authorjvoisin2017-12-21 17:41:42 +0100
committerjvoisin2017-12-21 17:41:53 +0100
commitc399f66db5eefaecce065d4f5ea7dcc725b8e106 (patch)
tree426f78f1023a7dd41dc72b711bc6c309f3472de0 /doc/source
parent185eb9601fe179efb160126a7a94a7a7e5c6924e (diff)
Improve a bit the documentation wrt. limitations
Diffstat (limited to 'doc/source')
-rw-r--r--doc/source/config.rst21
-rw-r--r--doc/source/features.rst2
2 files changed, 18 insertions, 5 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index ceb23bb..5e323db 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -322,7 +322,7 @@ The ``param`` filter is also able to do some dereferencing:
322 322
323The ``filename`` filter requires a leading ``/``, since paths are absolutes (like ``/var/www/mywebsite/lib/parse.php``). 323The ``filename`` filter requires a leading ``/``, since paths are absolutes (like ``/var/www/mywebsite/lib/parse.php``).
324If you would like to have only one configuration file for several vhost in different folders, 324If you would like to have only one configuration file for several vhost in different folders,
325you can use the the ``filename_r`` directive to match on the filename (like ``/lib/parse\.php``). 325you can use the ``filename_r`` directive to match on the filename (like ``/lib/parse\.php``).
326 326
327For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**. 327For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**.
328 328
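Review bot: while this hunk is already touching the "the the" duplication on line 325, the neighbouring wording problems on lines 323-324 should be fixed in the same pass: "paths are absolutes" should read "paths are absolute", and "several vhost in different folders" should read "several vhosts in different folders". Leaving them means another one-word documentation commit later.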
@@ -333,9 +333,22 @@ For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**.
333 more narrowed way later, the call will be denied, 333 more narrowed way later, the call will be denied,
334 because it'll match the deny first. 334 because it'll match the deny first.
335 335
336If you're paranoid, we're providing a php script to automatically generate 336If you're paranoid, we're providing a `php script
337hash of files containing dangerous functions, 337<https://github.com/nbs-system/snuffleupagus/blob/master/scripts/generate_rules.php>`__
338and blacklisting them everywhere else. 338to automatically generate hash of files containing dangerous functions, and
339blacklisting them everywhere else.
340
341Limitations
342^^^^^^^^^^^
343
344It's currently not possible to:
345
346- Hook every `language construct <https://secure.php.net/manual/en/reserved.keywords.php>`__,
347 because each of them requires a specific implementation.
348- Hook on the return value of user-defined functions
349- Use extra-convoluted rulesfor matching, like ``${$A}$$B->${'}[1]``, because if you're writing
350 things like this, odds are that you're doing something wrong anyway.
351
339 352
340Examples 353Examples
341^^^^^^^^ 354^^^^^^^^
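Review bot: "rulesfor" on line 349 is missing a space ("extra-convoluted rules for matching"), and the new sentence on lines 338-339 does not parse: "generate hash of files containing dangerous functions, and blacklisting them" should be "generate hashes of the files containing dangerous functions, and blacklist those functions everywhere else", so that both verbs hang off "to automatically" and it is clear that the functions, not the files, are what gets blacklisted. Two smaller points in the same hunk: lines 351 and 352 leave two consecutive blank lines before the "Examples" heading where the rest of the file uses one, and the second and third list items under "Limitations" lack the trailing period the first item has.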
diff --git a/doc/source/features.rst b/doc/source/features.rst
index e560925..ee39682 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -274,7 +274,7 @@ disable them - at the risk of breaking critical features.
274Snuffleupagus allows the user to restrict usage of specific functions per file, or per 274Snuffleupagus allows the user to restrict usage of specific functions per file, or per
275file with a matching (sha256) hash, thus allowing the use of such functions **only** in the intended places. 275file with a matching (sha256) hash, thus allowing the use of such functions **only** in the intended places.
276 276
277Furthermore, running the `following script <FIXME>`_ will generate an hash and line-based whitelist 277Furthermore, running the `following script <https://github.com/nbs-system/snuffleupagus/blob/master/scripts/generate_rules.php>`_ will generate an hash and line-based whitelist
278of dangerous functions, droping them everywhere else: 278of dangerous functions, droping them everywhere else:
279 279
280 280
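Review bot: since line 277 is being rewritten anyway to replace the FIXME, "generate an hash and line-based whitelist" should become "generate a hash- and line-based whitelist", and the unchanged line 278 still has "droping" (should be "dropping"); both belong in this commit. Consider also whether a hard-coded link to the master branch on GitHub is the right target for documentation that ships with the extension: the script lives in the repository's own scripts/ directory, and a link to the master copy can drift from the version a reader actually has installed.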