== Why is this an issue? The ``++open_basedir++`` configuration in _php.ini_ limits the files the script can access using, for example, ``++include++`` and ``++fopen()++``. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path. ``++open_basedir++`` should be configured with a directory, which will then be accessible recursively. However, the use of ``++.++`` (current directory) as an ``++open_basedir++`` value should be avoided since it's resolved dynamically during script execution, so a ``++chdir('/')++`` command could lay the whole server open to the script. This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when ``++open_basedir++`` is not present in _php.ini_, and when ``++open_basedir++`` contains root, or the current directory (``++.++``) symbol. === Noncompliant code example [source,php] ---- ; php.ini try 1 ; open_basedir="${USER}/scripts/data" Noncompliant; commented out ; php.ini try 2 open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list ---- === Compliant solution [source,php] ---- ; php.ini try 1 open_basedir="${USER}/scripts/data" ---- == Resources * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration * https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration * https://cwe.mitre.org/data/definitions/23[MITRE, CWE-23] - Relative Path Traversal * https://cwe.mitre.org/data/definitions/36[MITRE, CWE-36] - Absolute Path Traversal ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Set "open_basedir". * Limit "open_basedir" to a narrower path than "xxx". ''' == Comments And Links (visible only on this page) === on 1 Sep 2015, 07:55:30 Linda Martin wrote: @Ann actually I just realised that comment in the php.ini file are defined as the following: "any text on a line after an unquoted semicolon (; ) is ignored" from documentation: see \http://php.net/manual/en/configuration.file.php. So shall we update the code snippet or not (for readability)? Otherwise LGTM! === on 1 Sep 2015, 13:08:23 Ann Campbell wrote: Absolutely [~linda.martin]! Please always correct my syntax. :-] I've made an update just now. Double-check it? === on 12 Nov 2015, 17:45:03 Linda Martin wrote: \[~ann.campbell.2] Thanks, I update the remaining comments. endif::env-github,rspecator-view[]