from django.utils.translation import ugettext_lazy as _


and then here:

name = _("Executable Code Check")


I think we may also want to think about a good user-visible name for this. Maybe Christian has a good idea?

This is a good start, but I think we'll want to have this go through a range of different file extensions (and file types), instead of just checking .php.

In order to be more consistent with python's unit test frameworks, can we capitalize this "setUp"?
In unittest, the setUp and tearDown methods are called by the runner, not by the individual test function. We might want to do that here just to make it fit with prior expectations about this pattern.

And "tearDown" here.

This isn't catching any exceptions, and the open() call is leaking an open file.
For the open file, you can use the file as a context manager:

data = urllib2.urlopen(_get_url(self.directory) + to_download).read()
with self.fss.open(to_download, 'r') as f:
    return data == f.read()


That said, won't the value you get from fss.open(to_download).read() be the same as self.php_file?

Same thing here with localization. Perhaps call this one "Checking ALLOWED_HOSTS setting" ?

It's a little confusing to have "result" and "results" here. Can we name these better?

I think we're going to want a little bit more complexity in the results than just a true/false value.
My instinct here would be to have one of three "results", either pass, fail, or error (if something went wrong during the check), and instructions (or a link to instructions) for how to fix it if it fails.
We'll probably also want the individual checks to have a description field that can explain to the admin what's getting checked.

While I think it would be nice to eventually use entry points for this, for now I think just using a statically defined dict is sufficient.
Something like this would also let you get rid of the (un)register_security_check methods, too (which look unused):
```python

_security_checks = {

    'test_check': TestSecurityCheck,

    'executable_check': ExecutableCodeCheck,

    'hosts_check': AllowedHostsCheck,

}

This probably doesn't need (and shouldn't have) the admin-dashboard ID.

This stuff looks like it was copied from the admin dashboard and can be removed.

Please indent HTML with 1 space.

I don't think you intended to change this file. Please revert it.

No blank space here (both "django" and "djblets" are "third party" with respect to the review board codebase).

Add an extra blank line here.

Remove this blank line.

Remove this blank line.

This is pretty good but I'd like to change the first sentence a bit. How about:
"A misconfiguration in the web server can cause files attached to review requests to be executed."
I'd also change "The types of files being checked" to "The file types being checked".

Can we add one additional piece of metadata here for instructions to fix it?
For this check, we'd want the instructions to link to http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments

This should probably be `settings.MEDIA_URL + 'uploaded/files/'

We should skip saving, tearing down, and the actual tests in the case that the user is using s3 (or another) storage backend.
I'd make setUp and tearDown no-ops if settings.DEFAULT_FILE_STORAGE != 'django.core.files.storage.FileSystemStorage' and have execute() just return success.

This line looks too long (> 80 columns).
There's also some changes I'd like to make to the string. Let's add translation, use the "six" library to convert to a text type (for python 2/3 compatibility) and use string formatting to include the exception:

_('Uncaught exception during test: %s') % six.text_type(e)

This should also use _() and string formatting instead of concatenation.

Remove this blank line.

Once again, we should include instructions for how to fix it (shown when the test fails).
This one would say to edit the settings_local.py file in the site's conf directory and add a line like this with their site's URL:
ALLOWED_HOSTS = ['example.com']

This string should be marked for translation.

This string, too.

Remove this blank line.

These lines are all indented 4 spaces too many.

Add an extra blank line here.

A handful of comments, but the good news is that they're almost entirely stylistic things.
Can we see some screenshots showing success, failure, and a mix?

Should be in alphabetical order (base before storage).

Two blank lines.

These should just default to None.

The camelCase in unittest is a holdover from early days of Python. We shouldn't duplicate it here. Instead, just call this setup.

And teardown.

When you have to escape a single quote, it's best to just use double quotes for the string itself, to avoid the escape.

Can we call this storage instead of fss? It's a more standard variable name for an instance of a Storage class.

Would be better as file_checks.

The strings should all be aligned.

Can you break this into two lines, mimicking the newline?

Parameters should be aligned.

The %s will automatically cast to the string, so no need for six.text_type(e) here.

Just to check for myself, this will fail on the first failed file, right?
How hard would it be to still try every type, and present a list of failed file extensions? That'd prevent the admin from having to make a change, reload the web server, try the checks again, and repeating.

No need for the outer parens here, as it's one line and the comma will ensure it'll be returned as a tuple.

Same here.

Parameters need to align.

Not really worth talking about Django. "That Review Board will consider valid for this server" is probably fine.

Make sure the strings align.

Lots of escaping. Should just use double quotes to solve this.

A quicker way would be:
if '*' in settings.ALLOWED_HOSTS:
    result = False
    ...

Might be worth expanding on this, stating how it'll respond to any host, and how that's unsafe.

No need for these parens.

Mind adding a docstring?

Blank line between these.

Typically, you'd want iteritems(), since it doesn't make a copy of the list of items.
Python 3 renames this to items(), so we're now using this six module to provide abstraction.
So, this should be:
for name, cls in six.iteritems(checks):

The }) should align with all_test_results

Should add a trailing comma.

Two blank lines between things on the top level.

Global variables should be at the top of the file, after the imports. Two blank lines on either side.

"Returns" instead of "Gets"

All one line.

"site_domain_method" should only be indented 4 spaces from protocol =

The widget-* URLs are wrong. This regex should be:
r'^security/$'

The $ prevents security/adfsfsa from matching.

This should be in alphabetical order, so before reviewboard.admin.supports.

Two blank lines.

Should remove this. It'll actually break some server configurations, as many WSGI implementations don't like random things going on stdout.

The })) needs to align with return.

The URLs above based on views.dashboard are done for legacy reasons, but for this one, you should give the URL a name in the urls.py file by doing:
url(r'^security/$', 'security', name='admin-security-checks')

Then, here, you can do:
{% url 'admin-security-checks' %}

You shouldn't need this. This was only for the graphs on the dashboard.

So a word on indentation in templates.
The content of the template, and the template language itself, are indented separately, as there are times that they don't actually match up, and for some file types it would be flat-out wrong.
So, template tags are indented like:
{% block foo %}
{%  if bar %}
{%   for foobar in bar %}
...
{%   endfor %}
{%  endif %}
{% endblock %}

One space indentation within the template tag markup, relative to the parent template tag.
HTML tags should be indented one space relative to their parent tag, and not to the template tag.

Need a {% trans %}.

Things like border=1, style=, etc. don't belong. These should be defined solely in the CSS. It's not good to mix presentation and content in HTML.

No spaces inside a variable. {{check.name}} would be correct.

After discussion we determined it would be better to leave it in camelCase.

Same as above.

This should be localized, and you can use ngettext (included in django.utils.translation) to do the pluralization. It's also ok to use join on a single-element list, in which case it will just return the one element, regardless of joiner.
I'd also like to tweak this text a bit.

error_msg = (
    ngettext(
        'The web server incorrectly executed these file types: %s',
        'The web server incorrectly executed this file type: %s',
        len(failed_exts))
    % ', '.join(failed_exts))

Two blank lines here.

Can you put quotes around the `*?
Also, we've already explained why it's an issue in the desc text, so this probably doesn't need to have the second sentence at all.

base_site.html already defines this block to be colM, so you shouldn't need this.

I don't think these are necessary, either.

This should include {{block.super}} as the first line of the block.

We shouldn't have any inline styles, only classes and IDs (all styles here should all be in the admin.less file).
Having the error message be a single-element <ul> is pretty weird. Can we just make it a text span?
I'd also like to consider not doing this as a table with borders, but instead spacing it out with whitespace and headings. That said, changing the look is lower priority than the other fixes.

What is this here for?

The code looks pretty good to me (aside from the CSS and layout changes, which we talked about). It looks like your review request description somehow got overwritten with a description of the changes in diff r4. Can you change the description on the review request to be a description of what the feature is and an overview of what code changes were done to implement it?

I've gone through and updated the style and layout of the checklist page a bit to make it less boxy and more readable. I'll push this to master once 2.0 beta 2 is out.