Comments (9)
The bug is here:
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/Rule.php#L369
Instead of $test->value which returns
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/rules.json#L148
should be $ini[$test->key] are set.
from iniscan.
Hmm, interesting - I'll have to look into this one further to see what's happening here. There's "casting" functionality in the Psecio\Iniscan\Cast
class that tries to normalize out the 1/0/Off/On/etc values to the same result but maybe there's something getting lost in the shuffle there with some of the PHP 7 updates.
I encountered the same thing. +1 for fixing it.
@enygma The cast is correct. It seems more an error with the "current value" column.
See my example for "allow_url_fopen".
Current value shows "0" but is definitely 1 ("On").
Hmm, trying to reproduce this one but it seems that things are reporting back correctly on a PHP 7.0 configuration file. I've tried:
allow_url_fopen = Off
allow_url_fopen = 0
Both seem to work as expected:
PASS | ERROR | 4.0.3 | 0 | allow_url_fopen | Do not allow the opening of remote file resources ('Off' recommended)
Is there something I'm missing to reproduce this issue?
(discard warning about session.cookie_httponly, it was my mistake, sorry about the noise)
@tommy-muehle any update on how to reproduce this?
@enygma
Sorry for the late response!
I tried it also with my iniscan Docker container and this ini file.
Here are the steps to reproduce:
cd /tmp
curl -o php.ini https://gist.githubusercontent.com/tommy-muehle/4a59294d1799c19254780788f1f6f1e6/raw/e6133995df411ecf158892d338512a11949863d6/php.ini
docker run --rm -ti -v $(pwd):/tmp dockerizedphp/iniscan scan --fail-only --path=/tmp/php.ini
Inside the container runs PHP 7.1 if this is necessary.
For upload_max_filesize (16M -> 2M), post_max_size (24M -> 8M) and memory_limit (256M -> 128M) it returns me the default value and not the current value. For allow_url_fopen it casts me On to 0. And for disable_functions it displays an empty value instead of pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,.
Also for session.use_strict_mode the value is 0 but it displays 1; however, it still detects it as failed, so the cast occurs after.
Happening on PHP 7.4 if that matters.
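The thread turns on two points: the "current value" column has to come from the parsed ini (`$ini[$test->key]`, as the first comment notes) rather than from the rule's recommended value, and the On/Off/1/0 spellings described under the Cast class have to be normalised before a directive is compared. The following is an added example written for this discussion, not iniscan's own code or its Cast class. It assumes PHP 7.4 or later (arrow functions) and uses PHP's built-in `parse_ini_string()`; the directive thresholds (2M, 8M, 128M, strict mode on, a non-empty `disable_functions`) are assumptions chosen for illustration, and the sample ini is constructed to mirror the values reported above.

```php
<?php
declare(strict_types=1);

// Added example, not iniscan's own code. Demonstrates (1) reading the *current*
// value of each directive from the parsed ini array and (2) normalising PHP's
// boolean spellings and byte-size shorthand before comparing against a rule.
// Rule thresholds below are assumptions for illustration only.

/** Map a php.ini boolean spelling to true/false; null when it is not boolean-like. */
function ini_bool(string $raw): ?bool
{
    $v = strtolower(trim($raw, " \t\"'"));
    if (in_array($v, ['1', 'on', 'yes', 'true'], true)) {
        return true;
    }
    if (in_array($v, ['0', 'off', 'no', 'false', 'none', ''], true)) {
        return false;
    }
    return null;
}

/** Convert PHP shorthand byte notation ("16M", "512K", "1G", "0", "-1") to bytes. */
function ini_bytes(string $raw): int
{
    if (!preg_match('/^\s*(-?\d+)\s*([kmg])?\s*$/i', $raw, $m)) {
        throw new InvalidArgumentException("not a size value: '$raw'");
    }
    $n = (int) $m[1];
    foreach (['k', 'm', 'g'] as $i => $unit) {
        // $m[2] is absent when no suffix matched, hence the null-coalesce.
        if (strtolower($m[2] ?? '') === $unit) {
            $n *= 1024 ** ($i + 1);
        }
    }
    return $n;
}

/** True when $v is a non-negative size no larger than $limit; "-1" (unlimited) fails. */
function within_limit(string $v, string $limit): bool
{
    $b = ini_bytes($v);
    return $b >= 0 && $b <= ini_bytes($limit);
}

/**
 * Rule list (assumed thresholds): directive key, recommended value as it would
 * be written in php.ini, and a check that receives the raw current value.
 */
function rules(): array
{
    return [
        ['key' => 'allow_url_fopen',         'recommended' => 'Off',
         'check' => fn(string $v) => ini_bool($v) === false],
        ['key' => 'session.use_strict_mode', 'recommended' => '1',
         'check' => fn(string $v) => ini_bool($v) === true],
        ['key' => 'disable_functions',       'recommended' => '(non-empty list)',
         'check' => fn(string $v) => trim($v) !== ''],
        ['key' => 'upload_max_filesize',     'recommended' => '2M',
         'check' => fn(string $v) => within_limit($v, '2M')],
        ['key' => 'post_max_size',           'recommended' => '8M',
         'check' => fn(string $v) => within_limit($v, '8M')],
        ['key' => 'memory_limit',            'recommended' => '128M',
         'check' => fn(string $v) => within_limit($v, '128M')],
    ];
}

/**
 * Parse with INI_SCANNER_RAW so "On"/"Off" survive as text (the default
 * INI_SCANNER_NORMAL mode rewrites On to "1" and Off to ""), then evaluate each
 * rule. The "current" field is always taken from $ini[$key], never from the rule.
 */
function scan(string $iniText): array
{
    $ini = parse_ini_string($iniText, false, INI_SCANNER_RAW);
    if ($ini === false) {
        throw new RuntimeException('ini text could not be parsed');
    }
    $rows = [];
    foreach (rules() as $rule) {
        $key = $rule['key'];
        if (!array_key_exists($key, $ini)) {
            // Do not invent a default: report the directive as unset.
            $rows[] = ['status' => 'UNSET', 'key' => $key, 'current' => '', 'recommended' => $rule['recommended']];
            continue;
        }
        $current = (string) $ini[$key];
        $rows[] = ['status' => ($rule['check'])($current) ? 'PASS' : 'FAIL',
                   'key' => $key, 'current' => $current, 'recommended' => $rule['recommended']];
    }
    return $rows;
}

// Constructed sample mirroring the values reported in the thread (not a real server's php.ini).
const SAMPLE_INI = <<<'INI'
upload_max_filesize = 16M
post_max_size = 24M
memory_limit = 256M
allow_url_fopen = On
disable_functions = pcntl_alarm,pcntl_fork,pcntl_exec,
session.use_strict_mode = 0
INI;

foreach (scan(SAMPLE_INI) as $r) {
    printf("%-5s | %-24s | %-36s | %s\n", $r['status'], $r['key'], $r['current'], $r['recommended']);
}
```

Run with `php scan.php`: every row's "current" column shows the value as written in the sample (16M, On, 0, the function list), and only `disable_functions` passes. Swapping `INI_SCANNER_RAW` for `INI_SCANNER_NORMAL` in `scan()` is an easy way to see how PHP's own parser changes `On`/`Off` before any casting code runs.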