path: root/config

Age         Commit message  (Author)
2022-04-17  Improve the portability of the php7 rules  (jvoisin)
2022-03-20  Merge remote-tracking branch 'sektioneins/master'  (jvoisin)
2022-01-11  make xxe protection conditional in default rules  (Ben Fuhrmannek)
2022-01-11  enable strict_mode in example config  (Ben Fuhrmannek)
2022-01-10  renamed ini protection example rules  (Ben Fuhrmannek)
2022-01-10  added conditions to ini protection example  (Ben Fuhrmannek)
2022-01-07  added dangerous extension check  (Ben Fuhrmannek)
2021-11-26  PHP8 update parameter names in "move_uploaded_file" (#406)  (pfdutot)
            In the 8.0.8 and 8.1 versions of PHP, the parameter names for move_uploaded_file are "from" and "to". This config file fails to apply the relevant rules unless the parameter names are updated, using "to" instead of "destination".
2021-11-11  inverted logic. set xxe_protection.enable() instead of disable_xxe.disable()  (Ben Fuhrmannek)
2021-08-30  fixed typo  (Ben Fuhrmannek)
2021-08-29  updated documentation URL  (Ben Fuhrmannek)
2021-08-18  ported Suhosin rules to Snuffleupagus rules  (Ben Fuhrmannek)
2021-08-18  updated documentation URL  (Ben Fuhrmannek)
2021-08-16  Fix a few typos and inconsistencies in config files  (Gasper Vozel)
2021-08-07  more ini protection features  (Ben Fuhrmannek)
2021-08-06  default ruleset for ini protection feature  (Ben Fuhrmannek)
2021-05-09  Fix disable function chmod  (WhiteWinterWolf)
2021-05-01  Additional PHP 8 sample config argument name changes  (Tristan Deloche)
2021-05-01  Improve our SQLI-related documentation and remove some useless rules  (jvoisin)
2021-04-27  Update some parameter names which changed for PHP 8.0  (Tristan Deloche)
2021-04-26  Add a configuration file for php8  (jvoisin)
2020-06-07  Lockdown of the logging directives  (jvoisin)
            This is done to prevent an attacker who obtained arbitrary code execution from messing with the logging configuration.
2020-04-25  Fix and improve the previous commit  (jvoisin)
2020-04-25  Add yet another stupid thing to the default set of rules  (jvoisin)
2020-04-24  Add yet another disabled_functions bypass  (jvoisin)
2019-10-16  Fix the default configuration  (jvoisin)
            ini_[sg]et's first parameter is actually varname, and not var_name. Thanks to @gergo314 for flagging this!
2019-04-07  Protect against a now-public open_basedir bypass  (jvoisin)
2019-01-16  Improve a bit the default rules  (jvoisin)
2018-12-25  Tighten a bit the command-injection prevention rule  (jvoisin)
2018-08-29  Change how we're validating certificates  (xXx-caillou-xXx)
2018-08-29  Verify certs (#223)  (jvoisin)
            Ensure that certificates are verified in curl; should close #47
2018-07-23  Improve a bit the default rules  (jvoisin)
            - Use plain values instead of regexp where possible
            - Reduce the number of false positives (*cough* `curl_exec` *cough*)
2018-07-23  Whitelist the inclusion of `.phtml` files  (jvoisin)
            This is the extension used by PhpMyAdmin
2018-07-23  Allow the inclusion of `.inc` files  (jvoisin)
2018-07-23  Use SameSite on PHP's session cookie in the default rules  (jvoisin)
2018-07-23  Activate more features in the default rules  (jvoisin)
2018-07-13  Massively optimize how rules are handled  (xXx-caillou-xXx)
            This commit does a lot of things:
            - Use hashtables instead of lists to store the rules
            - Rules that can be applied at launch time won't be tried at runtime
            - Improve feedback when writing nonsensical rules
            - Make intensive use of `zend_string` instead of `char*`
2018-03-09  Improve the performance of our default rules  (jvoisin)
2018-03-09  Vastly improve our typo3 rules  (jvoisin)
2018-03-05  Improve a bit the performance (+10%)  (jvoisin)
2018-03-02  Add some rules for Typo3, courtesy of @kjojo  (jvoisin)
2018-02-26  Improve the previous commit  (jvoisin)
2018-02-26  Add a rule to prevent various sandbox escapes  (jvoisin)
            This used to be private, but since it apparently isn't anymore, we should forbid it ;)
2018-02-22  Refactor a bit our rules  (jvoisin)
2018-02-07  Tested two more rules for Abantecart 1.2.8 from the RIPS calendar  (kjojo)
2018-02-07  Add an example rule from the rips calendar for abantecart's XSS  (kjojo)
2018-01-17  Our configuration files are ending in .rules, not .ini  (jvoisin)
            This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip
2017-12-27  Fix the debian package  (blotus)
            Add a default ini file to enable snuffleupagus to the debian package
2017-12-04  Fix the configuration parser wrt. non-matching brackets  (jvoisin)
            This validation step is a bit idiotic, but we'll replace it with a proper parser anyway.
2017-11-27  Archlinux pkg  (xXx-caillou-xXx)
            Add a PKGBUILD for Archlinux