%TOC%
---++ Why configuration?
The configuration file is used to configure the security-analysis within php-sat. It contains information about three things:
* Which variables bring tainted data into the script
* Which functions/constructs can make this data safe
* Which SafetyLevel the parameters of a function should have
This information can differ between projects and between configurations of PHP. The most obvious example is the [[http://www.php.net/magic_quotes][magic quotes]] directive: when it is enabled, PHP escapes quotes in the incoming request data, so the input arrays enter the script with a higher SafetyLevel (such as escaped-slashes instead of raw-input), which changes the result of the security analysis directly. Note that the directive was removed in PHP 5.4, so a configuration written for a setup that relied on it must not be reused unchanged on newer PHP.
---++ Format
The format of the configuration file is best explained with the following example file (the line numbers are for reference only and are not part of the file):
1: [tainted sources]
2: array: _SERVER level: escaped-slashes
3: function: file_get_contents level: raw-input
4: [sensitive sinks]
5: construct: echo ( escaped-html && escaped-slashes )
6: function: mail ( matched-string || string-from-list, matched-string, matched-string )
7: [function result]
8: function: addslashes level: escaped-slashes
1 Starts the section that lists the sources of TaintedData. Every source that brings TaintedData into your script should be defined here.
1 An input array is declared as a TaintedData source with the keyword =array:= and the name of the array, followed by a SafetyLevel. A SafetyLevel is declared by =level: safety-level-name=.
1 A function is declared as a TaintedData source in the same way, but with the keyword =function:=.
1 Starts the SensitiveSink section of the configuration file. Every function and construct whose parameters should be checked against a precondition should be defined here.
1 The precondition for a construct is defined by the keyword =construct:= followed by the name of the construct and, between parentheses, a precondition for the parameters you want to check. SafetyLevels can be combined with the =&&= (and) and =||= (or) operators, which work as expected.
1 Functions are declared as a SensitiveSink in the same way as constructs, but with the keyword =function:=. This line also shows how preconditions for multiple parameters are given: one precondition per parameter, separated by commas, in parameter order.
1 Starts the section that defines the functions that make data safe. Every function that changes the SafetyLevel of the data it processes should be defined here; a function that is not listed is not credited with making its input any safer.
1 The SafetyLevel of the result of a function is defined by the keyword =function:= followed by the name of the function and a SafetyLevel.
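The format above, as an added example that is not part of php-sat: a small Python parser for the three sections, plus a toy checker that tests a sink's precondition against the SafetyLevels a value has accumulated. Assumptions not stated on this page: =&&= binds tighter than =||= (as in PHP), a =[function result]= entry adds its level to the levels the data already has, and a function not listed there yields raw-input. The sample configuration is the one shown above; the calls in the demonstration are constructed.

```python
"""Parser and toy checker for the php-sat configuration format described on
this page.  Added illustration, not php-sat's own implementation."""
import re
from dataclasses import dataclass, field

# Constructed sample: the example configuration from this page.
SAMPLE_CONFIG = """\
[tainted sources]
array: _SERVER level: escaped-slashes
function: file_get_contents level: raw-input

[sensitive sinks]
construct: echo ( escaped-html && escaped-slashes )
function: mail ( matched-string || string-from-list, matched-string, matched-string )

[function result]
function: addslashes level: escaped-slashes
"""

RAW_INPUT = "raw-input"  # SafetyLevel of data that nothing has made safe

# A precondition is stored as a disjunction of conjunctions of level names, so
# "a && b || c" becomes [["a", "b"], ["c"]].  Assumption: && binds tighter
# than ||, as in PHP; the page only says the operators "work as expected".
Precondition = list[list[str]]

@dataclass
class Config:
    sources: dict[tuple[str, str], str] = field(default_factory=dict)  # (kind, name) -> level
    sinks: dict[tuple[str, str], list[Precondition]] = field(default_factory=dict)
    results: dict[str, str] = field(default_factory=dict)              # function -> level

_LEVEL = re.compile(r"^(array|function):\s*(\S+)\s+level:\s*(\S+)$")
_SINK = re.compile(r"^(construct|function):\s*(\S+)\s*\((.*)\)$")

def parse_precondition(text: str) -> Precondition:
    disj = [[lvl.strip() for lvl in conj.split("&&")] for conj in text.split("||")]
    if any(not lvl for conj in disj for lvl in conj):
        raise ValueError(f"malformed precondition: {text!r}")
    return disj

def parse_config(text: str) -> Config:
    cfg, section = Config(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section in ("tainted sources", "function result"):
            m = _LEVEL.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'kind: name level: level'")
            kind, name, level = m.groups()
            if section == "tainted sources":
                cfg.sources[(kind, name)] = level
            elif kind != "function":
                raise ValueError(f"line {lineno}: [function result] only takes function: entries")
            else:
                cfg.results[name] = level
        elif section == "sensitive sinks":
            m = _SINK.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'kind: name ( precondition, ... )'")
            kind, name, params = m.groups()
            cfg.sinks[(kind, name)] = [parse_precondition(p) for p in params.split(",")]
        else:
            raise ValueError(f"line {lineno}: entry outside a known section")
    return cfg

def satisfied(pre: Precondition, levels: frozenset) -> bool:
    """A precondition holds if at least one conjunction is fully present."""
    return any(all(lvl in levels for lvl in conj) for conj in pre)

def source_levels(cfg: Config, kind: str, name: str) -> frozenset:
    """SafetyLevel of data read from a configured source (raw-input if unknown)."""
    return frozenset({cfg.sources.get((kind, name), RAW_INPUT)})

def apply_function(cfg: Config, fname: str, levels) -> frozenset:
    """Levels after passing data through fname.  Assumption (not on the page):
    a [function result] entry adds its level to what the data already has;
    a function not listed there yields raw-input."""
    if fname in cfg.results:
        return frozenset(levels) | {cfg.results[fname]}
    return frozenset({RAW_INPUT})

def check_sink(cfg: Config, kind: str, name: str, arg_levels) -> list:
    """Indices of arguments that fail the sink's precondition; arguments beyond
    the configured preconditions are not checked."""
    pre = cfg.sinks[(kind, name)]
    return [i for i, (p, lv) in enumerate(zip(pre, arg_levels)) if not satisfied(p, lv)]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    host = source_levels(cfg, "array", "_SERVER")        # echo $_SERVER['HTTP_HOST'];
    print("echo $_SERVER[...] failing args:", check_sink(cfg, "construct", "echo", [host]))
    body = apply_function(cfg, "addslashes", source_levels(cfg, "function", "file_get_contents"))
    print("levels after addslashes(file_get_contents(...)):", sorted(body))
```

With the sample configuration, =echo $_SERVER[...]= is reported because the data only has escaped-slashes and the sink demands escaped-html as well; passing the result of =file_get_contents= through =addslashes= gains escaped-slashes but nothing more, which is exactly what the =[function result]= section promises.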
---++ Default configuration
The default configuration that is used by php-sat can be found under _prefix_ /share/php-sat and is called *PHP-SAT.ini*.
%X% %RED% Editing the default configuration file will *not* influence php-sat directly.
%X% After you have altered the file you should pass it to php-sat using the =-cf f | --config-file f= flag.%ENDCOLOR%
The default configuration is currently very small. If you have an improved version please share it with us.