Add phpinfo() to dangerous calls config (#255)
See
- https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
- or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)

for reasons why (`phpinfo()` echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing the `HttpOnly` cookie flag), and use https://github.com/spaze/phpinfo instead of just calling `phpinfo()`.
spaze authored Apr 21, 2024
2 parents bcd693f + a28a1e6 commit 6d5ce7e
Showing 3 changed files with 6 additions and 0 deletions.
4 changes: 4 additions & 0 deletions disallowed-dangerous-calls.neon
Expand Up @@ -58,3 +58,7 @@ parameters:
message: 'use some logger instead'
allowParamsAnywhere:
2: true
-
function: 'phpinfo()'
message: 'might reveal session id or other tokens in cookies'
errorTip: 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'
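Review bot: the new `message` value reads as a sentence fragment once the rule renders it, because the reported text becomes `Calling phpinfo() is forbidden, might reveal session id or other tokens in cookies.` (see the expectation added in tests/Configs/DangerousConfigFunctionCallsTest.php); consider `message: 'it might reveal the session ID or other tokens in cookies'` so the clause has a subject, and update the matching test string in the same change. The `errorTip` pointing at the article and at spaze/phpinfo is a good addition, since it tells the developer what to use instead rather than only what is forbidden.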
1 change: 1 addition & 0 deletions tests/Configs/DangerousConfigFunctionCallsTest.php
Expand Up @@ -40,6 +40,7 @@ public function testRule(): void
['Calling var_dump() is forbidden, use some logger instead.', 22],
['Calling var_export() is forbidden, use some logger instead.', 23],
['Calling var_export() is forbidden, use some logger instead.', 25],
['Calling phpinfo() is forbidden, might reveal session id or other tokens in cookies.', 26, 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'],
]);
}

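Review bot: the new expectation covers only the bare `phpinfo()` call at fixture line 26, whereas var_export() is asserted both without and with arguments (lines 23 and 25); since the config entry defines no `allowParams*` exception for phpinfo(), a second fixture line such as `phpinfo(INFO_ALL);` with a matching expectation would confirm the call is reported regardless of its argument. The long errorTip string is duplicated verbatim from disallowed-dangerous-calls.neon, which is fine for an exact-match test but means both places must be kept in sync.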
1 change: 1 addition & 0 deletions tests/src/configs/dangerousCalls.php
Expand Up @@ -23,3 +23,4 @@
var_export([]);
var_export([1], true);
var_export([2], false);
phpinfo();

0 comments on commit 6d5ce7e