Add some documentation in the default rules.

author: jvoisin 2023-11-03 16:40:45 +0100
committer: jvoisin 2023-11-03 16:40:45 +0100
commit: 320b3f831f755e6bd4c7ac0334d719bb4b778723 (patch)
tree: 6761d4eaa94a478607b6f26ad660f5e1a38c7e4f /config/default_php8.rules
parent: cb3d7aed877ce2a0952c00f1950d57c72d664b49 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 4773b4e..580ba0a 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -52,8 +52,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
 sp.disable_function.function("extract").param("array").value_r("^_").drop()
 sp.disable_function.function("extract").param("flags").value("0").drop()
-# This is also burned:
+# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
-# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
author	jvoisin	2023-11-03 16:40:45 +0100
committer	jvoisin	2023-11-03 16:40:45 +0100
commit	320b3f831f755e6bd4c7ac0334d719bb4b778723 (patch)
tree	6761d4eaa94a478607b6f26ad660f5e1a38c7e4f /config/default_php8.rules
parent	cb3d7aed877ce2a0952c00f1950d57c72d664b49 (diff)

diff --git a/config/default_php8.rules b/config/default_php8.rules index 4773b4e..580ba0a 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules
@@ -52,8 +52,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
52	sp.disable_function.function("extract").param("array").value_r("^_").drop()	52	sp.disable_function.function("extract").param("array").value_r("^_").drop()
53	sp.disable_function.function("extract").param("flags").value("0").drop()	53	sp.disable_function.function("extract").param("flags").value("0").drop()
54		54
55	# This is also burned:	55	# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
56	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
57	# Since we have no way of matching on two parameters at the same time, we're	56	# Since we have no way of matching on two parameters at the same time, we're
58	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.	57	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
59	# Moreover, there are non-public bypasses that are also using this vector ;)	58	# Moreover, there are non-public bypasses that are also using this vector ;)