Security considerations when parsing user-provided INI strings and files

By Akash
on 12-10-2023 11:24 AM

PHP provides the parse_ini_string and parse_ini_file functions, which reuse the built-in INI parser that PHP uses for its own INI-based configuration files such as php.ini.

In addition to parsing the text, the INI parser substitutes the values of system environment variables (written as ${VAR}) and of PHP constants that are declared by the time the text is parsed. Since PHP 8.3, it also supports a fallback value syntax for environment variables (${VAR:-default}). These features are useful for configuring PHP itself from environment variables and for referencing available PHP constants, but running the same parser, in its default mode, over user-provided INI values is a security vulnerability: PHP can be tricked into substituting environment variables and PHP constants, which are likely to contain sensitive data (credentials, keys) that should not be exposed.
For example, a configuration file supplied by a user, or fetched from a remote server that is not fully trusted, can reference the parsing server's own environment variables and PHP constants. After parsing, the substituted values sit in the returned array, from where the application may store, display or send them back to the party that supplied the file.

However, PHP provides a way to disable type coercion and environment/constant substitution. The third parameter (scanner_mode) of parse_ini_file and parse_ini_string accepts one of INI_SCANNER_NORMAL (the default), INI_SCANNER_TYPED or INI_SCANNER_RAW. Only INI_SCANNER_RAW disables the parsing of types, environment variables and PHP constants; INI_SCANNER_TYPED preserves native types for the values but still performs the substitutions.
The caveat here is that PHP does not default to INI_SCANNER_RAW, which means every call that does not explicitly pass INI_SCANNER_RAW is vulnerable if it parses user-provided INI values. When auditing code, check the third argument of each parse_ini_string and parse_ini_file call whose input is not fully trusted.
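The following is an added example, not code from the original post, that shows the leak and the fix side by side. The environment variable DB_PASSWORD, the constant APP_SIGNING_KEY, the INI text and the helper functions parseUntrustedIni and rawIniBool are all constructed for the demonstration; the scanner mode constants and parse_ini_string are PHP's own.

```php
<?php
// Added example, not code from the original post. The environment variable,
// the constant and the INI text below are constructed for the demonstration.

putenv('DB_PASSWORD=s3cr3t-from-env');                // constructed: secret in the server's environment
define('APP_SIGNING_KEY', 'hmac-key-from-bootstrap'); // constructed: secret held in a PHP constant

// Attacker-controlled INI text, e.g. an uploaded "plugin" or "theme" config.
// ${VAR} references an environment variable; a bare identifier references a
// PHP constant. (PHP 8.3 additionally accepts ${VAR:-default}; it is left out
// here so the snippet also runs on older versions.)
$untrusted = <<<'INI'
[settings]
db_pass   = ${DB_PASSWORD}
key       = APP_SIGNING_KEY
php_ver   = PHP_VERSION
enabled   = on
INI;

// Vulnerable: the default scanner mode (INI_SCANNER_NORMAL) substitutes
// environment variables and constants and coerces on/off/yes/no to "1"/"".
$leaky = parse_ini_string($untrusted, true);

// Still vulnerable: INI_SCANNER_TYPED keeps native types (true/false/int)
// but performs the same substitutions.
$typed = parse_ini_string($untrusted, true, INI_SCANNER_TYPED);

// Hardened: INI_SCANNER_RAW returns the literal text of every value, so
// "${DB_PASSWORD}" and "APP_SIGNING_KEY" stay plain strings.
function parseUntrustedIni(string $text): array
{
    $result = parse_ini_string($text, true, INI_SCANNER_RAW);
    if ($result === false) {
        throw new RuntimeException('Malformed INI input');
    }
    return $result;
}
$safe = parseUntrustedIni($untrusted);

// Whatever type handling the application needs is done explicitly on the raw
// strings, so no parser-level substitution is ever involved.
function rawIniBool(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'true', 'on', 'yes'], true);
}

printf("NORMAL  db_pass=%s key=%s php_ver=%s enabled=%s\n",
    $leaky['settings']['db_pass'], $leaky['settings']['key'],
    $leaky['settings']['php_ver'], var_export($leaky['settings']['enabled'], true));
printf("TYPED   db_pass=%s key=%s enabled=%s\n",
    $typed['settings']['db_pass'], $typed['settings']['key'],
    var_export($typed['settings']['enabled'], true));
printf("RAW     db_pass=%s key=%s php_ver=%s enabled=%s\n",
    $safe['settings']['db_pass'], $safe['settings']['key'],
    $safe['settings']['php_ver'], var_export(rawIniBool($safe['settings']['enabled']), true));
```

In the NORMAL and TYPED runs, db_pass carries the value of the DB_PASSWORD environment variable, key carries the value of APP_SIGNING_KEY and php_ver carries the running PHP version, i.e. the parser has disclosed server-side data the attacker never had. In the RAW run, all three are the literal strings from the input, and the boolean is derived by the application itself rather than by the parser. If a code base needs typed values from untrusted INI, parsing with INI_SCANNER_RAW and coercing afterwards, as rawIniBool does, is the pattern to use; INI_SCANNER_TYPED is not a substitute for INI_SCANNER_RAW.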