Whitelist the inclusion of `.phtml` files

This is the extension used by PhpMyAdmin
author: jvoisin 2018-07-23 16:46:14 +0200
committer: jvoisin 2018-07-23 16:46:14 +0200
commit: 94fae0f7a5cc1667c1568de775860f7e4f4f403f (patch)
tree: 332a3b627f0fb01616af1d1e4280234eebf30270 /config
parent: a40c6c11be746af62e90eb871c108008d7f91c1d (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/config/default.rules b/config/default.rules
index 6cc67e6..2567f08 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -17,10 +17,10 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
 sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 ##Prevent various `include`-related vulnerabilities
-sp.disable_function.function("require_once").value_r("\.(php|inc)$").allow();
+sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("include_once").value_r("\.(php|inc)$").allow();
+sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("require").value_r("\.(php|inc)$").allow();
+sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("include").value_r("\.(php|inc)$").allow();
+sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require_once").drop()
 sp.disable_function.function("include_once").drop()
 sp.disable_function.function("require").drop()
author	jvoisin	2018-07-23 16:46:14 +0200
committer	jvoisin	2018-07-23 16:46:14 +0200
commit	94fae0f7a5cc1667c1568de775860f7e4f4f403f (patch)
tree	332a3b627f0fb01616af1d1e4280234eebf30270 /config
parent	a40c6c11be746af62e90eb871c108008d7f91c1d (diff)

diff --git a/config/default.rules b/config/default.rules index 6cc67e6..2567f08 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -17,10 +17,10 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
17	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()	17	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
18		18
19	##Prevent various `include`-related vulnerabilities	19	##Prevent various `include`-related vulnerabilities
20	sp.disable_function.function("require_once").value_r("\.(php\|inc)$").allow();	20	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php)$").allow();
21	sp.disable_function.function("include_once").value_r("\.(php\|inc)$").allow();	21	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();
22	sp.disable_function.function("require").value_r("\.(php\|inc)$").allow();	22	sp.disable_function.function("require").value_r("\.(inc\|phtml\|php)$").allow();
23	sp.disable_function.function("include").value_r("\.(php\|inc)$").allow();	23	sp.disable_function.function("include").value_r("\.(inc\|phtml\|php)$").allow();
24	sp.disable_function.function("require_once").drop()	24	sp.disable_function.function("require_once").drop()
25	sp.disable_function.function("include_once").drop()	25	sp.disable_function.function("include_once").drop()
26	sp.disable_function.function("require").drop()	26	sp.disable_function.function("require").drop()