Diffstat (limited to 'doc/source')
-rw-r--r--doc/source/config.rst16
1 files changed, 9 insertions, 7 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 41863c8..ceb23bb 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -255,7 +255,7 @@ In the situation where you have a call to ``system()`` that lacks proper user-in
255:: 255::
256 256
257 # Allow `id.php` to restrict system() calls to `id` 257 # Allow `id.php` to restrict system() calls to `id`
258 sp.disable_function.function("system").filename("id.php").param("cmd").value("id").allow(); 258 sp.disable_function.function("system").filename("id.php").param("$cmd").value("id").allow();
259 sp.disable_function.function("system").filename("id.php").drop() 259 sp.disable_function.function("system").filename("id.php").drop()
260 260
261Of course, this is a trivial example, a lot can be achieved with this feature, as you will see below. 261Of course, this is a trivial example, a lot can be achieved with this feature, as you will see below.
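Review bot: the only change on line 258 is the leading ``$`` in ``param("$cmd")``, and the hunk does not say whether the old bare form ``param("cmd")`` still matches after this change; if it silently stops matching, the ``.allow()`` exception on 258 never fires and the unconditional ``.drop()`` on 259 then blocks every ``system()`` call in ``id.php``, so an upgrade note (or a deprecation warning for the old syntax) belongs next to this example. Also, line 259 still lacks the trailing ``;`` that 258 has; make the two rule lines consistent so readers copying the snippet get a uniform syntax.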
@@ -281,6 +281,8 @@ Filters
281- ``value(value)``: match on a literal ``value`` 281- ``value(value)``: match on a literal ``value``
282- ``value_r(regexp)``: match on a value matching the ``regexp`` 282- ``value_r(regexp)``: match on a value matching the ``regexp``
283- ``var(name)``: match on a **local variable** ``name`` 283- ``var(name)``: match on a **local variable** ``name``
284- ``key(name)``: match on the presence of ``name`` as a key in the hashtable
285- ``key_r(regexp)``: match with ``regexp`` on keys in the hashtable
284 286
285The ``type`` must be one of the following values: 287The ``type`` must be one of the following values:
286 288
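Review bot: the two new filters on lines 284 and 285 refer to "the hashtable" without saying which one; state that the key lookup applies to the value selected by the preceding ``param`` (or whichever filter it is chained to), otherwise a reader cannot tell whether ``key(name)`` inspects a parameter, a local variable, or a superglobal. For ``key_r(regexp)`` it is also worth saying whether the regexp is anchored, since an unanchored pattern such as ``id`` would match ``cmd_id`` and ``hidden`` and make an allow rule broader than intended.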
@@ -312,11 +314,11 @@ The ``function`` filter is able to do various dereferencing:
312 314
313The ``param`` filter is also able to do some dereferencing: 315The ``param`` filter is also able to do some dereferencing:
314 316
315- ``param(foo[bar])`` will get a match on the value corresponding to the ``bar`` key in the hashtable ``foo``. 317- ``param($foo[bar])`` will get a match on the value corresponding to the ``bar`` key in the hashtable ``foo``.
316 Remember that in PHP, almost every data structure is a hashtable. You can of course nest this like 318 Remember that in PHP, almost every data structure is a hashtable. You can of course nest this like
317 ``param(foo[bar][baz][batman])``. 319 ``param($foo[bar][$object->array['123']][$batman])``.
318- The ``var`` filter will walk the calltrace until it finds the variable name, or the end of the calltrace, 320- The ``var`` filter will walk the calltrace until it finds the variable name, or the end of the calltrace,
319 allowing the filter to match global variables: ``.var("_GET[param]")`` will match on the GET parameter ``param``. 321 allowing the filter to match global variables: ``.var("$_GET[\"param\"]")`` will match on the GET parameter ``param``.
320 322
321The ``filename`` filter requires a leading ``/``, since paths are absolutes (like ``/var/www/mywebsite/lib/parse.php``). 323The ``filename`` filter requires a leading ``/``, since paths are absolutes (like ``/var/www/mywebsite/lib/parse.php``).
322If you would like to have only one configuration file for several vhost in different folders, 324If you would like to have only one configuration file for several vhost in different folders,
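Review bot: the quoting of array keys is inconsistent across the updated examples: line 317 uses a bare key (``$foo[bar]``), line 319 a single-quoted one (``$object->array['123']``), and line 321 an escaped double-quoted one (``$_GET[\"param\"]``); document which forms are accepted and whether they are equivalent, and pick one for the examples. The nested example on 319 also introduces variables as index expressions (``[$object->array['123']]``, ``[$batman]``) without the prose on 318 saying that indexes can themselves be dereferenced at match time; one sentence explaining that, and what happens when such an index is undefined (no match versus error), would make the behaviour predictable.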
@@ -351,9 +353,9 @@ The following rules will:
351 353
352:: 354::
353 355
354 sp.disable_function.function("system").param("cmd").value("id").allow(); 356 sp.disable_function.function("system").param("$cmd").value("id").allow();
355 sp.disable_function.function("system").param("cmd").value_r("^ping").drop().simulation(); 357 sp.disable_function.function("system").param("$cmd").value_r("^ping").drop().simulation();
356 sp.disable_function.function("system").param("cmd").drop(); 358 sp.disable_function.function("system").param("$cmd").drop();
357 359
358Miscellaneous examples 360Miscellaneous examples
359"""""""""""""""""""""" 361""""""""""""""""""""""
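Review bot: the three rules on lines 356 to 358 only make sense if evaluation order is first match wins (allow ``id``, then log-only drop for ``^ping``, then drop everything else), but the hunk does not state the evaluation order, so the section headed "The following rules will:" should say so explicitly. Note too that ``value_r("^ping")`` on 357 anchors only the start of the string, so it matches any command beginning with ``ping``; if the intent is to match exactly ``ping``, anchor both ends or use ``value("ping")`` as on 356.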