Open TysonAndre opened 4 years ago
Currently, file_get_contents and file_put_contents are marked as sinks, but others also read files (e.g. https://www.php.net/readfile)
https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1 may matter if projects are used with code that accepts uploads in guessable paths, but would not matter if there are no allowed uploads or PHP is compiled without phar in the target environment.
Here is a list of filesystem functions that trigger phar deserialization: copy file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype fopen is_dir is_executable is_file is_link is_readable is_writable lstat mkdir parse_ini_file readfile rename rmdir stat touch unlink
I'm not sure if that's complete. For example, other functions also read file contents:
php > var_export(md5_file('https://www.google.com')); '82455db7a026874129b223e5b670158c'
There are also some of Psalm's list of file I/O functions, such as unlink()/symlink(), for other reasons.
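The following script is an added illustration of the point above; it is not code from this issue, from Psalm, or from the linked blog post. It builds a .phar whose metadata carries a serialized object with a `__wakeup()` method, then shows that a plain `file_exists()` on a `phar://` path is enough to run that method, and contrasts it with a hardened `safeFileExists()` that refuses stream-wrapper prefixes and confines the path to a base directory. Assumptions: the phar extension is enabled, the script is run as `php -d phar.readonly=0 phar_sink_demo.php` (the `readonly=0` is needed only to build the archive; reading a planted one works with the default), and the class, function and file names are hypothetical. The automatic unserialize on open is PHP 7.x behaviour; on PHP 8.0 and later phar metadata is only unserialized on an explicit `Phar::getMetadata()` call, so step 1 prints no `__wakeup` line there.

```php
<?php
declare(strict_types=1);

// Run with: php -d phar.readonly=0 phar_sink_demo.php
// (hypothetical file name; phar.readonly=0 is only needed to BUILD the archive)

final class Gadget
{
    public string $note = 'from metadata';

    // __wakeup runs only when an instance is produced by unserialize(),
    // so seeing this line proves the filesystem call deserialized our data.
    public function __wakeup(): void
    {
        echo "Gadget::__wakeup ran ({$this->note})\n";
    }
}

// Build a minimal phar whose metadata holds a serialized Gadget.
function buildPoisonedPhar(string $path): void
{
    if (file_exists($path)) {
        unlink($path);
    }
    $phar = new Phar($path);           // file name must end in .phar
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'placeholder');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Gadget());  // stored in the manifest as serialize(new Gadget())
    $phar->stopBuffering();
}

// Hardened check: refuse any stream-wrapper prefix and confine to $baseDir.
function safeFileExists(string $userPath, string $baseDir): bool
{
    // "scheme:" at the start selects a stream wrapper (phar://, php://, data:, ...).
    // This also rejects Windows drive letters, which is fine: user input is
    // always joined under $baseDir, never used as an absolute path.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves on the native filesystem and does not open stream
    // wrappers; the scheme check above rejects wrapper prefixes regardless.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false) {
        return false;  // nonexistent, or escaped via symlink / "..": same answer
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return $real === $base || strncmp($real, $prefix, strlen($prefix)) === 0;
}

$dir      = sys_get_temp_dir();
$pharPath = $dir . DIRECTORY_SEPARATOR . 'poisoned.phar';
buildPoisonedPhar($pharPath);

// Constructed "user input": the attacker controls only a path string,
// e.g. the name of a file they were allowed to upload earlier.
$attackerPath = 'phar://' . $pharPath . '/x.txt';

echo "1. file_exists() on the raw path:\n";
var_dump(file_exists($attackerPath));            // PHP 7.x: __wakeup fires before bool(true)

echo "2. safeFileExists() on the same path:\n";
var_dump(safeFileExists($attackerPath, $dir));   // bool(false), nothing deserialized

echo "3. safeFileExists() on a plain name:\n";
var_dump(safeFileExists('poisoned.phar', $dir)); // bool(true), plain stat() only

unlink($pharPath);
```

Every function in the list above behaves like step 1 because they all go through the same stream-wrapper lookup before touching the filesystem, which is why treating only file_get_contents/file_put_contents as sinks misses most of them; the scheme check in safeFileExists is the generic fix that applies to all of them at once.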
Hey @TysonAndre, can you reproduce the issue on https://psalm.dev?