Add phpinfo() to dangerous calls config

spaze released this 21 Apr 17:08

· 4 commits to main since this release

v3.2.0

6d5ce7e

Add `phpinfo()` to dangerous calls config (#255)

See

https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
Update dev dependencies (#254)

Assets 2

0 Join discussion

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add phpinfo() to dangerous calls config

Add `phpinfo()` to dangerous calls config (#255)

Internal changes

Add phpinfo() to dangerous calls config

Add phpinfo() to dangerous calls config (#255)

Internal changes

Add `phpinfo()` to dangerous calls config (#255)