61 lines
1.6 KiB
Plaintext
61 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
``++file_uploads++`` is an on-by-default PHP configuration that allows files to be uploaded to your site. Since accepting [.line-through]#candy# files from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.
|
|
|
|
|
|
This rule raises an issue when ``++file_uploads++`` is not explicitly disabled.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,php]
|
|
----
|
|
; php.ini
|
|
file_uploads=1 ; Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,php]
|
|
----
|
|
; php.ini
|
|
file_uploads=0
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
|
|
* CWE - https://cwe.mitre.org/data/definitions/434[CWE-434 - Unrestricted Upload of File with Dangerous Type]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Explicitly disable "file_uploads".
|
|
* Update this configuration to disable "file_uploads".
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 1 Sep 2015, 06:41:40 Linda Martin wrote:
|
|
\[~ann.campbell.2] from the sentence "This rule raises an issue when file_uploads *is not explicitly disabled.*" I understand taht the rule it will not raise any issue if and only if the following line is present in the file: "file_uploads=*0*" is correct ?
|
|
|
|
I yes, maybe a compliant code snippet could be aded, WDYT ?
|
|
|
|
=== on 1 Sep 2015, 13:51:36 Ann Campbell wrote:
|
|
Of course you're right [~linda.martin]. Done.
|
|
|
|
=== on 1 Sep 2015, 14:44:55 Linda Martin wrote:
|
|
\[~ann.campbell.2] thanks ou! LGTM!
|
|
|
|
endif::env-github,rspecator-view[]
|