Diffstat (limited to 'doc/source')
| -rw-r--r-- | doc/source/features.rst | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst index dd35e2b..4f8edb9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst | |||
| @@ -439,9 +439,19 @@ Arbitrary file inclusion hardening | |||
| 439 | """""""""""""""""""""""""""""""""" | 439 | """""""""""""""""""""""""""""""""" |
| 440 | 440 | ||
| 441 | Arbitrary file inclusion is a common vulnerability, that might be detected | 441 | Arbitrary file inclusion is a common vulnerability, that might be detected |
| 442 | by preventing the inclusion of anything that doens't match a strict set | 442 | by preventing the inclusion of anything that doesn't match a strict set |
| 443 | of file extensions in calls to ``include`` or ``require``. | 443 | of file extensions in calls to ``include`` or ``require``. |
| 444 | 444 | ||
| 445 | |||
| 446 | Enforcing certificate validation when using curl | ||
| 447 | """""""""""""""""""""""""""""""""""""""""""""""" | ||
| 448 | |||
| 449 | While it might be convenient to disable certificate validation on preproduction | ||
| 450 | or during tests, it's `common <https://twitter.com/CiPHPerCoder/status/1056974646363516928>`__ | ||
| 451 | to see that people are disabling it on production too. | ||
| 452 | We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and | ||
| 453 | ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``. | ||
| 454 | |||
| 445 | *Cheap* SQL injections detection | 455 | *Cheap* SQL injections detection |
| 446 | """""""""""""""""""""""""""""""" | 456 | """""""""""""""""""""""""""""""" |
| 447 | 457 | ||
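Review bot: the added text at lines 452-453 says the two options are rejected when "set to ``0``", which is narrower than what a reader will need to know: PHP's ``curl_setopt`` also accepts ``false`` for these options, and ``CURLOPT_SSL_VERIFYHOST`` only performs full hostname verification at ``2``, so the section should state exactly which values are blocked (e.g. "set to ``0`` or ``false``, or, for ``CURLOPT_SSL_VERIFYHOST``, to anything other than ``2``") so users are not misled into thinking ``false`` or ``1`` still passes. Two smaller points: the ``common`` citation at line 450 points at a tweet, which is a fragile reference for documentation, and the unrelated ``doens't`` → ``doesn't`` fix at line 442 plus the extra blank line added at 445 (the surrounding sections are separated by a single blank line) would be cleaner as a separate commit or, at least, kept consistent with the existing spacing.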
