Add support for configuration dirs
mfn opened this issue · 5 comments
PHP has a setting, which is set by default on e.g. Debian/Ubuntu, to load additional configuration files.
Looking at the output of iniscan scan --help I don't see an easy way to mimic this behavior quickly.
Suggestion: let --path also accept a directory by automatically reading all *.ini files in there; that's how PHP itself works.
Another observation / suggestion:
Since providing a file/dir (=path) is essentially the required thing to perform anything useful, I would suggest to simply drop the --path option and use Symfony's arguments, which don't require that prefix, effectively turning iniscan scan --path foo.ini into iniscan scan foo.ini
This would also make it easier to specify multiple files, e.g. iniscan scan /etc/php5/cli/conf.d/*.ini
Yeah, I agree - I think that's a good way to go with it. It does seem more like a primary thing to have rather than an "option" per se.
@mfn any chance you could whip this up in a PR? :) I think it'd be a great addition to the tool.
Issue not relevant to me anymore 🤷♀️ => closing
The thing is, for Apache HTTP Server for example you have an include statement like IncludeOptional conf-enabled/*.conf in apache2.conf, but for PHP there is no such thing. The fact that PHP will load ini files from the conf.d in addition to php.ini is not defined in the PHP configuration itself; there is no include statement in php.ini, it's defined during the PHP compilation with an option like --with-config-file-scan-dir=/etc/php5/$SAPI/conf.d. If running from the audited system directly, there is maybe a way to find the value of this compilation flag to know where to read additional ini files, but if running iniscan offline (extracting the /etc/php directory from the target and running iniscan on an audit machine) there is absolutely no way to automatically tell by reading php.ini if and where there are additional ini files. So I guess the only way to do it properly is by specifying the path manually. For example: iniscan scan --path /etc/php/8.1/apache2/apache2.conf --scan-dir /etc/php/8.1/apache2/conf.d.
Also it's important to note that ini files in conf.d can override configuration keys already present in php.ini, so to solve the config one has to take php.ini, then append 10-mysqlnd.ini, then append 20-curl.ini, and so on alphabetically. When all the files are concatenated, only the last key value must be taken into account.
TL;DR
Right now the workaround is: cat php.ini conf.d/*.ini > /tmp/php_concat.ini and then iniscan scan --path /tmp/php_concat.ini
Information about how php.ini loads extra files
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini ;
;;;;;;;;;;;;;;;;;;;
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; The following is a summary of its search order:
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 4. Current working directory (except CLI)
; 5. The web server's directory (for SAPI modules), or directory of PHP
; (otherwise in Windows)
; 6. The directory from the --with-config-file-path compile time option, or the
; Windows directory (usually C:\windows)
; See the PHP docs for more specific information.
; http://php.net/configuration.file
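
The merge order described in the comments above (php.ini first, then the conf.d files alphabetically, last value wins), as an added Python example that is not part of the thread or of iniscan: it resolves the effective value of each key offline and records which file set it, so a conf.d drop-in that weakens php.ini is visible before scanning. Assumptions: the file names and values are constructed, files are sorted byte-wise, inline-comment handling is simplified, and extension/zend_extension are treated as accumulating rather than overriding.

```python
import re
import tempfile
from pathlib import Path

# Directives that accumulate instead of being overridden by a later file.
REPEATABLE = {"extension", "zend_extension"}
LINE = re.compile(r"^\s*([^;\[=\s][^=]*?)\s*=\s*(.*?)\s*$")  # key = value


def parse_ini(path):
    """Yield (key, value) pairs from one ini file, skipping comments and [sections]."""
    for raw in Path(path).read_text().splitlines():
        m = LINE.match(raw)
        if m:
            # Simplified: drop a trailing " ; comment" and surrounding quotes.
            value = re.sub(r"\s+;.*$", "", m.group(2)).strip('"')
            yield m.group(1), value


def effective_config(php_ini, scan_dir):
    """Merge php.ini, then scan_dir/*.ini in sorted order; the last value wins."""
    files = [Path(php_ini)] + sorted(Path(scan_dir).glob("*.ini"))
    final, overrides = {}, []
    for f in files:
        for key, value in parse_ini(f):
            if key in REPEATABLE:
                final.setdefault(key, []).append((value, f.name))
                continue
            if key in final and final[key][0] != value:
                overrides.append((key, final[key], (value, f.name)))
            final[key] = (value, f.name)
    return final, overrides


def demo():
    """Constructed sample tree: a hardened php.ini weakened by a conf.d drop-in."""
    root = Path(tempfile.mkdtemp())
    (root / "conf.d").mkdir()
    (root / "php.ini").write_text("[PHP]\ndisplay_errors = Off\nexpose_php = Off\n")
    (root / "conf.d" / "20-curl.ini").write_text("extension=curl\n")
    (root / "conf.d" / "10-mysqlnd.ini").write_text("extension=mysqlnd\n")
    (root / "conf.d" / "99-local.ini").write_text("; dev leftover\ndisplay_errors = On\n")
    return effective_config(root / "php.ini", root / "conf.d")


if __name__ == "__main__":
    final, overrides = demo()
    for key, old, new in overrides:
        print(f"{key}: {old[0]} ({old[1]}) -> {new[0]} ({new[1]})")
```

Scanning php.ini alone would report display_errors as Off here; the override list shows that 99-local.ini turns it back On.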