Set default array index blacklist to '"+-<>;()

3 files changed, 14 insertions, 4 deletions

diff --git a/Changelog b/Changelog
index 947d2a8..eb717de 100644
--- a/Changelog
+++ b/Changelog
@@ -15,6 +15,7 @@
     - Fixed potential NULL-pointer dereference with func.blacklist and logging
     - Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
     - Added new array index filter (character whitelist/blacklist)
+    - Set default array index blacklist to '"+-<>;()
     - Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
     - Added simple script to create binary Debian package
     - Fixed additional recursion problems with session handler
diff --git a/suhosin.c b/suhosin.c
index 564adf8..059e49d 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -822,7 +822,7 @@ PHP_INI_BEGIN()
         STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)
                 STD_PHP_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_whitelist, zend_suhosin_globals, suhosin_globals)
-                STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
+                STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "'\"+-<>;()", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)
     
diff --git a/suhosin.ini b/suhosin.ini
index 6887c09..f844b9e 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -338,6 +338,8 @@
 ; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
 ; specified, then the blacklist is evaluated.
 ; 
+; Note: This setting deactivates suhosin.executor.include.blacklist.
+; 
 ;suhosin.executor.include.whitelist = 
 ;
 
@@ -377,6 +379,8 @@
 ; whitelist is empty the blacklist is evaluated, otherwise calling a function not
 ; in the whitelist will terminate the script and get logged.
 ; 
+; Note: This setting deactivates suhosin.executor.func.blacklist.
+; 
 ;suhosin.executor.func.whitelist = 
 ;
 
@@ -402,6 +406,8 @@
 ; calling a function not in the whitelist will terminate the script and get
 ; logged. Please read the instructions carefully.
 ; 
+; Note: This setting deactivates suhosin.executor.eval.blacklist.
+; 
 ;suhosin.executor.eval.whitelist = 
 ;
 
@@ -901,6 +907,8 @@
 ; In case some cookies should not be encrypted this is a comma separated list of
 ; cookies that do not get encrypted. All other cookies will be encrypted.
 ; 
+; Note: This setting deactivates suhosin.cookie.cryptlist.
+; 
 ;suhosin.cookie.plainlist = 
 ;
 
@@ -1197,12 +1205,11 @@
 ; suhosin.request.array_index_blacklist
 ; -------------------------------------
 ; * Type: String
-; * Default:
-; * Example: ";-+"
+; * Default: "'\"+-<>;()"
 ; 
 ; Defines a character blacklist for array indices not allowed in user input.
 ; 
-;suhosin.request.array_index_blacklist = 
+;suhosin.request.array_index_blacklist = "'\"+-<>;()"
 ;
 
 ; suhosin.request.array_index_whitelist
@@ -1213,6 +1220,8 @@
 ; 
 ; Defines a character whitelist for array indices allowed in user input.
 ; 
+; Note: This setting deactivates suhosin.request.array_index_blacklist.
+; 
 ;suhosin.request.array_index_whitelist = 
 ;