1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-15 02:47:02 +01:00
psalm/docs/running_psalm/issues/TaintedHeader.md
Lukas Reschke 78f4a0691c
Add dedicated types for 'file', 'header' and 'cookie' (#4630)
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
2020-11-19 17:47:29 -05:00

1.3 KiB

TaintedHeader

Potential header injection. This rule is emitted when user-controlled input can be passed into a HTTP header.

Risk

The risk of a header injection depends hugely on your environment.

If your webserver supports something like XSendFile / X-Accel, an attacker could potentially access arbitrary files on the systems.

If your system does not do that, there may be other concerns, such as:

  • Cookie Injection
  • Open Redirects
  • Proxy Cache Poisoning

Example

<?php

header($_GET['header']);

Mitigations

Make sure only the value and not the key can be set by an attacker. (e.g. header('Location: ' . $_GET['target']);)

Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)

Further resources