Add phpinfo() to dangerous calls config

spaze released this 21 Apr 17:08

· 159 commits to main since this release

v3.2.0

6d5ce7e

Add `phpinfo()` to dangerous calls config (#255)

See

https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
Update dev dependencies (#254)

Assets 2

0 Join discussion

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Add phpinfo() to dangerous calls config

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Add `phpinfo()` to dangerous calls config (#255)

Internal changes

Uh oh!

Uh oh!

Add phpinfo() to dangerous calls config

Add phpinfo() to dangerous calls config (#255)

Internal changes

Uh oh!

Add `phpinfo()` to dangerous calls config (#255)