Add `phpinfo()` to dangerous calls config

spaze / phpstan-disallowed-calls

PHPStan rules to detect disallowed method & function calls, constant, namespace, attribute & superglobal usages

MIT License

263 stars 17 forks source link

Add `phpinfo()` to dangerous calls config #255

Closed spaze closed 7 months ago

spaze commented 7 months ago

See

https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().