From bcec0cafc9edbf1a563f184debf01169aed64c85 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 25 Apr 2026 22:25:27 +0200
Subject: Add a note about virtual-patching bypasses
---
 config/default.rules | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index 3e82ae3..0fa4878 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -35,6 +35,10 @@ sp.xxe_protection.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
+# Note that an attacker with arbitrary PHP code execution
+# can bypass some virtual-patching, by (as)using PHP feature.
+# A clever example would be to declare a class with a __toString method.
+
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 @condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("chmod").param("mode").value("438").drop();
-- 
cgit v1.3
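Review bot: The added comment's second line, `# can bypass some virtual-patching, by (as)using PHP feature.`, reads like a typo for `by (ab)using PHP features`, and it does not say which rules the caveat applies to, even though it sits directly above the `disable_function` rules that match on `.value(...)`. The `__toString` example is left unexplained; presumably the point is that a rule comparing a parameter against a literal value such as `"438"` may not match an object that only stringifies to that value — confirm against the engine's matching semantics before stating it. Suggest rewording the three lines to say that an attacker who already has arbitrary PHP code execution can bypass some of the `disable_function` virtual-patching rules below by (ab)using PHP features (for example a class with a `__toString` method), and that these rules mitigate specific vulnerabilities rather than contain full code execution. A short pointer to the relevant documentation section, in the same style as the existing `# https://snuffleupagus.readthedocs.io/...` lines, would help readers of this file.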