3 files changed, 16 insertions, 16 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index acf7220..623d4ba 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -6,7 +6,7 @@ First off, thank you for considering contributing to snuffleupagus.
 If you've noticed a bug or have a question,
 look at the [faq](https://snuffleupagus.readthedocs.io/faq.html) and
-[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues) 
+[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues)
 to see if someone else has already created a ticket. If not, go ahead and
 [make one](https://github.com/nbs-system/snuffleupagus/issues/new)!
@@ -25,7 +25,7 @@ git checkout -b 325-kill-sql-injections
 ### 3. Get the test suite running
 Just type `make coverage` or `make debug`, the testsuite should be run
-automatically.
+automatically. Please do add tests if you're fixing a bug or adding a new feature.
 ### 4. Did you find a bug?
@@ -70,7 +70,7 @@ Finally, go to GitHub and [make a Pull Request](https://help.github.com/articles
 Travis CI will run our test suite against all supported PHP versions. We care
 about quality, so your PR won't be merged until all tests pass. It's unlikely,
 but it's possible that your changes pass tests in one PHP version but fail in
-another. In that case, you'll have to setup your development environment 
+another. In that case, you'll have to setup your development environment
 to use the problematic PHP version, and investigate
 what's going on!
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 84fc193..25a6b73 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -38,7 +38,7 @@ global_strict
 ^^^^^^^^^^^^^
 `default: disabled`
-``global_strict`` will enable the `strict <https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict>`_ mode globally, 
+``global_strict`` will enable the `strict <https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict>`_ mode globally,
 forcing PHP to throw a `TypeError <https://secure.php.net/manual/en/class.typeerror.php>`_
 exception if an argument type being passed to a function does not match its corresponding declared parameter type.
@@ -53,7 +53,7 @@ harden_random
 ^^^^^^^^^^^^^
 * `default: enabled`
 * `more <features.html#weak-prng-via-rand-mt-rand>`__
- 
 ``harden_random`` will silently replace the insecure `rand <https://secure.php.net/manual/en/function.rand.php>`_
 and `mt_rand <https://secure.php.net/manual/en/function.mt-rand.php>`_ functions with
 the secure PRNG `random_int <https://secure.php.net/manual/en/function.random-int.php>`_.
@@ -85,7 +85,7 @@ unserialize_hmac
 ^^^^^^^^^^^^^^^^
 * `default: disabled`
 * `more <features.html#unserialize-related-magic>`__
- 
 ``unserialize_hmac`` will add integrity check to ``unserialize`` calls, preventing
 abritrary code execution in their context.
@@ -101,7 +101,7 @@ auto_cookie_secure
 ^^^^^^^^^^^^^^^^^^
 * `default: disabled`
 * `more <features.html#session-cookie-stealing-via-xss>`__
- 
 ``auto_cookie_secure`` will automatically mark cookies as `secure <https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_
 when the web page is requested over HTTPS.
@@ -116,7 +116,7 @@ cookie_encryption
 ^^^^^^^^^^^^^^^^^
 * `default: disabled`
 * `more <features.html#session-cookie-stealing-via-xss>`__
-   
 .. warning::
  To use this feature, you **must** set the :ref:`global.secret_key <config_global>` variable.
@@ -151,7 +151,7 @@ upload_validation
 * `default: disabled`
 * `more <features.html#remote-code-execution-via-file-upload>`__
-``upload_validation`` will call a given script upon a file upload, with the path 
+``upload_validation`` will call a given script upon a file upload, with the path
 to the file being uploaded as argument, and various information about it in the environment:
 * ``SP_FILENAME``: the name of the uploaded file
@@ -192,8 +192,8 @@ Snuffleupagus provides virtual-patching, via the ``disable_functions`` directive
 Admitting you have a call to ``system()`` that lacks proper user-input validation, thus leading to an **RCE**, this might be the right tool.
 ::
-   
-  # Allow `id.php` to restrict system() calls to `id`
+  # Restrict calls to `system` to `id` in the `id.php` file
  sp.disable_functions.function("system").filename("id.php").param("cmd").value("id").allow();
  sp.disable_functions.function("system").filename("id.php").drop()
diff --git a/doc/source/features.rst b/doc/source/features.rst
index bf535e1..fbb2a64 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -3,7 +3,7 @@ Features
 Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes
 killers and virtual-patching. The first category provides primitives to kill various
-bug families (like arbitrary code execution via ``unserialize`` for example) or rise the 
+bug families (like arbitrary code execution via ``unserialize`` for example) or rise the
 cost of exploitation, the second one is a highly configurable system to patch functions in php itself.
 Bug classes killed or mitigated
@@ -171,7 +171,7 @@ It's worth noting that the PHP documentation contains the following warning:
  ``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``.
  Otherwise, ``rand()`` may return poor-quality random numbers.
-  
  --- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_
 This is of course addressed as well by the ``harden_rand`` feature.
@@ -279,7 +279,7 @@ PHP7 introduced a **strict mode**, in which variables won't be coerced anymore,
 and a `TypeError <https://php.net/manual/en/class.typeerror.php>`_ exception will
 be raised if the types aren't matching.
 `Scalar type declarations <https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations>`_
-are optional, but you don't have to used them in your code to benefit from them,
+are optional, but you don't have to use them in your code to benefit from them,
 since every internal function from php has them.
 This option provide a switch to globally activate this strict mode,
@@ -307,7 +307,7 @@ and using this feature to lock this up.
 Dumping capabilities
 ^^^^^^^^^^^^^^^^^^^^
 It's possible to apply the ``dump()`` filter to any virtual-patching rule,
-to dump the complete web request, along with the filename and the corresponding 
+to dump the complete web request, along with the filename and the corresponding
 line number. By using the *right* set of restrictive rules (or by using the
 *overly* restrictives ones in ``simulation`` mode), you might be able
 to gather interesting vulnerabilities used against your website.
@@ -332,7 +332,7 @@ or ``is_callable`` with *suspicious* parameters.
 ``chmod`` hardening
 """""""""""""""""""
-Some PHP applications are using broad rights when using the ``chmod`` function, 
+Some PHP applications are using broad rights when using the ``chmod`` function,
 like the infamous ``chmod(777)`` command, effectively making the file writable by everyone.
 Snuffleupagus is preventing this kind of behaviour by restricting the parameters
 than can be passer to ``chmod``.

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index acf7220..623d4ba 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md
@@ -6,7 +6,7 @@ First off, thank you for considering contributing to snuffleupagus.
6		6
7	If you've noticed a bug or have a question,	7	If you've noticed a bug or have a question,
8	look at the [faq](https://snuffleupagus.readthedocs.io/faq.html) and	8	look at the [faq](https://snuffleupagus.readthedocs.io/faq.html) and
9	[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues)	9	[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues)
10	to see if someone else has already created a ticket. If not, go ahead and	10	to see if someone else has already created a ticket. If not, go ahead and
11	[make one](https://github.com/nbs-system/snuffleupagus/issues/new)!	11	[make one](https://github.com/nbs-system/snuffleupagus/issues/new)!
12		12
@@ -25,7 +25,7 @@ git checkout -b 325-kill-sql-injections
25	### 3. Get the test suite running	25	### 3. Get the test suite running
26		26
27	Just type `make coverage` or `make debug`, the testsuite should be run	27	Just type `make coverage` or `make debug`, the testsuite should be run
28	automatically.	28	automatically. Please do add tests if you're fixing a bug or adding a new feature.
29		29
30	### 4. Did you find a bug?	30	### 4. Did you find a bug?
31		31
@@ -70,7 +70,7 @@ Finally, go to GitHub and [make a Pull Request](https://help.github.com/articles
70	Travis CI will run our test suite against all supported PHP versions. We care	70	Travis CI will run our test suite against all supported PHP versions. We care
71	about quality, so your PR won't be merged until all tests pass. It's unlikely,	71	about quality, so your PR won't be merged until all tests pass. It's unlikely,
72	but it's possible that your changes pass tests in one PHP version but fail in	72	but it's possible that your changes pass tests in one PHP version but fail in
73	another. In that case, you'll have to setup your development environment	73	another. In that case, you'll have to setup your development environment
74	to use the problematic PHP version, and investigate	74	to use the problematic PHP version, and investigate
75	what's going on!	75	what's going on!
76		76


diff --git a/doc/source/config.rst b/doc/source/config.rst index 84fc193..25a6b73 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -38,7 +38,7 @@ global_strict
38	^^^^^^^^^^^^^	38	^^^^^^^^^^^^^
39	`default: disabled`	39	`default: disabled`
40		40
41	``global_strict`` will enable the `strict <https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict>`_ mode globally,	41	``global_strict`` will enable the `strict <https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict>`_ mode globally,
42	forcing PHP to throw a `TypeError <https://secure.php.net/manual/en/class.typeerror.php>`_	42	forcing PHP to throw a `TypeError <https://secure.php.net/manual/en/class.typeerror.php>`_
43	exception if an argument type being passed to a function does not match its corresponding declared parameter type.	43	exception if an argument type being passed to a function does not match its corresponding declared parameter type.
44		44
@@ -53,7 +53,7 @@ harden_random
53	^^^^^^^^^^^^^	53	^^^^^^^^^^^^^
54	* `default: enabled`	54	* `default: enabled`
55	* `more <features.html#weak-prng-via-rand-mt-rand>`__	55	* `more <features.html#weak-prng-via-rand-mt-rand>`__
56		56
57	``harden_random`` will silently replace the insecure `rand <https://secure.php.net/manual/en/function.rand.php>`_	57	``harden_random`` will silently replace the insecure `rand <https://secure.php.net/manual/en/function.rand.php>`_
58	and `mt_rand <https://secure.php.net/manual/en/function.mt-rand.php>`_ functions with	58	and `mt_rand <https://secure.php.net/manual/en/function.mt-rand.php>`_ functions with
59	the secure PRNG `random_int <https://secure.php.net/manual/en/function.random-int.php>`_.	59	the secure PRNG `random_int <https://secure.php.net/manual/en/function.random-int.php>`_.
@@ -85,7 +85,7 @@ unserialize_hmac
85	^^^^^^^^^^^^^^^^	85	^^^^^^^^^^^^^^^^
86	* `default: disabled`	86	* `default: disabled`
87	* `more <features.html#unserialize-related-magic>`__	87	* `more <features.html#unserialize-related-magic>`__
88		88
89	``unserialize_hmac`` will add integrity check to ``unserialize`` calls, preventing	89	``unserialize_hmac`` will add integrity check to ``unserialize`` calls, preventing
90	abritrary code execution in their context.	90	abritrary code execution in their context.
91		91
@@ -101,7 +101,7 @@ auto_cookie_secure
101	^^^^^^^^^^^^^^^^^^	101	^^^^^^^^^^^^^^^^^^
102	* `default: disabled`	102	* `default: disabled`
103	* `more <features.html#session-cookie-stealing-via-xss>`__	103	* `more <features.html#session-cookie-stealing-via-xss>`__
104		104
105	``auto_cookie_secure`` will automatically mark cookies as `secure <https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_	105	``auto_cookie_secure`` will automatically mark cookies as `secure <https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_
106	when the web page is requested over HTTPS.	106	when the web page is requested over HTTPS.
107		107
@@ -116,7 +116,7 @@ cookie_encryption
116	^^^^^^^^^^^^^^^^^	116	^^^^^^^^^^^^^^^^^
117	* `default: disabled`	117	* `default: disabled`
118	* `more <features.html#session-cookie-stealing-via-xss>`__	118	* `more <features.html#session-cookie-stealing-via-xss>`__
119		119
120	.. warning::	120	.. warning::
121		121
122	To use this feature, you must set the :ref:`global.secret_key <config_global>` variable.	122	To use this feature, you must set the :ref:`global.secret_key <config_global>` variable.
@@ -151,7 +151,7 @@ upload_validation
151	* `default: disabled`	151	* `default: disabled`
152	* `more <features.html#remote-code-execution-via-file-upload>`__	152	* `more <features.html#remote-code-execution-via-file-upload>`__
153		153
154	``upload_validation`` will call a given script upon a file upload, with the path	154	``upload_validation`` will call a given script upon a file upload, with the path
155	to the file being uploaded as argument, and various information about it in the environment:	155	to the file being uploaded as argument, and various information about it in the environment:
156		156
157	* ``SP_FILENAME``: the name of the uploaded file	157	* ``SP_FILENAME``: the name of the uploaded file
@@ -192,8 +192,8 @@ Snuffleupagus provides virtual-patching, via the ``disable_functions`` directive
192	Admitting you have a call to ``system()`` that lacks proper user-input validation, thus leading to an RCE, this might be the right tool.	192	Admitting you have a call to ``system()`` that lacks proper user-input validation, thus leading to an RCE, this might be the right tool.
193		193
194	::	194	::
195		195
196	# Allow `id.php` to restrict system() calls to `id`	196	# Restrict calls to `system` to `id` in the `id.php` file
197	sp.disable_functions.function("system").filename("id.php").param("cmd").value("id").allow();	197	sp.disable_functions.function("system").filename("id.php").param("cmd").value("id").allow();
198	sp.disable_functions.function("system").filename("id.php").drop()	198	sp.disable_functions.function("system").filename("id.php").drop()
199		199


diff --git a/doc/source/features.rst b/doc/source/features.rst index bf535e1..fbb2a64 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -3,7 +3,7 @@ Features
3		3
4	Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes	4	Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes
5	killers and virtual-patching. The first category provides primitives to kill various	5	killers and virtual-patching. The first category provides primitives to kill various
6	bug families (like arbitrary code execution via ``unserialize`` for example) or rise the	6	bug families (like arbitrary code execution via ``unserialize`` for example) or rise the
7	cost of exploitation, the second one is a highly configurable system to patch functions in php itself.	7	cost of exploitation, the second one is a highly configurable system to patch functions in php itself.
8		8
9	Bug classes killed or mitigated	9	Bug classes killed or mitigated
@@ -171,7 +171,7 @@ It's worth noting that the PHP documentation contains the following warning:
171		171
172	``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``.	172	``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``.
173	Otherwise, ``rand()`` may return poor-quality random numbers.	173	Otherwise, ``rand()`` may return poor-quality random numbers.
174		174
175	--- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_	175	--- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_
176		176
177	This is of course addressed as well by the ``harden_rand`` feature.	177	This is of course addressed as well by the ``harden_rand`` feature.
@@ -279,7 +279,7 @@ PHP7 introduced a strict mode, in which variables won't be coerced anymore,
279	and a `TypeError <https://php.net/manual/en/class.typeerror.php>`_ exception will	279	and a `TypeError <https://php.net/manual/en/class.typeerror.php>`_ exception will
280	be raised if the types aren't matching.	280	be raised if the types aren't matching.
281	`Scalar type declarations <https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations>`_	281	`Scalar type declarations <https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations>`_
282	are optional, but you don't have to used them in your code to benefit from them,	282	are optional, but you don't have to use them in your code to benefit from them,
283	since every internal function from php has them.	283	since every internal function from php has them.
284		284
285	This option provide a switch to globally activate this strict mode,	285	This option provide a switch to globally activate this strict mode,
@@ -307,7 +307,7 @@ and using this feature to lock this up.
307	Dumping capabilities	307	Dumping capabilities
308	^^^^^^^^^^^^^^^^^^^^	308	^^^^^^^^^^^^^^^^^^^^
309	It's possible to apply the ``dump()`` filter to any virtual-patching rule,	309	It's possible to apply the ``dump()`` filter to any virtual-patching rule,
310	to dump the complete web request, along with the filename and the corresponding	310	to dump the complete web request, along with the filename and the corresponding
311	line number. By using the right set of restrictive rules (or by using the	311	line number. By using the right set of restrictive rules (or by using the
312	overly restrictives ones in ``simulation`` mode), you might be able	312	overly restrictives ones in ``simulation`` mode), you might be able
313	to gather interesting vulnerabilities used against your website.	313	to gather interesting vulnerabilities used against your website.
@@ -332,7 +332,7 @@ or ``is_callable`` with suspicious parameters.
332	``chmod`` hardening	332	``chmod`` hardening
333	"""""""""""""""""""	333	"""""""""""""""""""
334		334
335	Some PHP applications are using broad rights when using the ``chmod`` function,	335	Some PHP applications are using broad rights when using the ``chmod`` function,
336	like the infamous ``chmod(777)`` command, effectively making the file writable by everyone.	336	like the infamous ``chmod(777)`` command, effectively making the file writable by everyone.
337	Snuffleupagus is preventing this kind of behaviour by restricting the parameters	337	Snuffleupagus is preventing this kind of behaviour by restricting the parameters
338	than can be passer to ``chmod``.	338	than can be passer to ``chmod``.