path: root/config/default_php8.rules
Age        | Commit message | Author
2025-05-25 | Unify/fix the default.rules file across PHP versions, and add some new ones | jvoisin
2024-06-09 | Forbid file:// protocol in Curl | bohwaz
2024-06-09 | Wording updates | Christian Göttsche
2024-06-09 | Add option to specify the allowed "php" wrapper types | Christian Göttsche
           | In addition to the current possibility to filter wrappers by their protocol name, also add the option to filter the "php" wrapper by the requested kind. Especially the 'filter' backend can be disabled that way.
2024-03-24 | Fix yet another php surprise-rename of function parameters | jvoisin
2023-11-03 | Add some documentation in the default rules. | jvoisin
2023-02-16 | Add another burned vuln to the php8 rules | Julien Voisin
2021-11-26 | PHP8: update parameter names in "move_uploaded_file" (#406) | pfdutot
           | In the 8.0.8 and 8.1 versions of PHP, the parameter names for move_uploaded_file are "from" and "to". This config file fails to apply the relevant rules unless the parameter names are updated to use "to" instead of "destination".
2021-11-11 | Inverted logic: set xxe_protection.enable() instead of disable_xxe.disable() | Ben Fuhrmannek
2021-08-29 | Updated documentation URL | Ben Fuhrmannek
2021-08-18 | Updated documentation URL | Ben Fuhrmannek
2021-08-16 | Fix a few typos and inconsistencies in config files | Gasper Vozel
2021-05-09 | Fix disable function chmod | WhiteWinterWolf
2021-05-01 | Additional PHP 8 sample config argument name changes | Tristan Deloche
2021-05-01 | Improve our SQLI-related documentation and remove some useless rules | jvoisin
2021-04-27 | Update some parameter names which changed for PHP 8.0 | Tristan Deloche
2021-04-26 | Add a configuration file for php8 | jvoisin
2020-06-07 | Lockdown of the logging directives | jvoisin
           | This is done to prevent an attacker who obtained arbitrary code execution from messing with the logging configuration.
2020-04-25 | Fix and improve the previous commit | jvoisin
2020-04-25 | Add yet another stupid thing to the default set of rules | jvoisin
2020-04-24 | Add yet another disabled_functions bypass | jvoisin
2019-10-16 | Fix the default configuration | jvoisin
           | ini_[sg]et's first parameter is actually varname, not var_name. Thanks to @gergo314 for flagging this!
2019-04-07 | Protect against a now-public open_basedir bypass | jvoisin
2019-01-16 | Improve the default rules a bit | jvoisin
2018-12-25 | Tighten the command-injection prevention rule a bit | jvoisin
2018-08-29 | Change how we're validating certificates | xXx-caillou-xXx
2018-08-29 | Verify certs (#223) | jvoisin
           | Ensure that certificates are verified in curl; should close #47
2018-07-23 | Improve the default rules a bit | jvoisin
           | - Use plain values instead of regexp where possible
           | - Reduce the number of false positives (*cough* `curl_exec` *cough*)
2018-07-23 | Whitelist the inclusion of `.phtml` files | jvoisin
           | This is the extension used by PhpMyAdmin
2018-07-23 | Allow the inclusion of `.inc` files | jvoisin
2018-07-23 | Use SameSite on PHP's session cookie in the default rules | jvoisin
2018-07-23 | Activate more features in the default rules | jvoisin
2018-07-13 | Massively optimize how rules are handled | xXx-caillou-xXx
           | This commit does a lot of things:
           | - Use hashtables instead of lists to store the rules
           | - Rules that can be applied at launch time won't be tried at runtime
           | - Improve feedback when writing nonsensical rules
           | - Make intensive use of `zend_string` instead of `char*`
2018-03-09 | Improve the performance of our default rules | jvoisin
2018-03-05 | Improve the performance a bit (+10%) | jvoisin
2018-02-26 | Improve the previous commit | jvoisin
2018-02-26 | Add a rule to prevent various sandbox escapes | jvoisin
           | This used to be private, but since it apparently isn't anymore, we should forbid it ;)
2018-02-22 | Refactor our rules a bit | jvoisin
2018-01-17 | Our configuration files end in .rules, not .ini | jvoisin
           | This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip.
2017-10-11 | s/disable_functions/disable_function/g | jvoisin
           | This should close #36 and #30