ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3333/php/rule.adoc
pedro-oliveira-sonarsource 082b3ef269
Modify: Fix old/broken embedded links (#1100)
2022-07-08 13:58:56 +02:00

55 lines
2.1 KiB
Plaintext
Raw Blame History

The ``++open_basedir++`` configuration in _php.ini_ limits the files the script can access using, for example, ``++include++`` and ``++fopen()++``. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path.
``++open_basedir++`` should be configured with a directory, which will then be accessible recursively. However, the use of ``++.++`` (current directory) as an ``++open_basedir++`` value should be avoided since it's resolved dynamically during script execution, so a ``++chdir('/')++`` command could lay the whole server open to the script.
This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when ``++open_basedir++`` is not present in _php.ini_, and when ``++open_basedir++`` contains root, or the current directory (``++.++``) symbol.
== Noncompliant Code Example
[source,php]
----
; php.ini try 1
; open_basedir="${USER}/scripts/data" Noncompliant; commented out
; php.ini try 2
open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list
----
== Compliant Solution
[source,php]
----
; php.ini try 1
open_basedir="${USER}/scripts/data"
----
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/23[MITRE, CWE-23] - Relative Path Traversal
* https://cwe.mitre.org/data/definitions/36[MITRE, CWE-36] - Absolute Path Traversal
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink