1.2.392. Dynamic Library Loading
Loading a library dynamically requires a lot of care in the preparation of the library name.
If the variable that holds the name can be injected, the dynamic loading of a library gives a lot of power to an intruder.
<?php
// dynamically loading a library
dl($library . PHP_SHLIB_SUFFIX);
// dynamically loading ext/vips
dl('vips.' . PHP_SHLIB_SUFFIX);
// static loading ext/vips (unix only)
dl('vips.so');
?>
See also dl.
1.2.392.1. Suggestions
Use a switch structure to make the dl() calls static.
Avoid using dl() and make the needed extension always available in the PHP binary.
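The first suggestion, sketched as an added example (not code from Exakat or from the PHP manual). The helper name `loadOptionalExtension`, the second extension `imagick` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: maps an untrusted extension name onto dl() calls
 * whose arguments are built only from literals and PHP_SHLIB_SUFFIX,
 * so no variable ever reaches dl().
 */
function loadOptionalExtension(string $requested): bool
{
    // dl() is absent from most web SAPIs and can be disabled by configuration.
    $canLoad = function_exists('dl');

    // One case per extension the application accepts.
    // File names follow the page's Unix-style naming ('vips.so').
    switch ($requested) {
        case 'vips':
            return extension_loaded('vips')
                || ($canLoad && dl('vips.' . PHP_SHLIB_SUFFIX));

        case 'imagick': // constructed second entry, for illustration only
            return extension_loaded('imagick')
                || ($canLoad && dl('imagick.' . PHP_SHLIB_SUFFIX));

        default:
            // Unknown names, absolute paths and traversal sequences end here
            // and are logged instead of being passed to the loader.
            error_log('Refused to load extension: ' . json_encode($requested));
            return false;
    }
}

// Constructed inputs: one accepted name and one injected path.
foreach (['vips', '../../tmp/injected'] as $name) {
    printf(
        "%s => %s\n",
        $name,
        loadOptionalExtension($name) ? 'available' : 'not loaded'
    );
}
```

The accepted name only reports `available` when the extension is actually installed on the host; the injected path always falls into the `default` branch.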
1.2.392.2. Specs
Short name | Security/DynamicDl
Rulesets |
Exakat since | 1.1.7
PHP Version | All
Severity | Major
Time To Fix | Slow (1 hour)
Precision | Very high
Features | library-loading
Available in |