From b0fb67199808af09d78abc2ebfcdc10b8c45677c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 26 Feb 2018 10:40:09 +0100
Subject: Add a rule to prevent various sandbox escapes

This used to be private, but since it apparently isn't anymore, we should forbid it ;)
---
 config/default.rules | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'config/default.rules')

diff --git a/config/default.rules b/config/default.rules
index b52ae4c..8ac4498 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -4,6 +4,9 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("setting").value_r("LD_PRELOAD").drop()
+
 ##Prevent various `include`-related vulnerabilities
 sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
 sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
-- 
cgit v1.3
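Review bot: The new `putenv` rule is the only rule in this hunk (and, as far as the context shows, in the file) that does not end with `;` — every neighbouring `drop()`/`allow()` line does, so the rule parser may reject or mis-read this line and silently leave `LD_PRELOAD` unblocked; change it to `sp.disable_function.function("putenv").param("setting").value_r("LD_PRELOAD").drop();`. The accompanying comment also has a typo ("me might") and does not say what is being mitigated, which matters for a hardening rule that operators may later tune; a comment such as `# Prevent putenv() from setting LD_PRELOAD, a known sandbox-escape vector` would be clearer. Note that `value_r("LD_PRELOAD")` is an unanchored substring match, which is fine for a deny rule but should be stated if a stricter pattern is ever intended.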