Security considerations when parsing user-provided INI strings and files

Published On31 Jul 2023

Security considerations when parsing user-provided INI strings and files
PHP provides parse_ini_string and parse_ini_file functions that reuse PHP's built-in PHP parser it uses for PHP's own INI-based configuration files.

In addition to parsing the text, the INI parser supports inheriting system environment values and PHP constant declared by the time the text is parsed. Since PHP 8.3, it also supports a fallback value syntax for environment variables.


; Normal string literals
my_config_name = normal

; Inherit SESSION_NAME environment variable, or "" if unavailable
my_config_name = ${SESSION_NAME}

; Inherit SESSION_NAME environment variable with fallback value "MyDefaultValue"
my_config_name = ${SESSION_NAME:-MyDefaultValue}

; String interpolation with environment variables
my_config_name = "${MAIL_FROM_USER}@${MAIL_FROM_DOMAIN}"

; Inherit PHP_VERSION PHP constant
my_config_name = PHP_VERSION

While these enhancements are useful to configure PHP using environment variables, and to use available PHP constants using the PHP's built-in PHP parser on user-provided INI values can be a security vulnerability as PHP can be tricked to expose environment variables and PHP constants which are likely to contain sensitive data that should not be exposed.


For example, a configuration file that is provided by a user or a remote server that is not fully trusted can exploit this to trick the parsing server to expose its own environment variables and PHP constants:

; config.ini
plugin.name = "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
plugin.description = DATABASE_PASSWORD
$conig = parse_ini_file('config.ini');
array(2) {
  ["plugin.name"]=> string(33) "Free plugin MyDbName / MyPa$$word"
  ["plugin.description"]=> string(10) "MyPa$$word"
}

However, PHP provides configuration parameters to disable PHP's type coercion and environment/constant substitution. The third parameter of parse_ini_file and parse_ini_string functions accept a bitmask, and one of the flags accepted is INI_SCANNER_RAW, which disables PHP's parsing of types, environment variables, and PHP constants:

; config.ini
plugin.name = "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
plugin.description = DATABASE_PASSWORD
$conig = parse_ini_file('config.ini', scanner_mode: INI_SCANNER_RAW);
// or
$conig = parse_ini_file('config.ini', false, INI_SCANNER_RAW);
array(2) {
  ["plugin.name"]=> string(51) "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
  ["plugin.description"]=> string(17) "DATABASE_PASSWORD"
}

The security precaution here is that PHP does not default to the INI_SCANNER_RAW flag, which means all function calls that do not explicitly pass the INI_SCANNER_RAW flag will be vulnerable if they parse user-provided INI values.

Recent Articles on PHP.Watch

All ArticlesFeed 
Get Composer to suggest dev packages to `require-dev`

Get Composer to suggest dev packages to require-dev

Composer 2.4 comes with a feature that it prompts during a composer require to install packages as require-dev dependencies when certain keywords are present. Development tools and libraries now can make use of this feature to mark themselves, so Composer uses the prompt when suitable.
How to extend lifetime of legacy PHP applications

How to extend lifetime of legacy PHP applications

As PHP continue to evolve with new breaking changes, and while that is great for most PHP applications, there are legacy applications that can't justify the human and financial cost of keeping up. Here is a guide on how to extend the lifetime of legacy PHP applications with security updates and maintenance.
PHP 8.2 Highlights: What's New and Changed

PHP 8.2 Highlights: What's New and Changed

Read about the highlights of PHP 8.2: Major new features, changes, and deprecated functionality.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.