magento-ecg / coding-standard

Magento PHP_CodeSniffer Coding Standard
MIT License

Why is parse_url forbidden? #49

Closed lazyguru closed 7 years ago

lazyguru commented 7 years ago

Can you please explain why parse_url() is on the forbidden list?

erfanimani commented 7 years ago

Wondering this as well. There doesn't seem to be a Magento method for it, although there is a Zend one: Zend\Uri\Http::parse, so maybe use of that method is encouraged.

zlik commented 7 years ago

Hi @lazyguru, @erfanimani,

While not necessarily dangerous itself, we've seen parse_url in a number of attacks.

We should probably revisit the list of forbidden functions and move parse_url and other functions that are OK to use (keeping in mind security) to the discouraged list. We still want to report calls of those functions in the code for review as using them in an insecure way might introduce a vulnerability.
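
The review that the "discouraged" list is meant to trigger can be made concrete. The following is an added example, not code from the magento-ecg/coding-standard project or from anyone in this thread: it wraps parse_url() in a helper (hypothetical names trustedHttpHost() and isAllowedRedirect()) that handles the cases a reviewer looks for when a flagged call feeds a security decision such as a redirect-target check: the false return for malformed input, missing scheme or host, userinfo in the authority, and host case. The allowlist and sample URLs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Return the lower-cased host of an absolute http(s) URL, or null when the
 * input should not be trusted for a security decision.
 * Hypothetical helper; not a Magento or Laminas API.
 */
function trustedHttpHost(string $url): ?string
{
    // parse_url() returns false for seriously malformed URLs; treat that as untrusted.
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }

    // Only absolute http/https URLs carry a host that is meaningful to check.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Scheme-relative and path-only URLs have no host key, or an empty one.
    if (!isset($parts['host']) || $parts['host'] === '') {
        return null;
    }

    // Refuse userinfo (user:pass@host) so the host is the only authority component.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    return strtolower($parts['host']);
}

/**
 * Exact, case-insensitive match of the parsed host against an allowlist.
 * Hypothetical helper.
 */
function isAllowedRedirect(string $url, array $allowedHosts): bool
{
    $host = trustedHttpHost($url);
    return $host !== null && in_array($host, $allowedHosts, true);
}

// Constructed sample data: allowlist and inputs a reviewer would expect to see handled.
$allowed = ['shop.example.com', 'www.example.com'];
$samples = [
    'https://shop.example.com/checkout',   // allow
    'HTTPS://WWW.EXAMPLE.COM/account',     // allow: scheme and host are case-normalized
    '//shop.example.com/checkout',         // reject: no scheme
    '/checkout/cart',                      // reject: relative URL, no host
    'https://user@shop.example.com/',      // reject: userinfo present
    'ftp://shop.example.com/export',       // reject: not http(s)
    'http:///missing-host',                // reject: parse_url() returns false
];

foreach ($samples as $url) {
    printf("%-38s %s\n", $url, isAllowedRedirect($url, $allowed) ? 'allow' : 'reject');
}
```

Each early return corresponds to a question a code reviewer asks when the sniff reports the call; a wrapper like this keeps those answers in one place instead of scattering raw parse_url() calls across the code base.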

ghost commented 6 years ago

How to fix "The use of function parse_str() is forbidden", Magento 2

VladyslavSikailo commented 2 years ago

Seems like \Zend\Uri\Http is removed from Magento 2.4.1 and higher. Is there any alternative?

erfanimani commented 2 years ago

@Dren7755 \Laminas\Uri\Http