1.2.628. Keep Files Access Restricted
Avoid using 0777 as file or directory mode. In particular, setting a file or a directory to 0777 (universal read-write-execute) may lead to security vulnerabilities, as anything on the server may read, write and even execute it.
File mode may be changed using the chmod() function, or at directory creation, with mkdir().
By default, this analysis reports universal access (0777). It is possible to make this analysis more restrictive by providing more forbidden modes in the filePrivileges parameter, for example: 511,510,489. Only use a decimal representation.
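<?php
// Example values so the snippet runs on its own
$file = sys_get_temp_dir() . '/example.txt';
$content = 'example';

file_put_contents($file, $content);
// this file is accessible to the current user and to their group, for reading and executing only
chmod($file, 0550);
// this file is accessible to everyone, for reading, writing and executing
chmod($file, 0777);
?>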
Name | Default | Type | Description
filePrivileges | 0777 | string | List of forbidden file modes (comma separated). This should be a decimal value: 511 instead of 777. The values will not be converted from octal to decimal.
See also Mkdir Default and Least Privilege Violation.
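An added example, not part of the Exakat documentation or code: it converts octal modes to the decimal list that filePrivileges expects (0777, 0776 and 0751 are 511, 510 and 489) and, as a runtime complement to the static analysis, lists the entries of a directory tree that carry one of those modes. The function names toFilePrivileges() and findForbiddenModes() and the sample tree are assumptions made for illustration; a POSIX filesystem is assumed.

```php
<?php
// Added example: helper names and the sample tree are hypothetical.

/** Turn octal mode strings into the decimal list that filePrivileges expects. */
function toFilePrivileges(array $octalModes): string
{
    return implode(',', array_map('octdec', $octalModes));
}

/** Return path => octal mode for every entry under $root whose mode is forbidden. */
function findForbiddenModes(string $root, array $forbiddenDecimal): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isLink()) {
            continue; // the mode of a symlink itself is not meaningful
        }
        $mode = $entry->getPerms() & 0777; // keep only the rwx bits
        if (in_array($mode, $forbiddenDecimal, true)) {
            $hits[$entry->getPathname()] = sprintf('%04o', $mode);
        }
    }
    return $hits;
}

// Constructed sample tree: one restricted file, one universally accessible file.
$root = sys_get_temp_dir() . '/kfr_' . bin2hex(random_bytes(4));
mkdir($root, 0750);
file_put_contents("$root/ok.txt", 'data');
chmod("$root/ok.txt", 0640);
file_put_contents("$root/open.txt", 'data');
chmod("$root/open.txt", 0777);

// Build the decimal list for the modes to forbid, then audit the tree with it.
$list = toFilePrivileges(['0777', '0776', '0751']);
echo $list, PHP_EOL;
$forbidden = array_map('intval', explode(',', $list));
print_r(findForbiddenModes($root, $forbidden));

// Remove the constructed sample tree.
array_map('unlink', glob("$root/*"));
rmdir($root);
```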
1.2.628.1. Suggestions
Set the file mode to the lowest level of access possible.
1.2.628.2. Specs
Short name | Security/KeepFilesRestricted
Rulesets |
Exakat since | 2.1.1
PHP Version | All
Severity | Minor
Time To Fix | Quick (30 mins)
Precision | High
Available in |