
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
76 lines
2.7 KiB
Plaintext
== Why is this an issue?
The ``++open_basedir++`` configuration in _php.ini_ limits the files the script can access using, for example, ``++include++`` and ``++fopen()++``. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path.

``++open_basedir++`` should be configured with one or more directories, each of which is then accessible recursively. Two details matter. First, each entry is matched as a path prefix, not as a directory name: ``++/dir/incl++`` also allows ``++/dir/include++``, so end every entry with a slash (``++/dir/incl/++``) to restrict access to that directory alone. Second, the use of ``++.++`` (current directory) as an ``++open_basedir++`` value should be avoided: it is resolved dynamically during script execution, so a ``++chdir('/')++`` call could lay the whole server open to the script.

This is not a fool-proof configuration: it can be overridden per virtual host or per directory in the web-server configuration, and a script can tighten it (but, since PHP 5.3, not widen it) with ``++ini_set()++``. Its use should nevertheless be seen as a minimum due-diligence step. This rule raises an issue when ``++open_basedir++`` is not present in _php.ini_, and when ``++open_basedir++`` contains the root directory or the current-directory symbol (``++.++``).
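
As an added example (not SonarSource's rule implementation and not code from this page), the following Python script audits the ``++open_basedir++`` line of a php.ini file for the conditions just described: directive missing or commented out, root directory in the list, and ``++.++`` in the list. It also warns when an entry lacks a trailing separator, because ``++open_basedir++`` matches path prefixes. It strips php.ini comments the way the manual describes (an unquoted semicolon starts a comment), accepts both the Unix ``++:++`` and Windows ``++;++`` list separators, and runs over a few constructed php.ini fragments embedded at the bottom of the script; the path names in those fragments are made up for illustration.

```python
"""Audit the open_basedir directive of a php.ini file.

Added example, not SonarSource's rule implementation: it applies the rule's
conditions (directive absent or commented out, list contains the root
directory, list contains ".") and adds one warning for the prefix semantics
of open_basedir. The ini fragments at the bottom are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    level: str    # "error" for the rule's conditions, "warning" for the prefix caveat
    message: str


def strip_comment(line: str) -> str:
    """Drop everything from the first unquoted ';' (php.ini comment syntax)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_open_basedir(ini_text: str) -> Optional[str]:
    """Return the value of the last active open_basedir line, or None if unset.

    A leading ';' makes the whole line a comment, so a commented-out directive
    is the same as a missing one. Surrounding double quotes are removed.
    """
    value = None
    for raw in ini_text.splitlines():
        line = strip_comment(raw).strip()
        match = re.match(r"^open_basedir\s*=\s*(.*)$", line)
        if match:
            value = match.group(1).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
    return value


def split_paths(value: str) -> List[str]:
    """Split the list on PATH_SEPARATOR: ';' on Windows, ':' elsewhere.

    A Windows drive letter also contains ':', so a value with no ';' that
    starts with a drive letter is treated as a single path.
    """
    if ";" in value:
        parts = value.split(";")
    elif re.match(r"^[A-Za-z]:[\\/]", value):
        parts = [value]
    else:
        parts = value.split(":")
    return [p.strip() for p in parts if p.strip()]


def is_root(path: str) -> bool:
    """'/' or a bare drive root such as 'C:\\' lays the whole filesystem open."""
    return path == "/" or re.fullmatch(r"[A-Za-z]:[\\/]?", path) is not None


def audit(ini_text: str) -> List[Finding]:
    """Return the findings for the open_basedir directive in ini_text."""
    value = parse_open_basedir(ini_text)
    if value is None or value == "":
        # Absent, commented out or empty: no restriction at all.
        return [Finding("error", 'Set "open_basedir".')]
    findings = []
    for path in split_paths(value):
        if is_root(path):
            findings.append(Finding("error", 'Limit "open_basedir" to a narrower path than "%s".' % path))
        elif path == ".":
            findings.append(Finding("error", '"." is resolved at run time, so chdir("/") would open the whole server.'))
        elif not path.endswith(("/", "\\")):
            # open_basedir matches prefixes: "/dir/incl" also allows "/dir/include".
            findings.append(Finding("warning", 'Append a separator to "%s"; without it the value is a prefix, not a directory.' % path))
    return findings


# Constructed php.ini fragments (illustrative paths) used to exercise the checker.
SAMPLE_COMMENTED = '; open_basedir = "/var/www/app/"\nmemory_limit = 128M\n'
SAMPLE_ROOT = 'open_basedir = "/:/var/www/app/" ; root directory in the list\n'
SAMPLE_DOT = 'open_basedir = ".:/tmp/"\n'
SAMPLE_PREFIX = 'open_basedir = /var/www/app\n'
SAMPLE_OK = 'open_basedir = "/var/www/app/:/tmp/"\n'
SAMPLE_WINDOWS = 'open_basedir = "C:\\inetpub\\wwwroot\\;C:\\Windows\\Temp\\"\n'

if __name__ == "__main__":
    for name, text in [("commented", SAMPLE_COMMENTED), ("root", SAMPLE_ROOT),
                       ("dot", SAMPLE_DOT), ("prefix", SAMPLE_PREFIX),
                       ("ok", SAMPLE_OK), ("windows", SAMPLE_WINDOWS)]:
        print(name, [(f.level, f.message) for f in audit(text)] or "compliant")
```

The two "error" messages mirror the rule's own message texts; the "warning" is the extra prefix check and is not something the rule itself reports. Run the script directly to see each constructed fragment classified, or call ``++audit()++`` on the text of a real _php.ini_.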
=== Noncompliant code example

[source,ini]
----
; php.ini try 1
; open_basedir="${USER}/scripts/data" Noncompliant; commented out

; php.ini try 2
open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list
----
=== Compliant solution

[source,ini]
----
; php.ini try 1
open_basedir="${USER}/scripts/data"
----
== Resources

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/23[MITRE, CWE-23] - Relative Path Traversal
* https://cwe.mitre.org/data/definitions/36[MITRE, CWE-36] - Absolute Path Traversal

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Set "open_basedir".
* Limit "open_basedir" to a narrower path than "xxx".

'''

== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 07:55:30 Linda Martin wrote:
@Ann actually I just realised that comments in the php.ini file are defined as the following: "any text on a line after an unquoted semicolon (; ) is ignored" from documentation: see \http://php.net/manual/en/configuration.file.php.

So shall we update the code snippet or not (for readability)?

Otherwise LGTM!

=== on 1 Sep 2015, 13:08:23 Ann Campbell wrote:
Absolutely [~linda.martin]! Please always correct my syntax. :-]

I've made an update just now. Double-check it?

=== on 12 Nov 2015, 17:45:03 Linda Martin wrote:
\[~ann.campbell.2] Thanks, I updated the remaining comments.

endif::env-github,rspecator-view[]
|