rspec/rules/S3337/php/rule.adoc

The `enable_dl` PHP configuration setting allows PHP extensions to be loaded
dynamically at runtime.

== Why is this an issue?

When dynamic loading is enabled, PHP code can load arbitrary PHP extensions by
calling the `dl` function. This can be used to bypass restrictions set with
the `open_basedir` configuration.

PHP defaults to allowing dynamic loading.

== How to fix it

``++enable_dl++`` setting should be set to ``0`` in the main PHP configuration.

=== Code examples

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
; php.ini
enable_dl=1  ; Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
; php.ini
enable_dl=0
----

== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Explicitly set "enable_dl" to false.
* Update this "enable_dl" configuration to turn it off.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 07:12:09 Linda Martin wrote:
\[~ann.campbell.2] I would have the same remark than for: RSPEC-3338, suggesting the addition of a compliant solution code snippet. WDYT ?

Also what would you think about a ``++php-ini++`` tag ?

=== on 1 Sep 2015, 13:56:25 Ann Campbell wrote:
compliant solution added and tag added to all relevant rules [~linda.martin]

=== on 1 Sep 2015, 14:41:12 Linda Martin wrote:
\[~ann.campbell.2] nice! thank you! LGTM.

endif::env-github,rspecator-view[]