diff options
Diffstat (limited to 'config')
| -rw-r--r-- | config/default.rules | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules index 3e82ae3..0fa4878 100644 --- a/config/default.rules +++ b/config/default.rules | |||
| @@ -35,6 +35,10 @@ sp.xxe_protection.enable(); | |||
| 35 | # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery | 35 | # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery |
| 36 | sp.cookie.name("PHPSESSID").samesite("lax"); | 36 | sp.cookie.name("PHPSESSID").samesite("lax"); |
| 37 | 37 | ||
| 38 | # Note that an attacker with arbitrary PHP code execution | ||
| 39 | # can bypass some virtual-patching, by (as)using PHP feature. | ||
| 40 | # A clever example would be to declare a class with a __toString method. | ||
| 41 | |||
| 38 | # Harden the `chmod` function (0777 (oct = 511, 0666 = 438) | 42 | # Harden the `chmod` function (0777 (oct = 511, 0666 = 438) |
| 39 | @condition PHP_VERSION_ID < 80000; | 43 | @condition PHP_VERSION_ID < 80000; |
| 40 | sp.disable_function.function("chmod").param("mode").value("438").drop(); | 44 | sp.disable_function.function("chmod").param("mode").value("438").drop(); |