From fd60cd5c1ef701710bccc407272f72b9e9ac3f7c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 9 Mar 2018 17:32:17 +0100
Subject: Vastly improve our typo3 rules
---
config/typo3.rules | 38 ++++++++++++++++++--------------------
1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/config/typo3.rules b/config/typo3.rules
index 57fafd1..c76cf91 100644
--- a/config/typo3.rules
+++ b/config/typo3.rules
@@ -2,22 +2,20 @@
 sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
 sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
-# Prevent various `mail`-related vulnerabilities
-sp.disable_function.function("mail").param("additional_parameters").value("").allow();
-# use swiftmailer to send email
-sp.disable_function.function("mail").drop();
-
-
 ##Prevent various `include`-related vulnerabilities
-sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow();
-sp.disable_function.function_r("^require|include$").value_r("\.php$").allow();
-sp.disable_function.function_r("^(?:require|include)_once$").drop();
-sp.disable_function.function_r("^require|include$").drop();
+sp.disable_function.function("require_once").value_r("\.php$").allow();
+sp.disable_function.function("include_once").value_r("\.php$").allow();
+sp.disable_function.function("require").value_r("\.php$").allow();
+sp.disable_function.function("include").value_r("\.php$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
 # Prevent `system`-related injections
 sp.disable_function.function("system").drop();
 sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
-sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow();
+sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\.'\+\\[\\] \/\\-]+ 2>&1$").allow();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
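Review bot: The four added `.drop()` rules for `require_once`, `include_once`, `require` and `include` are the only rules in the file without a terminating `;`, so the rule parser will most likely reject them or read them together with the following line, leaving the include restriction inactive; append `;` to each, e.g. `sp.disable_function.function("require_once").drop();`. The matching `allow()` lines carry over `value_r("\.php$")` with a single backslash while the rest of the file writes `\\.` (compare `value_r("\\.ph")` on `move_uploaded_file` in the next hunk), and whether the single-escaped form still yields a literal dot depends on the config string parser, so normalising to `\\.php$` would remove the doubt. The `mail` rules disappear without a replacement; if that is deliberate because TYPO3 sends through swiftmailer, a one-line comment stating so would stop a later reader from re-adding them.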
@@ -34,21 +32,21 @@ sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/syse
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
-sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_function.function("ini_get").param("var_name").value_r("^(?:allow_url_fopen|open_basedir|suhosin)$").drop();
 #need to be allow for example to execute Scheduled tasks
-sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$|^curl_exec$").allow();
+sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^(?:curl_multi_exec|curl_exec)$").allow();
 sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
 sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
 # Ghetto sqli hardening
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("--").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("#").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
-- cgit v1.3
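Review bot: The rewritten `QueryBuilder::setParameter` rules at the end of this hunk still drop on any bound value that merely contains `#`, `--`, `sleep` or `benchmark`, so ordinary user data such as a URL with a fragment, a double hyphen in free text or a record titled "sleep" aborts the request; switching `function_r` to `function` narrows the function match but leaves the value match as broad as before. Because `setParameter` binds values rather than interpolating them into SQL, these rules are a best-effort heuristic, and a comment above the block should say so, e.g. `# Heuristic substring matches on bound values: expect false positives on '#', '--' and common words; tune per site`. If they are kept, matching the call form rather than the bare word (`sleep\\s*\\(`) and using a case-insensitive pattern would reduce both the noise and the gaps, and the same comment should record whatever choice is made.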