incorrect results / false positives #101

Open
sandrokeil opened this issue Apr 20, 2016 · 9 comments

@sandrokeil

I guess there are some incorrect results. I use this php.ini and PHP 7.0 with iniscan version 3.6.4.

This is the output:

Status | Severity | PHP Version | Current Value | Key                           | Description
------------------------------------------------------------------------------------------
FAIL   | ERROR    | 5.2.0       | 1             | session.cookie_httponly       | Setting session cookies to 'http only' makes them only readable by the browser
FAIL   | ERROR    | 4.0.4       | 1             | session.cookie_secure         | Cookie secure specifies whether cookies should only be sent over secure connections.
FAIL   | WARNING  | 5.5.2       | 1             | session.use_strict_mode       | Strict mode prevents uninitialized session IDs in the built-in session handling.
FAIL   | ERROR    | 4.0.3       | 0             | allow_url_fopen               | Do not allow the opening of remote file resources ('Off' recommended)

As you can read in the php docs the current session settings are secure. allow_url_fopen is also disabled. Or is the column Current value the recommended value?

It seems the determination of default values is incorrect, because the value of session.cookie_httponly is "". Same for other values.

Do you check the values 1, 0, Off, On, "1", "0" or "" for specific settings?

@enygma
Member

enygma commented Apr 20, 2016

Hmm, interesting - I'll have to look into this one further to see what's happening here. There's "casting" functionality in the Psecio\Iniscan\Cast class that tries to normalize out the 1/0/Off/On/etc values to the same result but maybe there's something getting lost in the shuffle there with some of the PHP 7 updates.

@derFunk
Contributor

derFunk commented Feb 21, 2017

I encountered the same thing. +1 for fixing it.

@tommy-muehle

@enygma The cast is correct. It seems more an error with the "current value" column.
See my example for "allow_url_fopen".

The real value:
[screenshot, 2017-03-10 07:27]

The result of iniscan:
[screenshot, 2017-03-09 12:04]

Current value shows "0" but is definitely 1 ("On").

@tommy-muehle

The bug is here:
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/Rule.php#L369
Instead of $test->value, which returns
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/rules.json#L148
$ini[$test->key] should be used.
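To make the distinction concrete, here is an added example (my own illustration, not iniscan's code) of a small php.ini checker that normalises the boolean spellings enygma's comment describes for the Cast class and always reports the value read from the file, as the fix above suggests. The rule set, the sample php.ini, the PHP built-in defaults in the "default" field and all function names are constructed for this example and are not taken from iniscan's rules.json:

```python
"""Added example, not iniscan's code: a minimal php.ini checker whose "Current Value"
column is always the value found in the file (or the PHP default), never the rule's
recommended value. RULES, SAMPLE_PHP_INI and all function names are constructed."""
import re

_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}


def parse_php_ini(text):
    """Parse php.ini text into {directive: raw value}; skips [sections] and ';' comments."""
    ini = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith('"'):          # "quoted" value: keep the inner text
            value = value[1:].split('"', 1)[0]
        else:                               # bare value: drop any trailing comment
            value = value.split(";", 1)[0].strip()
        ini[key.strip()] = value
    return ini


def cast_bool(value):
    """Normalise every spelling PHP accepts for a boolean directive to True/False."""
    v = value.strip().strip('"').lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean ini value: {value!r}")


def cast_size(value):
    """Expand PHP shorthand byte sizes (2M, 128M, 1G) to an integer byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value.strip('"'))
    if not m:
        raise ValueError(f"not a size value: {value!r}")
    unit = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[m.group(2).lower()]
    return int(m.group(1)) * unit


# Constructed rule set (hypothetical, not rules.json). "default" is the PHP built-in
# value used only when the directive is absent from the file.
RULES = [
    {"key": "session.cookie_httponly", "type": "bool", "expected": True, "default": "", "severity": "ERROR"},
    {"key": "session.cookie_secure", "type": "bool", "expected": True, "default": "", "severity": "ERROR"},
    {"key": "session.use_strict_mode", "type": "bool", "expected": True, "default": "0", "severity": "WARNING"},
    {"key": "allow_url_fopen", "type": "bool", "expected": False, "default": "1", "severity": "ERROR"},
    {"key": "upload_max_filesize", "type": "size", "expected": "2M", "default": "2M", "severity": "WARNING"},
    {"key": "post_max_size", "type": "size", "expected": "8M", "default": "8M", "severity": "WARNING"},
    {"key": "disable_functions", "type": "nonempty", "expected": "<non-empty>", "default": "", "severity": "WARNING"},
]


def scan(ini, rules=RULES, fail_only=False):
    """Evaluate each rule; 'current' comes from the parsed file (or the PHP default)."""
    results = []
    for rule in rules:
        current = ini.get(rule["key"], rule["default"])
        if rule["type"] == "bool":
            ok = cast_bool(current) == rule["expected"]
        elif rule["type"] == "size":
            ok = cast_size(current) <= cast_size(rule["expected"])
        else:  # nonempty: a list such as disable_functions must not be blank
            ok = bool(current.strip())
        if fail_only and ok:
            continue
        results.append({"status": "PASS" if ok else "FAIL", "severity": rule["severity"],
                        "key": rule["key"], "current": current, "expected": rule["expected"]})
    return results


def format_report(results):
    """Render results as a plain-text table in the style quoted in this issue."""
    rows = [f"{r['status']:<6} | {r['severity']:<8} | {r['current']:<20} | {r['key']}" for r in results]
    return "\n".join(["Status | Severity | Current Value        | Key", *rows])


SAMPLE_PHP_INI = """\
; constructed sample mirroring the settings quoted in this issue
[PHP]
allow_url_fopen = Off
upload_max_filesize = 16M
post_max_size = 24M
disable_functions = pcntl_alarm,pcntl_fork,pcntl_exec
[Session]
session.cookie_httponly = 1
session.cookie_secure = "1"
session.use_strict_mode = 0 ; deliberately left off for the example
"""

if __name__ == "__main__":
    print(format_report(scan(parse_php_ini(SAMPLE_PHP_INI), fail_only=True)))
```

With the sample file, allow_url_fopen = Off shows "Off" in the Current Value column and passes, while the size directives and session.use_strict_mode fail with the values the file actually contains; a directive missing from the file is reported with the PHP default, which is what the "" seen for session.cookie_httponly in the first comment corresponds to.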

@enygma
Member

enygma commented Mar 12, 2017

Hmm, trying to reproduce this one but it seems that things are reporting back correctly on a PHP 7.0 configuration file. I've tried:

allow_url_fopen = Off
allow_url_fopen = 0

Both seem to work as expected:

PASS   | ERROR    | 4.0.3       | 0             | allow_url_fopen               | Do not allow the opening of remote file resources ('Off' recommended)

Is there something I'm missing to reproduce this issue?

@sebastienbarre

(discard warning about session.cookie_httponly, it was my mistake, sorry about the noise)

@enygma
Member

enygma commented Mar 21, 2017

@tommy-muehle any update on how to reproduce this?

@tommy-muehle

@enygma
Sorry for the late response!

I tried it also with my iniscan Docker container and this ini file.

Here are the steps to reproduce:

cd /tmp
curl -o php.ini https://gist.githubusercontent.com/tommy-muehle/4a59294d1799c19254780788f1f6f1e6/raw/e6133995df411ecf158892d338512a11949863d6/php.ini
docker run --rm -ti -v $(pwd):/tmp dockerizedphp/iniscan scan --fail-only --path=/tmp/php.ini

Inside the container runs PHP 7.1, if that is relevant.

@noraj

noraj commented Jun 16, 2022

For upload_max_filesize (16M -> 2M), post_max_size (24M -> 8M) and memory_limit (256M -> 128M) it returns the default value and not the current value. For allow_url_fopen it casts On to 0. And for disable_functions it displays an empty value instead of pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,.
Also, for session.use_strict_mode the value is 0 but it displays 1; however, it still detects it as failed, so the cast occurs afterwards.
Happening on PHP 7.4, if that matters.

6 participants