summaryrefslogtreecommitdiff
path: root/config/default.rules (unfollow)
AgeCommit message (Collapse)Author
2026-01-21Update default.rulessantii-git
Set the correct PHP versions for each rule and add the mb_send_mail function.
2025-09-30Make the default rules compatible via PHP8santii-git
2025-09-30Make the default rules compatible via PHP8jvoisin
As suggested by @santii-git in https://github.com/jvoisin/snuffleupagus/issues/522
2025-05-25Unify/fix the default.rules file across PHP versions, and add some new onesjvoisin
2024-06-09Forbid file:// protocol in Curlbohwaz
2023-02-16Add another burned vuln to the php7 rulesJulien Voisin
2022-08-18Fix the default configuration on php7.4+jvoisin
2022-04-17Improve the portability of the php7 rulesjvoisin
2022-01-11make xxe protection conditional in default rulesBen Fuhrmannek
2021-11-11inverted logic. set xxe_protection.enable() instead of disable_xxe.disable()Ben Fuhrmannek
2021-08-29updated documentation URLBen Fuhrmannek
2021-08-18updated documentation URLBen Fuhrmannek
2021-08-16Fix a few typos and inconsistencies in config filesGasper Vozel
2021-05-09Fix disable function chmodWhiteWinterWolf
2021-05-01Improve our SQLI-related documentation and remove some useless rulesjvoisin
2020-06-07Lockdown of the logging directivesjvoisin
This is done to prevent an attacker who obtained arbitrary code execution to mess with the logging configuration.
2020-04-25Fix and improve the previous commitjvoisin
2020-04-25Add yet an other stupid things to the default set of rulesjvoisin
2020-04-24Add yet another disabled_functions bypassjvoisin
2019-10-16Fix the default configurationjvoisin
ini_[sg]et first parameter is actually varname, and not var_name. Thanks to @gergo314 for flagging this!
2019-04-07Protect against a now-public open_basedir bypassjvoisin
2019-01-16Improve a bit the default rulesjvoisin
2018-12-25Tighten a bit the command-injection prevention rulejvoisin
2018-08-29Change how we're validating certificatesxXx-caillou-xXx
2018-08-29Verify certs (#223)jvoisin
Ensure that certificates are verified in curl should close #47
2018-07-23Improve a bit the default rulesjvoisin
- Use plain values instead of regexp where possible - Reduce the number of false positives (*cough* `curl_exec` *cough*)
2018-07-23Whitelist the inclusion of `.phtml` filesjvoisin
This is the extension used by PhpMyAdmin
2018-07-23Allow the inclusion of `.inc` filesjvoisin
2018-07-23Use SameSite on PHP's session cookie in the default rulesjvoisin
2018-07-23Activate more features in the default rulesjvoisin
2018-07-13Massively optimize how rules are handledxXx-caillou-xXx
This commit does a lot of things: - Use hashtables instead of lists to store the rules - Rules that can be applied at launch time won't be tried at runtime - Improve feedback when writing nonsensical rules - Make intensive use of `zend_string` instead of `char*`
2018-03-09Improve the performances of our default rulesjvoisin
2018-03-05Improve a bit the performances (+10%)jvoisin
2018-02-26Improve the previous commitjvoisin
2018-02-26Add a rule to prevent various sandbox escapesjvoisin
This used to be private, but since it apparently isn't anymore, we should forbid it ;)
2018-02-22Refactor a bit our rulesjvoisin
2018-01-17Our configuration files are ending in .rules, not .inijvoisin
This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip
2017-10-11s/disable_functions/disable_function/gjvoisin
This should close #36 and #30