1.2.714. Mkdir Default¶
mkdir() gives universal access to created folders, by default. It is recommended to gives limited set of rights (0755, 0700), or to explicitly set the rights to 0777.
<?php
// By default, this dir is 777
mkdir('/path/to/dir');
// Explicitely, this is wanted. It may also be audited easily
mkdir('/path/to/dir', 0777);
// This dir is limited to the current user.
mkdir('/path/to/dir', 0700);
?>
See also Why 777 Folder Permissions are a Security Risk.
1.2.714.1. Suggestions¶
Always use the lowest possible privileges on folders
Don’t use the PHP default : at least, make it explicit that the ‘universal’ rights are voluntary
1.2.714.2. Specs¶
Short name |
Security/MkdirDefault |
Rulesets |
|
Exakat since |
0.12.2 |
PHP Version |
All |
Severity |
Major |
Time To Fix |
Quick (30 mins) |
Precision |
Very high |
Features |
dir |
Examples |
|
Available in |