diff options
| author | santii-git | 2025-09-30 13:03:26 -0300 |
|---|---|---|
| committer | Julien Voisin | 2025-09-30 21:47:12 +0200 |
| commit | cfb22fc95c6a9acab607dfd30cdfe9fe05cbb69d (patch) | |
| tree | e015ab233a0dc7f17ccaa2cd66225589e557b004 /config/default.rules | |
| parent | 41da9b8265dc8c2e916eb15f480496d6239420dd (diff) | |
Make the default rules compatible via PHP8
Diffstat (limited to 'config/default.rules')
| -rw-r--r-- | config/default.rules | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/config/default.rules b/config/default.rules index 81c4072..c528191 100644 --- a/config/default.rules +++ b/config/default.rules | |||
| @@ -61,11 +61,20 @@ sp.disable_function.function("mail").param("additional_params").value_r("\\-").d | |||
| 61 | @end_condition; | 61 | @end_condition; |
| 62 | 62 | ||
| 63 | # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 | 63 | # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 |
| 64 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop(); | 64 | @condition PHP_VERSION_ID < 80000; |
| 65 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() | ||
| 66 | @condition PHP_VERSION_ID >= 80000; | ||
| 67 | sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() | ||
| 68 | @end_condition; | ||
| 65 | 69 | ||
| 66 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector | 70 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector |
| 67 | sp.disable_function.function("extract").pos("0").value_r("^_").drop(); | 71 | @condition PHP_VERSION_ID < 80000; |
| 68 | sp.disable_function.function("extract").pos("1").value("0").drop(); | 72 | sp.disable_function.function("extract").pos("0").value_r("^_").drop() |
| 73 | sp.disable_function.function("extract").pos("1").value("0").drop() | ||
| 74 | @condition PHP_VERSION_ID >= 80000; | ||
| 75 | sp.disable_function.function("extract").param("array").value_r("^_").drop() | ||
| 76 | sp.disable_function.function("extract").param("flags").value("0").drop() | ||
| 77 | @end_condition; | ||
| 69 | 78 | ||
| 70 | # This is also burned: | 79 | # This is also burned: |
| 71 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); | 80 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); |
| @@ -90,12 +99,6 @@ sp.disable_function.function("include").drop(); | |||
| 90 | 99 | ||
| 91 | # Prevent `system`-related injections | 100 | # Prevent `system`-related injections |
| 92 | sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | 101 | sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); |
| 93 | sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | ||
| 94 | sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | ||
| 95 | sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | ||
| 96 | |||
| 97 | # Prevent `system`-related injections | ||
| 98 | sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | ||
| 99 | @condition PHP_VERSION_ID < 80000; | 102 | @condition PHP_VERSION_ID < 80000; |
| 100 | sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | 103 | sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); |
| 101 | @condition PHP_VERSION_ID >= 80000; | 104 | @condition PHP_VERSION_ID >= 80000; |