From cc9ccec7297ebb1853e0fbca6ba9a686583e5a45 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Tue, 18 Nov 2014 20:49:30 +0100
Subject: Set default array index blacklist to '"+-<>;()
---
 Changelog | 1 +
 suhosin.c | 2 +-
 suhosin.ini | 15 ++++++++++++---
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/Changelog b/Changelog
index 947d2a8..eb717de 100644
--- a/Changelog
+++ b/Changelog
@@ -15,6 +15,7 @@
  - Fixed potential NULL-pointer dereference with func.blacklist and logging
  - Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
  - Added new array index filter (character whitelist/blacklist)
+ - Set default array index blacklist to '"+-<>;()
  - Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
  - Added simple script to create binary Debian package
  - Fixed additional recursion problems with session handler
diff --git a/suhosin.c b/suhosin.c
index 564adf8..059e49d 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -822,7 +822,7 @@ PHP_INI_BEGIN()
  STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)
  STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)
  STD_PHP_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_whitelist, zend_suhosin_globals, suhosin_globals)
- STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
+ STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "'\"+-<>;()", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
  STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)
  STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)
diff --git a/suhosin.ini b/suhosin.ini
index 6887c09..f844b9e 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -338,6 +338,8 @@
 ; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
 ; specified, then the blacklist is evaluated.
 ;
+; Note: This setting deactivates suhosin.executor.include.blacklist.
+;
 ;suhosin.executor.include.whitelist =
 ;
@@ -377,6 +379,8 @@
 ; whitelist is empty the blacklist is evaluated, otherwise calling a function not
 ; in the whitelist will terminate the script and get logged.
 ;
+; Note: This setting deactivates suhosin.executor.func.blacklist.
+;
 ;suhosin.executor.func.whitelist =
 ;
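Review bot: The replaced STD_PHP_INI_ENTRY line turns suhosin.request.array_index_blacklist from an opt-in filter into one that is active on every installation that never set the option, and nothing at the entry records that this default is a deliberate hardening choice with an upgrade-compatibility cost (request variables whose array index contains one of `'"+-<>;()` are presumably no longer accepted as before, whatever the filter does with them). A one-line comment above the entry would save the next maintainer a trip to the Changelog, e.g. `/* non-empty default on purpose: request array indices containing any of these characters are filtered unless the option is overridden; see suhosin.ini */`. The C literal `"'\"+-<>;()"` and the ini example `"'\"+-<>;()"` decode to the same nine characters only because both the C compiler and the ini scanner unescape `\"`; a test that reads the default back through the INI layer and compares it with the intended character set would pin that. The PHP_INI_BEGIN() table starts and ends outside the hunk.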
@@ -402,6 +406,8 @@
 ; calling a function not in the whitelist will terminate the script and get
 ; logged. Please read the instructions carefully.
 ;
+; Note: This setting deactivates suhosin.executor.eval.blacklist.
+;
 ;suhosin.executor.eval.whitelist =
 ;
@@ -901,6 +907,8 @@
 ; In case some cookies should not be encrypted this is a comma separated list of
 ; cookies that do not get encrypted. All other cookies will be encrypted.
 ;
+; Note: This setting deactivates suhosin.cookie.cryptlist.
+;
 ;suhosin.cookie.plainlist =
 ;
@@ -1197,12 +1205,11 @@
 ; suhosin.request.array_index_blacklist
 ; -------------------------------------
 ; * Type: String
-; * Default:
-; * Example: ";-+"
+; * Default: "'\"+-<>;()"
 ;
 ; Defines a character blacklist for array indices not allowed in user input.
 ;
-;suhosin.request.array_index_blacklist =
+;suhosin.request.array_index_blacklist = "'\"+-<>;()"
 ;
 ; suhosin.request.array_index_whitelist
@@ -1213,6 +1220,8 @@
 ;
 ; Defines a character whitelist for array indices allowed in user input.
 ;
+; Note: This setting deactivates suhosin.request.array_index_blacklist.
+;
 ;suhosin.request.array_index_whitelist =
 ;
--
cgit v1.3
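Review bot: The suhosin.request.array_index_blacklist section in the `@@ -1197` hunk now documents the default, but it still does not say what the filter does with a request variable whose index matches, nor that a value set here replaces the default list rather than extending it; both matter now that the filter is on by default. If an empty value switches the blacklist off, as the previous empty default suggests, a line such as `; Setting this option replaces the default list; an empty value disables the blacklist.` belongs under the "Defines a character blacklist" sentence. The default is written in double quotes with `\"`, which relies on the ini scanner unescaping `\"`; a short remark that the value must be quoted this way because it contains both quote characters would preempt copy-paste mistakes.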