From a28a1e6e6b14c5965f6730305befd847456f3f40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Sun, 21 Apr 2024 04:09:58 +0200
Subject: [PATCH] Add phpinfo() to dangerous calls config

See https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it (or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit in Czech) for reasons why, and use https://github.com/spaze/phpinfo instead of just calling phpinfo().
---
 disallowed-dangerous-calls.neon | 4 ++++
 tests/Configs/DangerousConfigFunctionCallsTest.php | 1 +
 tests/src/configs/dangerousCalls.php | 1 +
 3 files changed, 6 insertions(+)

diff --git a/disallowed-dangerous-calls.neon b/disallowed-dangerous-calls.neon
index 12c7e34..4f53d0f 100644
--- a/disallowed-dangerous-calls.neon
+++ b/disallowed-dangerous-calls.neon
@@ -58,3 +58,7 @@ parameters:
 message: 'use some logger instead'
 allowParamsAnywhere:
 2: true
+-
+function: 'phpinfo()'
+message: 'might reveal session id or other tokens in cookies'
+errorTip: 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'
diff --git a/tests/Configs/DangerousConfigFunctionCallsTest.php b/tests/Configs/DangerousConfigFunctionCallsTest.php
index 2c0cf0a..86773e3 100644
--- a/tests/Configs/DangerousConfigFunctionCallsTest.php
+++ b/tests/Configs/DangerousConfigFunctionCallsTest.php
@@ -40,6 +40,7 @@ public function testRule(): void
 ['Calling var_dump() is forbidden, use some logger instead.', 22],
 ['Calling var_export() is forbidden, use some logger instead.', 23],
 ['Calling var_export() is forbidden, use some logger instead.', 25],
+['Calling phpinfo() is forbidden, might reveal session id or other tokens in cookies.', 26, 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'],
 ]);
 }
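Review bot: The new `message` for the phpinfo() entry in disallowed-dangerous-calls.neon justifies the rule only by session IDs and cookie tokens, but phpinfo() by design also dumps the server configuration, loaded extensions, and the process environment and `$_SERVER` contents, which in container and CI deployments frequently hold database passwords and API keys, so a developer whose app does not use cookie sessions may read the message as not applying to them. A broader reason such as `message: 'reveals server configuration, environment variables and cookies, including session id or other tokens'` keeps the rule from being waved through in such cases. Because the expected message in tests/Configs/DangerousConfigFunctionCallsTest.php in the following hunk asserts the exact text and errorTip, any rewording of the config entry must be mirrored there, and that test is the only thing keeping the two strings from drifting apart. The full-file listing in tests/src/configs/dangerousCalls.php needs no change beyond the added `phpinfo();` line, since the rule is matched statically and the fixture is never executed.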
diff --git a/tests/src/configs/dangerousCalls.php b/tests/src/configs/dangerousCalls.php
index 771508e..7167318 100644
--- a/tests/src/configs/dangerousCalls.php
+++ b/tests/src/configs/dangerousCalls.php
@@ -23,3 +23,4 @@
 var_export([]);
 var_export([1], true);
 var_export([2], false);
+phpinfo();