
org.sonar.l10n.php.rules.php.S3335.html
The cgi.force_redirect
php.ini directive controls how the PHP engine behaves when it runs as a CGI binary. When it is enabled, PHP
refuses to execute unless the request reached it through an internal redirect by the web server (PHP looks for
the REDIRECT_STATUS environment variable, or the variable named by cgi.redirect_status_env), so CGI scripts cannot
be requested directly without prior web server or application processing. When it is disabled, CGI scripts can be
requested directly by anyone who can reach the server.
Why is this an issue?
In CGI mode, the web server often performs preliminary processing before handing a request to the script: it checks the user's
authentication and sets the configuration parameters and environment variables the CGI script needs in order to run correctly.
Direct requests skip all of that.
What is the potential impact?
CGI scripts may behave unexpectedly when the configuration they expect has not been set up before they are accessed.
The most serious consequences concern the application's authentication and authorization mechanisms. When the web server is
responsible for authenticating clients and forwarding the resulting identity to the script, a direct request bypasses that step entirely.
Attackers can then supply an arbitrary identity to the CGI script by forging the HTTP headers, environment values or parameters the script
expects the web server to have set, and impersonate any legitimate user of the application.
How to fix it
cgi.force_redirect
should be enabled in the main PHP configuration file (php.ini). The directive is PHP_INI_SYSTEM, so it cannot be set from
.htaccess or .user.ini files; only the system-wide configuration counts.
Note that this parameter is enabled by default, so an explicit cgi.force_redirect=0 is the only way to end up in the vulnerable state.
Code examples
Noncompliant code example
; php.ini
cgi.force_redirect=0 ; Noncompliant
Compliant solution
; php.ini
cgi.force_redirect=1 ; Compliant
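The rule above is a configuration check, so an auditor can apply it to a php.ini file mechanically. The following is an added example, not code from the SonarSource rule or from PHP itself; the function names (parse_php_ini, php_ini_bool, audit_force_redirect) and the three php.ini fragments at the bottom are constructed for this demonstration. It reproduces the details that matter when reading php.ini: `;` comments (also trailing ones, but not inside quotes), the last assignment of a repeated directive winning, the absent-means-default-on rule, and PHP's own boolean interpretation of values such as On, Off, none, "0" and 2.

```python
"""Audit php.ini text for cgi.force_redirect (rule S3335).

Added example; not the SonarSource rule implementation and not part of PHP.
Assumed/hypothetical: all function names and the sample ini fragments below.
"""
import re

DIRECTIVE = "cgi.force_redirect"


def php_ini_bool(value: str) -> bool:
    """Interpret a value the way PHP's ini boolean handler does:
    on/yes/true (any case) are true; otherwise the leading integer decides,
    so "2" is true while "0", "off", "none", "false" and "" are false."""
    v = value.strip().strip('"\'').lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m and int(m.group()) != 0)


def _strip_comment(s: str) -> str:
    """Drop a trailing ';' comment unless the ';' sits inside quotes."""
    out, quote = [], None
    for ch in s:
        if quote:
            out.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            out.append(ch)
        elif ch == ";":
            break
        else:
            out.append(ch)
    return "".join(out).strip()


def parse_php_ini(text: str) -> dict:
    """Return {directive: (raw_value, line_no)}; a repeated directive keeps
    its last assignment, which is the one PHP applies."""
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue  # blank, full-line comment, or [section] header
        key, sep, rest = line.partition("=")
        if not sep:
            continue  # not an assignment
        settings[key.strip()] = (_strip_comment(rest), line_no)
    return settings


def audit_force_redirect(ini_text: str) -> dict:
    """Classify the effective cgi.force_redirect setting of one php.ini text."""
    settings = parse_php_ini(ini_text)
    if DIRECTIVE not in settings:
        return {"status": "compliant", "line": None,
                "reason": "not set; PHP default is 1 (enabled)"}
    value, line_no = settings[DIRECTIVE]
    if php_ini_bool(value):
        return {"status": "compliant", "line": line_no,
                "reason": f"set to {value!r}"}
    return {"status": "noncompliant", "line": line_no,
            "reason": f"set to {value!r}: CGI scripts can be requested directly"}


# Constructed sample inputs (not real configuration files).
WEAK_INI = """; php.ini (constructed sample)
[PHP]
cgi.force_redirect = 1 ; overridden by the later assignment
; cgi.force_redirect = 1 ; a commented-out line is ignored
cgi.force_redirect = Off
cgi.redirect_status_env = "HTTP;REDIRECT_STATUS" ; ';' inside quotes is kept
"""
HARDENED_INI = """[PHP]
cgi.force_redirect = On ; trailing comment
"""
DEFAULT_INI = "[PHP]\nmemory_limit = 128M\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI),
                      ("default", DEFAULT_INI)):
        r = audit_force_redirect(ini)
        print(f"{name}: {r['status']} (line {r['line']}): {r['reason']}")
```

Running it reports the weak fragment as noncompliant at line 5 (the last assignment, not the first), the hardened one as compliant, and the fragment that never mentions the directive as compliant because PHP's built-in default is enabled. Point it at the php.ini that php-cgi actually loads (php-cgi -i shows the path under "Loaded Configuration File"), not at a CLI php.ini, since the two can differ.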
Pitfalls
The cgi.force_redirect
check is not supported by every web server. Microsoft IIS, for example, does not mark internally redirected requests, so
PHP cannot tell such a request apart from a direct one and refuses to run at all.
On such a server, the cgi.force_redirect
parameter has to be disabled for the CGI scripts to work. In that case the protection it provides is gone: the CGI scripts must not
assume the web server has already authenticated the client, and should perform (or verify) authentication and authorization themselves.
Where the server can set a custom environment variable on redirected requests, cgi.redirect_status_env lets PHP check that variable
instead of REDIRECT_STATUS, which is preferable to switching the check off.