| author | Christian Göttsche | 2024-05-27 21:33:00 +0200 |
|---|---|---|
| committer | jvoisin | 2024-06-09 17:16:16 +0200 |
| commit | c7ce5c3528e8da8762e6e7067001549e109397ba | |
| tree | 4c9606730af25a8f893193b7cc5cb718a20c3f35 /doc | |
| parent | 849252c6a48b428dde3ad8930b40a2bdf9874cb7 | |
Add option to specify the allowed "php" wrapper types
In addition to the current possibility to filter wrappers by their
protocol name, also add the option to filter the "php" wrapper by the
requested kind.
Especially the 'filter' backend can be disabled that way.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/source/config.rst | 11 |
| -rw-r--r-- | doc/source/features.rst | 16 |
2 files changed, 26 insertions, 1 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst index 9781046..75392d7 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst | |||
| @@ -395,6 +395,17 @@ to explicitly whitelist some `stream wrappers <https://secure.php.net/manual/en/ | |||
| 395 | sp.wrappers_whitelist.list("file,php,phar"); | 395 | sp.wrappers_whitelist.list("file,php,phar"); |
| 396 | 396 | ||
| 397 | 397 | ||
| 398 | Allowlist of the php stream-wrapper | ||
| 399 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 400 | |||
| 401 | :ref:`The php-stream-wrapper allowlist <php-stream-wrapper-allowlist-feature>` | ||
| 402 | allows to explicitly allow the builtin `php streams <https://www.php.net/manual/en/wrappers.php.php>`__. | ||
| 403 | |||
| 404 | :: | ||
| 405 | |||
| 406 | sp.wrappers_whitelist.php_list("stdout,stdin,stderr"); | ||
| 407 | |||
| 408 | |||
| 398 | Eval white and blacklist | 409 | Eval white and blacklist |
| 399 | ^^^^^^^^^^^^^^^^^^^^^^^^ | 410 | ^^^^^^^^^^^^^^^^^^^^^^^^ |
| 400 | 411 | ||
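Review bot: the new config section (lines 401-406) does not say how `sp.wrappers_whitelist.php_list` relates to `sp.wrappers_whitelist.list`: whether `php` must still be present in the wrapper allowlist (as in the example `sp.wrappers_whitelist.list("file,php,phar");` just above) for `php_list` to have any effect, and what the behaviour is when `php_list` is not set at all. Readers configuring this will need both answers. Separately, "allows to explicitly allow" (line 402) is ungrammatical and repeats itself; suggest "restricts the builtin `php streams <...>`__ to the listed kinds".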
diff --git a/doc/source/features.rst b/doc/source/features.rst index d7f6f7f..3855f2a 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst | |||
| @@ -381,7 +381,7 @@ and using this feature to lock this up. | |||
| 381 | Whitelist of stream-wrappers | 381 | Whitelist of stream-wrappers |
| 382 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 382 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 383 | 383 | ||
| 384 | Php comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__ | 384 | PHP comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__ |
| 385 | `stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them | 385 | `stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them |
| 386 | are enabled by default. | 386 | are enabled by default. |
| 387 | 387 | ||
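Review bot: the only change in this hunk is the "Php" to "PHP" capitalisation on line 384; since the paragraph is being touched anyway, line 385 should also read "stream wrappers" (plural) so that it agrees with "a lot of different" and with "most of them" on line 386.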
| @@ -397,6 +397,20 @@ Examples of related vulnerabilities | |||
| 397 | - `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__ | 397 | - `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__ |
| 398 | - `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__ | 398 | - `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__ |
| 399 | 399 | ||
| 400 | .. _php-stream-wrapper-allowlist-feature: | ||
| 401 | |||
| 402 | Allowlist of php stream-wrapper | ||
| 403 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 404 | |||
| 405 | The builtin `"php" stream wrapper <https://www.php.net/manual/en/wrappers.php.php>`__ | ||
| 406 | has support for common streams, like ``stdin``, ``stdout`` or ``stderr``, but | ||
| 407 | also for the dangerous ``filter`` one. | ||
| 408 | |||
| 409 | Examples of related vulnerability | ||
| 410 | """"""""""""""""""""""""""""""""" | ||
| 411 | |||
| 412 | - `CNEXT exploits <https://github.com/ambionics/cnext-exploits/>`__ | ||
| 413 | |||
| 400 | .. _eval-feature: | 414 | .. _eval-feature: |
| 401 | 415 | ||
| 402 | White and blacklist in ``eval`` | 416 | White and blacklist in ``eval`` |
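Review bot: the heading on line 409, "Examples of related vulnerability", should be "Examples of related vulnerabilities" to match the heading of the preceding section (visible in the hunk header). The section title on line 402, "Allowlist of php stream-wrapper", also differs from the config.rst heading "Allowlist of the php stream-wrapper", and the neighbouring section still says "Whitelist of stream-wrappers", so the naming should be made consistent. Lines 405-407 call ``filter`` dangerous without saying why; one sentence on what makes it so (the commit message singles out the 'filter' backend, and the existing "Data exfiltration via stream wrapper" link above already points at a php filter based local file inclusion write-up), followed by the corresponding ``sp.wrappers_whitelist.php_list`` line showing how to leave ``filter`` out, would make the feature description self-contained rather than relying on the CNEXT link alone.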
