1 files changed, 12 insertions, 0 deletions

diff --git a/config/default.rules b/config/default.rules
index 3e82ae3..818e73d 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -35,6 +35,10 @@ sp.xxe_protection.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
+# Note that an attacker with arbitrary PHP code execution
+# can bypass some virtual-patching, by (as)using PHP feature.
+# A clever example would be to declare a class with a __toString method.
+
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 @condition PHP_VERSION_ID < 80000;
     sp.disable_function.function("chmod").param("mode").value("438").drop();
@@ -69,6 +73,14 @@ sp.cookie.name("PHPSESSID").samesite("lax");
     sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
 @end_condition;
 
+# https://github.com/php/php-src/issues/22035
+# CURLOPT_SSLENGINE = 10089 
+@condition PHP_VERSION_ID < 80000;
+    sp.disable_function.function("curl_setopt").param("option").value("10089").drop()
+@condition PHP_VERSION_ID >= 80000;
+    sp.disable_function.function("curl_setopt").param("option").value("10089").drop()
+@end_condition;
+
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
 @condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("extract").pos("0").value_r("^_").drop()