49 lines
1.6 KiB
Plaintext
49 lines
1.6 KiB
Plaintext
``++allow_url_fopen++`` and ``++allow_url_include++`` allow code to be read into a script from URL's. The ability to suck in executable code from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. Even if your input filtering is perfect today, are you prepared to bet your site that it will always be perfect in the future?
|
|
|
|
|
|
This rule raises an issue when either property is explicitly enabled in _php.ini_ and when ``++allow_url_fopen++``, which defaults to enabled, is not explicitly disabled.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,php]
|
|
----
|
|
; php.ini Noncompliant; allow_url_fopen not explicitly disabled
|
|
allow_url_include=1 ; Noncompliant
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
[source,php]
|
|
----
|
|
; php.ini
|
|
allow_url_fopen=0
|
|
allow_url_include=0
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
|
|
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
|
|
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
|
|
* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
|
|
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|