From d4853888afa86aa836d2b840574c55ded3c652be Mon Sep 17 00:00:00 2001
From: Hugo do Carmo
Date: Fri, 13 Oct 2017 20:44:42 -0300
Subject: [PATCH] Fix false positive in soap.wsdl_cache_dir test
- We're now testing if the string is exactly '/tmp' instead of checking if there's any '/tmp' in it;
---
 src/Psecio/Iniscan/Rule/CheckSoapWsdlCacheDir.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Psecio/Iniscan/Rule/CheckSoapWsdlCacheDir.php b/src/Psecio/Iniscan/Rule/CheckSoapWsdlCacheDir.php
index 8f869f1..f551079 100644
--- a/src/Psecio/Iniscan/Rule/CheckSoapWsdlCacheDir.php
+++ b/src/Psecio/Iniscan/Rule/CheckSoapWsdlCacheDir.php
@@ -49,7 +49,7 @@ public function evaluate(array $ini)
 return false;
 }
-if (strpos($wsdlCacheDir, '/tmp') !== false)
+if (preg_match('/\/tmp$/', $wsdlCacheDir))
 {
 $this->setDescription('The SOAP WSDL cache directory is inside of "/tmp/" which allows local users to conduct WSDL injection attacks (CVE-2013-6501)');
 $this->fail();
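Review bot: The anchored regex `/\/tmp$/` on the added line now misses the cases this rule exists for: a `soap.wsdl_cache_dir` of `/tmp/` (trailing slash) or any subdirectory such as `/tmp/wsdl` is still inside the world-writable directory named in the CVE-2013-6501 description, yet no longer fails the check, so the false positive has been traded for false negatives. The commit message says the value must be "exactly '/tmp'", but the pattern matches any path ending in `/tmp` (e.g. `/var/tmp`), which is reasonable to flag but not what is described. A prefix test on a normalised path covers both concerns: `$dir = rtrim($wsdlCacheDir, '/');` followed by `if ($dir === '/tmp' || strpos($dir, '/tmp/') === 0)`, which still rejects the original false positive `/home/user/tmpdata`. A unit test with `/tmp`, `/tmp/`, `/tmp/wsdl` (should fail) and `/home/user/tmpdata` (should pass) would pin this down. `evaluate()` begins and ends outside the hunk.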