From 41da9b8265dc8c2e916eb15f480496d6239420dd Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 30 Sep 2025 17:04:22 +0200
Subject: Make the default rules compatible via PHP8

As suggested by @santii-git in https://github.com/jvoisin/snuffleupagus/issues/522
---
 config/default.rules | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

(limited to 'config')

diff --git a/config/default.rules b/config/default.rules
index 817e62f..81c4072 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -36,8 +36,13 @@ sp.xxe_protection.enable();
 sp.cookie.name("PHPSESSID").samesite("lax");
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
-sp.disable_function.function("chmod").param("mode").value("438").drop();
-sp.disable_function.function("chmod").param("mode").value("511").drop();
+@condition PHP_VERSION_ID < 80000;
+ sp.disable_function.function("chmod").param("mode").value("438").drop();
+ sp.disable_function.function("chmod").param("mode").value("511").drop();
+@condition PHP_VERSION_ID >= 80000;
+ sp.disable_function.function("chmod").param("permissions").value("438").drop();
+ sp.disable_function.function("chmod").param("permissions").value("511").drop();
+@end_condition;
 # Prevent various `mail`-related vulnerabilities
 @condition PHP_VERSION_ID < 80300;
@@ -47,8 +52,13 @@ sp.disable_function.function("mail").param("additional_params").value_r("\\-").d
 @end_condition;
 # Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
-sp.disable_function.function("putenv").param("setting").value("PATH").drop();
+@condition PHP_VERSION_ID < 80000;
+ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
+ sp.disable_function.function("putenv").param("setting").value("PATH").drop();
+@condition PHP_VERSION_ID >= 80000;
+ sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop();
+ sp.disable_function.function("putenv").param("assignment").value("PATH").drop();
+@end_condition;
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();
@@ -62,7 +72,11 @@ sp.disable_function.function("extract").pos("1").value("0").drop();
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
-sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop();
+@condition PHP_VERSION_ID < 80000;
+ sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
+@condition PHP_VERSION_ID >= 80000;
+ sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+@end_condition;
 # Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
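Review bot: The `GCONV_` rule for `putenv` on the last context line of this hunk still uses `param("setting")` and sits outside the new version condition, so by the same reasoning the commit applies to the two rules above it, it would no longer apply on PHP >= 8.0, where the parameter is `assignment`. Whether a rule naming a parameter that does not exist fails at load time or simply never fires is not visible here; either way the mitigation is silently lost on PHP 8 unless the name is updated. The fix is to fold it into the same branches: keep ` sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();` under `< 80000` and add ` sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop();` under `>= 80000`, moving the "burned in Nov 2019" comment with it.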
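Review bot: The two new `ini_set` rules for `open_basedir` end in `.drop()` with no trailing `;`, unlike the line they replace and every other rule in the hunk. How the rule parser treats the missing terminator is not visible here, but if it rejects the line or reads on into the following `@condition`, the open_basedir restriction the comment block above describes as deliberate is lost on startup rather than at a time anyone is looking. Restore the terminator on both lines: ` sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop();` and ` sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop();`.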
@@ -80,6 +94,16 @@ sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+@condition PHP_VERSION_ID < 80000;
+ sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+@condition PHP_VERSION_ID >= 80000;
+ sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+@end_condition;
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+
 # Prevent runtime modification of interesting things
 @condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
--
cgit v1.3
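Review bot: The added `exec` and `proc_open` rules are byte-for-byte copies of the two context lines directly above them, and the hunk removes nothing, so the new block looks appended after the existing command-injection rules rather than replacing them. The hunk header shows an unconditional `shell_exec` rule with `pos("0")` immediately before the hunk's first line, and the old `system` rule and its comment, if present, sit above that and are not visible here; after this change the file presumably carries each of these rules twice, once unconditional and once version-gated, and the two `shell_exec` variants will drift the first time one of them is edited. The intended change is `-` lines for the old `shell_exec`, `exec` and `proc_open` rules (and the old `system` rule and comment, if they exist) alongside the `+` lines, leaving a single copy. If `pos("0")` still matches on PHP 8, the version gate around `shell_exec` may not be needed at all; a one-line comment stating why the named-parameter form is preferred there would settle that for the next reader.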