Security considerations when parsing user-provided INI strings and files

Published On31 Jul 2023

Security considerations when parsing user-provided INI strings and files
PHP provides parse_ini_string and parse_ini_file functions that reuse PHP's built-in PHP parser it uses for PHP's own INI-based configuration files.

In addition to parsing the text, the INI parser supports inheriting system environment values and PHP constant declared by the time the text is parsed. Since PHP 8.3, it also supports a fallback value syntax for environment variables.

; Normal string literals
my_config_name = normal

; Inherit SESSION_NAME environment variable, or "" if unavailable
my_config_name = ${SESSION_NAME}

; Inherit SESSION_NAME environment variable with fallback value "MyDefaultValue"
my_config_name = ${SESSION_NAME:-MyDefaultValue}

; String interpolation with environment variables
my_config_name = "${MAIL_FROM_USER}@${MAIL_FROM_DOMAIN}"

; Inherit PHP_VERSION PHP constant
my_config_name = PHP_VERSION

While these enhancements are useful to configure PHP using environment variables, and to use available PHP constants using the PHP's built-in PHP parser on user-provided INI values can be a security vulnerability as PHP can be tricked to expose environment variables and PHP constants which are likely to contain sensitive data that should not be exposed.

For example, a configuration file that is provided by a user or a remote server that is not fully trusted can exploit this to trick the parsing server to expose its own environment variables and PHP constants:

; config.ini
plugin.name = "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
plugin.description = DATABASE_PASSWORD
$conig = parse_ini_file('config.ini');
array(2) {
  ["plugin.name"]=> string(33) "Free plugin MyDbName / MyPa$$word"
  ["plugin.description"]=> string(10) "MyPa$$word"
}

However, PHP provides configuration parameters to disable PHP's type coercion and environment/constant substitution. The third parameter of parse_ini_file and parse_ini_string functions accept a bitmask, and one of the flags accepted is INI_SCANNER_RAW, which disables PHP's parsing of types, environment variables, and PHP constants:

; config.ini
plugin.name = "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
plugin.description = DATABASE_PASSWORD
$conig = parse_ini_file('config.ini', scanner_mode: INI_SCANNER_RAW);
// or
$conig = parse_ini_file('config.ini', false, INI_SCANNER_RAW);
array(2) {
  ["plugin.name"]=> string(51) "Free plugin ${DATABASE_NAME} / ${DATABASE_PASSWORD}"
  ["plugin.description"]=> string(17) "DATABASE_PASSWORD"
}

The security precaution here is that PHP does not default to the INI_SCANNER_RAW flag, which means all function calls that do not explicitly pass the INI_SCANNER_RAW flag will be vulnerable if they parse user-provided INI values.

Recent Articles on PHP.Watch

All ArticlesFeed 
How to Install/Upgrade PHP 8.3 on MacOS with Homebrew

How to Install/Upgrade PHP 8.3 on MacOS with Homebrew

Install PHP 8.3 and PHP extensions on MacOS with Homebrew.
How to install or upgrade to PHP 8.3 on Fedora, RHEL, CentOS, and more

How to install or upgrade to PHP 8.3 on Fedora, RHEL, CentOS, and more

Beginners guide on how to install PHP 8.3 on Fedora, RHEL, CentOS, Alma Linux, Rocky Linux, and others.
How to install or upgrade to PHP 8.3 on Ubuntu and Debian

How to install or upgrade to PHP 8.3 on Ubuntu and Debian

A complete guide to install or upgrade to PHP 8.3 on Ubuntu 22.04 (Jammy), Ubuntu 20.04 (Focal), Debian 10 (Buster), 11 (Bullseye), and Debian 12 (Bookworm).
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.