43 lines
1.7 KiB
Plaintext
43 lines
1.7 KiB
Plaintext
The ``++open_basedir++`` configuration in _php.ini_ limits the files the script can access using, for example, ``++include++`` and ``++fopen()++``. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path.
|
|
|
|
|
|
``++open_basedir++`` should be configured with a directory, which will then be accessible recursively. However, the use of ``++.++`` (current directory) as an ``++open_basedir++`` value should be avoided since it's resolved dynamically during script execution, so a ``++chdir('/')++`` command could lay the whole server open to the script.
|
|
|
|
|
|
This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when ``++open_basedir++`` is not present in _php.ini_, and when ``++open_basedir++`` contains root, or the current directory (``++.++``) symbol.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
; php.ini try 1
|
|
; open_basedir="${USER}/scripts/data" Noncompliant; commented out
|
|
|
|
; php.ini try 2
|
|
open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
; php.ini try 1
|
|
open_basedir="${USER}/scripts/data"
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
* https://cwe.mitre.org/data/definitions/23.html[MITRE, CWE-23] - Relative Path Traversal
|
|
* https://cwe.mitre.org/data/definitions/36.html[MITRE, CWE-36] - Absolute Path Traversal
|
|
|
|
|
|
|
|
ifdef::rspecator-view[]
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::rspecator-view[]
|