From 320b3f831f755e6bd4c7ac0334d719bb4b778723 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 3 Nov 2023 16:40:45 +0100
Subject: Add some documentation in the default rules.

---
 config/default_php8.rules | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'config/default_php8.rules')

diff --git a/config/default_php8.rules b/config/default_php8.rules
index 4773b4e..580ba0a 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -52,8 +52,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
 sp.disable_function.function("extract").param("array").value_r("^_").drop()
 sp.disable_function.function("extract").param("flags").value("0").drop()
 
-# This is also burned:
-# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
-- 
cgit v1.3