5 files changed, 38 insertions, 4 deletions
diff --git a/config/default.rules b/config/default.rules
index 74e1edb..ea65e01 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -33,8 +33,9 @@ sp.disable_xxe.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Harden the `chmod` function
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
-sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_function.function("chmod").param("mode").value("438").drop();
+sp.disable_function.function("chmod").param("mode").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 893bfbc..c024176 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -34,8 +34,9 @@ sp.disable_xxe.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Harden the `chmod` function
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
-sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_function.function("chmod").param("permissions").value("438").drop();
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
diff --git a/src/tests/disable_function/config/disabled_functions_chmod.ini b/src/tests/disable_function/config/disabled_functions_chmod.ini
new file mode 100644
index 0000000..e601900
--- /dev/null
+++ b/src/tests/disable_function/config/disabled_functions_chmod.ini
@@ -0,0 +1,4 @@
+# PHP7 and below
+sp.disable_function.function("chmod").param("mode").value("511").drop();
+# PHP8
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
diff --git a/src/tests/disable_function/disabled_functions_chmod.phpt b/src/tests/disable_function/disabled_functions_chmod.phpt
new file mode 100644
index 0000000..28f948d
--- /dev/null
+++ b/src/tests/disable_function/disabled_functions_chmod.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - chmod
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
+--FILE--
+<?php
+chmod( 'foo', 0777 );
+?>
+--XFAIL--
+--EXPECTF--
+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$mode' content (511) matched a rule in %a/disabled_function_chmod.php on line %d
diff --git a/src/tests/disable_function/disabled_functions_chmod_php8.phpt b/src/tests/disable_function/disabled_functions_chmod_php8.phpt
new file mode 100644
index 0000000..71bb034
--- /dev/null
+++ b/src/tests/disable_function/disabled_functions_chmod_php8.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - chmod, in php8
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
+--FILE--
+<?php
+chmod( 'foo', 0777 );
+?>
+--XFAIL--
+--EXPECTF--
+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$permissions' content (511) matched a rule in %a/disabled_function_chmod_php8.php on line %d

diff --git a/config/default.rules b/config/default.rules index 74e1edb..ea65e01 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -33,8 +33,9 @@ sp.disable_xxe.enable();
33	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery	33	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
34	sp.cookie.name("PHPSESSID").samesite("lax");	34	sp.cookie.name("PHPSESSID").samesite("lax");
35		35
36	# Harden the `chmod` function	36	# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
37	sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();	37	sp.disable_function.function("chmod").param("mode").value("438").drop();
		38	sp.disable_function.function("chmod").param("mode").value("511").drop();
38		39
39	# Prevent various `mail`-related vulnerabilities	40	# Prevent various `mail`-related vulnerabilities
40	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();	41	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();


diff --git a/config/default_php8.rules b/config/default_php8.rules index 893bfbc..c024176 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules
@@ -34,8 +34,9 @@ sp.disable_xxe.enable();
34	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery	34	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
35	sp.cookie.name("PHPSESSID").samesite("lax");	35	sp.cookie.name("PHPSESSID").samesite("lax");
36		36
37	# Harden the `chmod` function	37	# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
38	sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop();	38	sp.disable_function.function("chmod").param("permissions").value("438").drop();
		39	sp.disable_function.function("chmod").param("permissions").value("511").drop();
39		40
40	# Prevent various `mail`-related vulnerabilities	41	# Prevent various `mail`-related vulnerabilities
41	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();	42	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();


diff --git a/src/tests/disable_function/config/disabled_functions_chmod.ini b/src/tests/disable_function/config/disabled_functions_chmod.ini new file mode 100644 index 0000000..e601900 --- /dev/null +++ b/src/tests/disable_function/config/disabled_functions_chmod.ini
@@ -0,0 +1,4 @@
		1	# PHP7 and below
		2	sp.disable_function.function("chmod").param("mode").value("511").drop();
		3	# PHP8
		4	sp.disable_function.function("chmod").param("permissions").value("511").drop();


diff --git a/src/tests/disable_function/disabled_functions_chmod.phpt b/src/tests/disable_function/disabled_functions_chmod.phpt new file mode 100644 index 0000000..28f948d --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod.phpt
@@ -0,0 +1,14 @@
		1	--TEST--
		2	Disable functions - chmod
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
		5	<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
		8	--FILE--
		9	<?php
		10	chmod( 'foo', 0777 );
		11	?>
		12	--XFAIL--
		13	--EXPECTF--
		14	Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$mode' content (511) matched a rule in %a/disabled_function_chmod.php on line %d


diff --git a/src/tests/disable_function/disabled_functions_chmod_php8.phpt b/src/tests/disable_function/disabled_functions_chmod_php8.phpt new file mode 100644 index 0000000..71bb034 --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod_php8.phpt
@@ -0,0 +1,14 @@
		1	--TEST--
		2	Disable functions - chmod, in php8
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
		5	<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
		8	--FILE--
		9	<?php
		10	chmod( 'foo', 0777 );
		11	?>
		12	--XFAIL--
		13	--EXPECTF--
		14	Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$permissions' content (511) matched a rule in %a/disabled_function_chmod_php8.php on line %d