rspec/rules/S3337/php/rule.adoc

== Why is this an issue?

``++enable_dl++`` is on by default and allows ``++open_basedir++`` restrictions, which limit the files a script can access, to be ignored. For that reason, it's a dangerous option and should be explicitly turned off.


This rule raises an issue when ``++enable_dl++`` is not explicitly set to 0 in _php.ini_.


=== Noncompliant code example

[source,php]
----
; php.ini
enable_dl=1  ; Noncompliant
----


=== Compliant solution

[source,php]
----
; php.ini
enable_dl=0
----


== Resources

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/23[MITRE, CWE-23] - Relative Path Traversal
* https://cwe.mitre.org/data/definitions/36[MITRE, CWE-36] - Absolute Path Traversal



ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Explicitly set "enable_dl" to false.
* Update this "enable_dl" configuration to turn it off.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 07:12:09 Linda Martin wrote:
\[~ann.campbell.2] I would have the same remark than for: RSPEC-3338, suggesting the addition of a compliant solution code snippet. WDYT ?

Also what would you think about a ``++php-ini++`` tag ?

=== on 1 Sep 2015, 13:56:25 Ann Campbell wrote:
compliant solution added and tag added to all relevant rules [~linda.martin]

=== on 1 Sep 2015, 14:41:12 Linda Martin wrote:
\[~ann.campbell.2] nice! thank you! LGTM.

endif::env-github,rspecator-view[]