1.2.628. Keep Files Access Restricted

Avoid using 0777 as file or directory mode. In particular, setting a file or a directory to 0777 (or universal read-write-execute) may lead to security vulnerabilities, as anything on the server may read, write and even execute.

File mode may be changed using the chmod() function, or at directory creation, with mkdir(). By default, this analysis reports universal access (0777). It is possible to make this analysis more restrictive, by providing more forbidden modes in the filePrivileges parameter. For example: 511,510,489. Only use a decimal representation.

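<?php

// sample values, so that the snippet runs on its own
$file = 'example.txt';
$content = 'some content';

file_put_contents($file, $content);

// this file is accessible to the current user, and to their group, for reading and executing; others have no access.
chmod($file, 0550);

// this file is accessible to everyone, for reading, writing and executing
chmod($file, 0777);

?>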

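==============  =======  ======  ===========
Name            Default  Type    Description
==============  =======  ======  ===========
filePrivileges  0777     string  List of forbidden file modes (comma separated). This should be a decimal value: 511 instead of 777. The values will not be converted from octal to decimal.
==============  =======  ======  ===========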

See also Mkdir Default and Least Privilege Violation.
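
The filePrivileges parameter and the modes it forbids can be checked against a real directory tree. The script below is an added example, not Exakat code: it converts octal modes to the decimal list the parameter expects, then lists files whose mode is in that list. It goes beyond the rule by also flagging any path writable by "others". The function names and the sample tree are hypothetical, and a POSIX filesystem is assumed.

```php
<?php
// Added example, not Exakat code; function names are hypothetical. POSIX only.

// Octal mode strings -> comma-separated decimals, as filePrivileges expects.
function filePrivilegesValue(array $octalModes): string
{
    return implode(',', array_map('octdec', $octalModes));
}

// Paths under $root whose rwx bits equal a forbidden mode, or that are
// writable by "others" (o+w) whatever the remaining bits are.
function findLooseModes(string $root, array $forbidden): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;   // drop file-type and special bits
        if (in_array($mode, $forbidden, true) || ($mode & 0002)) {
            $hits[$path] = sprintf('%04o', $mode);
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree; chmod() sets the exact mode regardless of the umask.
$root = sys_get_temp_dir() . '/kfr_demo_' . bin2hex(random_bytes(4));
mkdir($root, 0750);
$modes = ['config.ini' => 0640, 'upload.tmp' => 0777, 'run.sh' => 0751, 'notes.txt' => 0666];
foreach ($modes as $name => $mode) {
    file_put_contents("$root/$name", "sample\n");
    chmod("$root/$name", $mode);
}

$octal = ['0777', '0776', '0751'];
echo 'filePrivileges = ', filePrivilegesValue($octal), "\n";
foreach (findLooseModes($root, array_map('octdec', $octal)) as $path => $mode) {
    echo $mode, '  ', $path, "\n";
}

// Remove the sample tree.
array_map('unlink', glob("$root/*"));
rmdir($root);
```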

1.2.628.1. Suggestions

  • Set the file mode to be as restrictive as possible, granting the lowest level of access that still works.

1.2.628.2. Specs

=============  ================================
Short name     Security/KeepFilesRestricted
Rulesets       All, Changed Behavior, Security
Exakat since   2.1.1
PHP Version    All
Severity       Minor
Time To Fix    Quick (30 mins)
Precision      High
Available in   Enterprise Edition, Exakat Cloud
=============  ================================