Eval blacklist

Add support for eval filtering, only blacklist for now

2 files changed, 27 insertions, 0 deletions

diff --git a/doc/source/config.rst b/doc/source/config.rst
index e42cb99..d16474f 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -246,6 +246,20 @@ disable_xxe
   sp.disable_xxe.enable();
 
 
+Eval white and blacklist
+^^^^^^^^^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ * :ref:`more <eval-feature>`
+
+``eval_filter`` allows to specify white and blacklist of functions allowed and
+forbidden from being called inside ``eval``. The functions names are comma-separated.
+
+::
+
+  sp.eval_filter.blacklist("system,exec,shell_exec");
+  sp.eval_filter.whitelist("strlen,strcmp").simulation();
+
+
 Virtual-patching
 ----------------
 
diff --git a/doc/source/features.rst b/doc/source/features.rst
index afe139a..8ecf57d 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
 would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
 
+.. _eval-feature:
+
+White and blacklist in ``eval``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+While `eval <https://secure.php.net/manual/en/function.eval.php>`__ is a
+dangerous primitive, tricky to use right, with almost no legitimate usage
+besides templating and building mathematical expressions based on user input,
+it's broadly (mis)used all around the web.
+
+Snuffleupagus provides a white and blacklist mechanism, to explicitly allow
+and forbid specific functions call from being issued inside ``eval``.
+
 
 Protection against cross site request forgery
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^