From bcec0cafc9edbf1a563f184debf01169aed64c85 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 25 Apr 2026 22:25:27 +0200
Subject: Add a note about virtual-patching bypasses

---
 config/default.rules    | 4 ++++
 doc/source/config.rst   | 2 +-
 doc/source/features.rst | 6 +++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/config/default.rules b/config/default.rules
index 3e82ae3..0fa4878 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -35,6 +35,10 @@ sp.xxe_protection.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
+# Note that an attacker with arbitrary PHP code execution
+# can bypass some virtual-patching, by (as)using PHP feature.
+# A clever example would be to declare a class with a __toString method.
+
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 @condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("chmod").param("mode").value("438").drop();
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 2053c2f..a84bb60 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -152,7 +152,7 @@ least astonishment `__.
 
 But since it's `possible to modify php's logging system via php
 `__, it's
-heavily recommended to use the ``syslog`` option instead. The ``file:` option
+heavily recommended to use the ``syslog`` option instead. The ``file:`` option
 might be useful if you're using Snuffleupagus to fuzz or audit a codebase.
 
 log_max_len
diff --git a/doc/source/features.rst b/doc/source/features.rst
index adb8779..517bbec 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
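Review bot: The comment added to config/default.rules reads `(as)using PHP feature`, which is a typo for `(ab)using PHP features`; the features.rst hunk in the same commit uses the correct wording, so the two texts should agree. The comment also sits between the cookie rule and the chmod hardening without saying which rules the caveat covers; since the rules below it match call-site values (`.param("mode").value("438")`), I would make that explicit: `# can bypass some value-based virtual-patching (the sp.disable_function rules below), by (ab)using PHP features.` Keeping the __toString sentence as the only example is fine, but it would read better as a consequence of value matching rather than a standalone remark, and presumably the docs page should carry the same caveat so users of the shipped ruleset and readers of the manual get one consistent statement.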
@@ -309,7 +309,11 @@ of dangerous functions, dropping them everywhere else:
 :language: php
 
-The intent is to make post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker.
+The intent is to make post-exploitation process (such as backdooring of
+legitimate code, or RAT usage) a lot harder for the attacker.
+
+Note that an attacker able to run arbitrary PHP code can likely bypass some virtual-patching
+by (ab)using some PHP features.
 
 .. _global-strict-feature:
-- 
cgit v1.3