The ``++open_basedir++`` configuration in _php.ini_ limits the files the script can access using, for example, ``++include++`` and ``++fopen()++``. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path. ``++open_basedir++`` should be configured with a directory, which will then be accessible recursively. However, the use of ``++.++`` (current directory) as an ``++open_basedir++`` value should be avoided since it's resolved dynamically during script execution, so a ``++chdir('/')++`` command could lay the whole server open to the script. This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when ``++open_basedir++`` is not present in _php.ini_, and when ``++open_basedir++`` contains root, or the current directory (``++.++``) symbol. == Noncompliant Code Example [source,php] ---- ; php.ini try 1 ; open_basedir="${USER}/scripts/data" Noncompliant; commented out ; php.ini try 2 open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list ---- == Compliant Solution [source,php] ---- ; php.ini try 1 open_basedir="${USER}/scripts/data" ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration * https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration * https://cwe.mitre.org/data/definitions/23[MITRE, CWE-23] - Relative Path Traversal * https://cwe.mitre.org/data/definitions/36[MITRE, CWE-36] - Absolute Path Traversal ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]