From e9ca6c39ac734e0e37f78405293e551d7f2863d0 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 1 Aug 2019 11:13:15 +0200
Subject: Lockdown of the logging directives This is done to prevent an attacker who obtained arbitrary code execution to mess with the logging configuration.
---
 config/default.rules | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/config/default.rules b/config/default.rules
index 040a54b..05dd91d 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -138,3 +138,8 @@ sp.disable_function.function("curl_setopt").param("option").value("81").drop().a
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+
+# Logging lockdown
+sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
-- cgit v1.3
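Review bot: The three added rules only cover `ini_set` calls whose `varname` matches `error_log`, `error_reporting` or `display_errors`, so the lockdown described in the commit message is narrower than its stated goal. The `log_errors` directive, the `ini_alter` alias, `ini_restore` and the `error_reporting()` function are not matched by anything in this hunk. A parallel rule such as `sp.disable_function.function("ini_set").param("varname").value_r("log_errors").drop();` would close the first of these. It is also worth confirming whether the `ini_set` hook catches `ini_alter`, which is presumably a separate function-table entry. The new lines also omit the trailing `;` carried by the surrounding rules (e.g. `...value_r("\\.ht").drop();`), so adding it keeps the file consistent and avoids relying on the parser tolerating its absence. Because `value_r` is an unanchored regex, either switch to the exact-match `.value("error_log")` form or extend the `# Logging lockdown` comment to say that substring matching is intended.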