1.2.632. Keep Files Access Restricted
Avoid using 0777 as file or directory mode. In particular, setting a file or a directory to 0777 (or universal read-write-execute) may lead to security vulnerabilities, as anything on the server may read, write and even execute
File mode may be changed using the chmod() function, or at directory creation, with mkdir().
By default, this analysis reports universal access (0777). It is possible to make this analysis more restrictive by providing more forbidden modes in the filePrivileges parameter, for example: 511,510,489. Only use a decimal representation.
<?php
file_put_contents($file, $content);
// this file is accessible to the current user and to their group, for reading and executing (0550 grants no write access)
chmod($file, 0550);
// this file is accessible to everyone
chmod($file, 0777);
?>
| Name | Default | Type | Description |
|---|---|---|---|
| filePrivileges | 0777 | string | List of forbidden file modes (comma separated). This should be a decimal value: 511 instead of 777. The values will not be converted from octal to decimal. |
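The following added example is not part of the Exakat documentation. It creates a directory and a file with restrictive modes, reads the resulting permission bits back, and checks them against a forbidden list written in the decimal form that filePrivileges expects. The helper names, the temporary paths and the 0600/0700 modes are assumptions, and it assumes a POSIX filesystem.

```php
<?php
// Added example: hypothetical helpers, not Exakat code.
// Forbidden modes in the decimal form used by filePrivileges.
const FORBIDDEN_MODES = '511,510,489'; // octal 0777, 0776, 0751

/** Turn the comma-separated decimal list into integers. */
function parseForbiddenModes(string $list): array
{
    $items = array_filter(array_map('trim', explode(',', $list)), 'strlen');
    return array_map('intval', $items); // intval('511') === 0777
}

/** Permission bits of a path, with the file-type bits masked off. */
function permissionBits(string $path): int
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("Cannot stat $path");
    }
    return $perms & 0777;
}

/** Write a file that is never world-accessible, even between create and chmod. */
function writeRestricted(string $path, string $content, int $mode = 0600): void
{
    $previous = umask(0077); // new files get no group/other bits
    try {
        if (file_put_contents($path, $content) === false || !chmod($path, $mode)) {
            throw new RuntimeException("Cannot write $path");
        }
    } finally {
        umask($previous);
    }
}

// Constructed sample paths under the system temporary directory.
$dir = sys_get_temp_dir() . '/kfr_' . bin2hex(random_bytes(4));
mkdir($dir, 0700); // the effective mode is 0700 & ~umask
$file = $dir . '/report.txt';
writeRestricted($file, "constructed sample content\n");

$forbidden = parseForbiddenModes(FORBIDDEN_MODES);
foreach ([$dir, $file] as $path) {
    $bits = permissionBits($path);
    $flag = in_array($bits, $forbidden, true) ? 'FORBIDDEN' : 'ok';
    printf("%s octal=%04o decimal=%d %s\n", $path, $bits, $bits, $flag);
}
unlink($file);
rmdir($dir);
```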
See also Mkdir Default and Least Privilege Violation.
1.2.632.1. Connex PHP features
1.2.632.1.1. Suggestions
Set the file mode to the lowest level of permissions possible, that is, as restrictive as possible.
1.2.632.1.2. Specs

| Short name | Security/KeepFilesRestricted |
|---|---|
| Rulesets | |
| Exakat since | 2.1.1 |
| PHP Version | All |
| Severity | Minor |
| Time To Fix | Quick (30 mins) |
| Precision | High |
| Available in | |