ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2092/php/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

118 lines
4.4 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
In _php.ini_ you can specify the flags for the session cookie which is security-sensitive:
----
session.cookie_secure = 0; // Sensitive: this security-sensitive session cookie is created with the secure flag set to false (cookie_secure = 0)
----
Same thing in PHP code:
----
session_set_cookie_params($lifetime, $path, $domain, false);
// Sensitive: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_
----
If you create a custom security-sensitive cookie in your PHP code:
----
$value = "sensitive data";
setcookie($name, $value, $expire, $path, $domain, false); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) set to _false_
----
By default https://www.php.net/manual/en/function.setcookie.php[``++setcookie++``] and https://www.php.net/manual/en/function.setrawcookie.php[``++setrawcookie++``] functions set the sixth argument / ``++secure++`` flag to _false:_
----
$value = "sensitive data";
setcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
setrawcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
----
== Compliant Solution
[source,php]
----
session.cookie_secure = 1; // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to cookie_secure property set to 1
----
[source,php]
----
session_set_cookie_params($lifetime, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the fouth argument) set to true
----
[source,php]
----
$value = "sensitive data";
setcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
setrawcookie($name, $value, $expire, $path, $domain, true);// Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
php.ini file: Make sure creating the session cookie without the "secure" flag is safe here.
php files: Make sure creating this cookie without the "secure" flag is safe here.
'''
== Comments And Links
(visible only on this page)
=== on 18 Oct 2016, 16:30:44 Pierre-Yves Nicolas wrote:
By default, cookies are not secured. It seems that there are several ways to have an impact on that behavior:
* through a php.ini configuration: http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure[session.cookie_secure]
* by changing the configuration inside PHP code with http://php.net/manual/en/function.session-set-cookie-params.php[session_set_cookie_params]
* when creating a cookie in PHP code: http://php.net/manual/en/function.setcookie.php[setcookie ]
=== on 18 Oct 2016, 16:51:47 Pierre-Yves Nicolas wrote:
\[~ann.campbell.2] Could you please review this PHP subtask?
=== on 18 Oct 2016, 20:04:28 Ann Campbell wrote:
Looks fine [~pierre-yves.nicolas], but wouldn't a variable named $cookie_security be clearer & allow shorter comments?
=== on 20 Oct 2016, 17:18:59 Pierre-Yves Nicolas wrote:
Sorry [~ann.campbell.2], I don't see how that variable would be used.
=== on 20 Oct 2016, 18:44:23 Ann Campbell wrote:
\[~pierre-yves.nicolas] like so:
----
; php.ini
session.cookie_secure = 0 ; Noncompliant
$session_cookie_secure = false;
// in PHP code
session_set_cookie_params($lifetime, $path, $domain, $session_cookie_secure); // Noncompliant
setcookie ($name, $value, $expire, $path, $domain, $session_cookie_secure); // Noncompliant
----
I'm trying to make the code itself more self-explanatory
=== on 21 Oct 2016, 08:19:40 Pierre-Yves Nicolas wrote:
I now understand [~ann.campbell.2]. Of course, it's harder to implement, and requires symbolic execution for the most general case.
=== on 21 Oct 2016, 13:23:09 Ann Campbell wrote:
Ah. And now _I_ understand.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink