%TOC%

---++ Why configuration?

The configuration file is used to configure the security analysis within php-sat. It contains information about three things:

   * Which variables bring tainted data into the script
   * Which functions/constructs can make this data safe
   * Which SafetyLevel the parameters of a function should have

This information can differ between projects and configurations of PHP. The most obvious example would be the [[http://www.php.net/magic_quotes][magic quotes]] directive. This directive influences the security algorithm directly, because the input data will have a higher SafetyLevel.

---++ Format

The format of the configuration file is best explained with the following example file:

<verbatim>
1: [tainted sources]
2: array:     _SERVER           level: escaped-slashes
3: function:  file_get_contents level: raw-input
4: [sensitive sinks]
5: construct: echo ( escaped-html && escaped-slashes )
6: function:  mail ( matched-string || string-from-list, matched-string, matched-string )
7: [function result]
8: function:  addslashes        level: escaped-slashes
</verbatim>

   1 Starts the section that lists the sources of TaintedData in the configuration file. All sources that bring TaintedData into your script should be defined here.
   1 An input array can be declared as bringing in TaintedData by giving the keyword =array:= and the name, followed by a SafetyLevel. A SafetyLevel is declared by =level: safety-level-name=.
   1 A function can be declared as a TaintedData source in the same way, but the keyword is =function:=.
   1 Starts the SensitiveSink section of the configuration file. All functions and constructs that should be checked for preconditions should be defined here.
   1 The precondition for a construct can be defined by the keyword =construct:= followed by the name of the construct. This should be followed by a precondition for the parameters you want to check. SafetyLevels can be combined with the =&&= (and) or =||= (or) operator. These operators have their usual boolean meaning.
   1 Functions can be defined as a SensitiveSink in the same way as constructs, but the keyword is =function:=. This line also gives an example of the definition of preconditions for multiple parameters.
   1 Starts the section that defines the functions that make the data safe. All functions that can influence data should be defined in this section.
   1 Defining the SafetyLevel of the result of a function can be done by using the =function:= keyword followed by a name and a SafetyLevel.

---++ Default configuration

The default configuration that is used by php-sat can be found under _prefix_ /share/php-sat and is called *PHP-SAT.ini*.

%X% %RED% Editing the default configuration file will *not* influence php-sat directly.
%X% After you have altered the file you should pass it to php-sat using the =-cf f | --config-file f= flag.%ENDCOLOR%

The default configuration is currently very small. If you have an improved version, please share it with us.
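To make the Format section concrete, here is a small parser and precondition checker for the configuration file layout shown above. This is an added example written for this page; it is not code from php-sat itself, and the function names (=parse_config=, =holds=, =check_call=), the dictionary layout of the result, and the choice that =&&= binds tighter than =||= are assumptions of this example, not something the page states. The sample configuration embedded in the code is the page's example file with its line numbers removed.

```python
"""Parser and precondition checker for the php-sat configuration format.
Added example, not php-sat's own code. Assumption: '&&' binds tighter than '||'."""
import re
from typing import Dict, List, Set, Union

# Constructed sample: the example file from the page, line numbers stripped.
SAMPLE_CONFIG = """
[tainted sources]
array:     _SERVER           level: escaped-slashes
function:  file_get_contents level: raw-input
[sensitive sinks]
construct: echo ( escaped-html && escaped-slashes )
function:  mail ( matched-string || string-from-list, matched-string, matched-string )
[function result]
function:  addslashes        level: escaped-slashes
"""

Expr = Union[str, tuple]  # a SafetyLevel name, or ('and'|'or', Expr, Expr)

_SECTION = re.compile(r"^\[(.+)\]$")
_LEVEL_LINE = re.compile(r"^(array|function):\s*(\S+)\s+level:\s*(\S+)$")
_SINK_LINE = re.compile(r"^(construct|function):\s*(\S+)\s*(\(.*\))$")
_TOKEN = re.compile(r"\(|\)|,|&&|\|\||[\w-]+")


def _parse_precondition(tokens: List[str]) -> Expr:
    """Recursive descent over one parameter: or := and ('||' and)*, and := atom ('&&' atom)*."""
    def parse_or():
        left = parse_and()
        while tokens and tokens[0] == "||":
            tokens.pop(0)
            left = ("or", left, parse_and())
        return left

    def parse_and():
        left = parse_atom()
        while tokens and tokens[0] == "&&":
            tokens.pop(0)
            left = ("and", left, parse_atom())
        return left

    def parse_atom():
        tok = tokens.pop(0)
        if tok == "(":  # nested grouping, e.g. (a || b) && c
            inner = parse_or()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in precondition")
            return inner
        if tok in ("&&", "||", ",", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return tok

    return parse_or()


def _parse_param_list(text: str) -> List[Expr]:
    """'( e1, e2, e3 )' -> one parsed precondition per parameter position."""
    tokens = _TOKEN.findall(text)
    if not tokens or tokens.pop(0) != "(":
        raise ValueError("parameter list must start with '('")
    params: List[Expr] = []
    while True:
        params.append(_parse_precondition(tokens))
        sep = tokens.pop(0)
        if sep == ")":
            break
        if sep != ",":
            raise ValueError(f"expected ',' or ')' but found {sep!r}")
    if tokens:
        raise ValueError("trailing tokens after parameter list")
    return params


def parse_config(text: str) -> Dict[str, list]:
    """Parse the three sections; blank lines are skipped, unknown sections rejected."""
    config: Dict[str, list] = {"tainted sources": [], "sensitive sinks": [], "function result": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
            if section not in config:
                raise ValueError(f"unknown section [{section}]")
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line}")
        if section == "sensitive sinks":
            m = _SINK_LINE.match(line)
            if not m:
                raise ValueError(f"bad sink line: {line}")
            kind, name, params = m.groups()
            config[section].append({"kind": kind, "name": name, "preconditions": _parse_param_list(params)})
        else:  # tainted sources and function result share the 'level:' layout
            m = _LEVEL_LINE.match(line)
            if not m:
                raise ValueError(f"bad level line: {line}")
            kind, name, level = m.groups()
            config[section].append({"kind": kind, "name": name, "level": level})
    return config


def holds(expr: Expr, levels: Set[str]) -> bool:
    """True if the SafetyLevels a value has reached satisfy the precondition."""
    if isinstance(expr, str):
        return expr in levels
    op, left, right = expr
    if op == "and":
        return holds(left, levels) and holds(right, levels)
    return holds(left, levels) or holds(right, levels)


def check_call(config: Dict[str, list], kind: str, name: str, arg_levels: List[Set[str]]) -> List[int]:
    """0-based indices of arguments violating the sink's precondition; [] means accepted.
    A construct/function absent from the config has no precondition and is accepted."""
    for sink in config["sensitive sinks"]:
        if sink["kind"] == kind and sink["name"] == name:
            pairs = zip(sink["preconditions"], arg_levels)
            return [i for i, (pre, lv) in enumerate(pairs) if not holds(pre, lv)]
    return []


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # echo needs both levels; a value that is only HTML-escaped is flagged (-> [0]).
    print(check_call(cfg, "construct", "echo", [{"escaped-html"}]))
    # mail: third argument is raw input, so parameter index 2 is flagged (-> [2]).
    print(check_call(cfg, "function", "mail", [{"string-from-list"}, {"matched-string"}, {"raw-input"}]))
```

The checker is deliberately minimal: each argument is represented by the set of SafetyLevels it has reached, and a call is accepted only when every parameter's precondition holds over that set, which is exactly the rule the sink section expresses.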