Eval blacklist

Add support for eval filtering, only blacklist for now
author: jvoisin 2018-01-04 15:59:59 +0100
committer: GitHub 2018-01-04 15:59:59 +0100
commit: 3b113be573cdbca20ce9ec9c0a6efb25ccf51db5 (patch)
tree: 5fabbd1da7cd740f26354ffbd2234eba71ffdead /doc/source/features.rst
parent: 84e423300c440e96c34ada2620e0f78f827592e8 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index afe139a..8ecf57d 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
 would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
+.. _eval-feature:
+White and blacklist in ``eval``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+While `eval <https://secure.php.net/manual/en/function.eval.php>`__ is a
+dangerous primitive, tricky to use right, with almost no legitimate usage
+besides templating and building mathematical expressions based on user input,
+it's broadly (mis)used all around the web.
+Snuffleupagus provides a white and blacklist mechanism, to explicitly allow
+and forbid specific functions call from being issued inside ``eval``.
 Protection against cross site request forgery
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
author	jvoisin	2018-01-04 15:59:59 +0100
committer	GitHub	2018-01-04 15:59:59 +0100
commit	3b113be573cdbca20ce9ec9c0a6efb25ccf51db5 (patch)
tree	5fabbd1da7cd740f26354ffbd2234eba71ffdead /doc/source/features.rst
parent	84e423300c440e96c34ada2620e0f78f827592e8 (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index afe139a..8ecf57d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
321	would be to use a different user to run PHP than for administrating the website,	321	would be to use a different user to run PHP than for administrating the website,
322	and using this feature to lock this up.	322	and using this feature to lock this up.
323		323
		324	.. _eval-feature:
		325
		326	White and blacklist in ``eval``
		327	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		328
		329	While `eval <https://secure.php.net/manual/en/function.eval.php>`__ is a
		330	dangerous primitive, tricky to use right, with almost no legitimate usage
		331	besides templating and building mathematical expressions based on user input,
		332	it's broadly (mis)used all around the web.
		333
		334	Snuffleupagus provides a white and blacklist mechanism, to explicitly allow
		335	and forbid specific functions call from being issued inside ``eval``.
		336
324		337
325	Protection against cross site request forgery	338	Protection against cross site request forgery
326	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^	339	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^