From 0aaa9e51bbf102c37a9f545309c07650b6ee527b Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 26 Apr 2021 21:19:59 +0200 Subject: Add a configuration file for php8 --- config/default_php8.rules | 146 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 config/default_php8.rules (limited to 'config') diff --git a/config/default_php8.rules b/config/default_php8.rules new file mode 100644 index 0000000..5517eb7 --- /dev/null +++ b/config/default_php8.rules @@ -0,0 +1,146 @@ +# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io), +# for php8. +# It contains "reasonable" defaults that won't break your websites, +# and a lot of commented directives that you can enable if you want to +# have a better protection. + +# Harden the PRNG +sp.harden_random.enable(); + +# Disabled XXE +sp.disable_xxe.enable(); + +# Global configuration variables +# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS."); + +# Globally activate strict mode +# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict +# sp.global_strict.enable(); + +# Prevent unserialize-related exploits +# sp.unserialize_hmac.enable(); + +# Only allow execution of read-only files. This is a low-hanging fruit that you should enable. +# sp.readonly_exec.enable(); + +# Php has a lot of wrappers, most of them aren't usually useful, you should +# only enable the ones you're using. +# sp.wrappers_whitelist.list("file,php,phar"); + +# Prevent sloppy comparisons. +# sp.sloppy_comparison.enable(); + +# use SameSite on session cookie +# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery +sp.cookie.name("PHPSESSID").samesite("lax"); + +# Harden the `chmod` function +sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); + +# Prevent various `mail`-related vulnerabilities +sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); + +# Since it's now burned, me might as well mitigate it publicly +sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() + +# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 +sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() + +# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector +sp.disable_function.function("extract").param("var_array").value_r("^_").drop() +sp.disable_function.function("extract").param("extract_type").value("0").drop() + +# This is also burned: +# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); +# Since we have no way of matching on two parameters at the same time, we're +# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. +# Moreover, there are non-public bypasses that are also using this vector ;) +sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() + +##Prevent various `include`-related vulnerabilities +sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require_once").drop() +sp.disable_function.function("include_once").drop() +sp.disable_function.function("require").drop() +sp.disable_function.function("include").drop() + +# Prevent `system`-related injections +sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); + +# Prevent runtime modification of interesting things +sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("option").value("include_path").drop(); +sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); + +# Detect some backdoors via environnement recon +sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); +sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); +sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); +sp.disable_function.function("function_exists").param("function").value("eval").drop(); +sp.disable_function.function("function_exists").param("function").value("exec").drop(); +sp.disable_function.function("function_exists").param("function").value("system").drop(); +sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); +sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); +sp.disable_function.function("function_exists").param("function").value("passthru").drop(); +sp.disable_function.function("is_callable").param("var").value("eval").drop(); +sp.disable_function.function("is_callable").param("var").value("exec").drop(); +sp.disable_function.function("is_callable").param("var").value("system").drop(); +sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); +sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); +sp.disable_function.function("is_callable").param("var").value("passthru").drop(); + +# Commenting sqli related stuff to improve performance. +# TODO figure out why these functions can't be hooked at startup +# Ghetto sqli hardening +# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r("--").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r("#").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop(); +# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop(); + +# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop(); +# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop(); + +# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); +# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); + +# Ghetto sqli detection +# sp.disable_function.function("mysql_query").ret("FALSE").drop(); +# sp.disable_function.function("mysqli_query").ret("FALSE").drop(); +# sp.disable_function.function("PDO::query").ret("FALSE").drop(); + +# Ensure that certificates are properly verified +sp.disable_function.function("curl_setopt").param("value").value("1").allow(); +sp.disable_function.function("curl_setopt").param("value").value("2").allow(); +# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER +sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); +sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); + +#File upload +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); + +# Logging lockdown +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() +sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop() +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() -- cgit v1.3 From a3feae2fb319899d13ab5013f510b51ce20b4db4 Mon Sep 17 00:00:00 2001 From: Tristan Deloche Date: Tue, 27 Apr 2021 20:52:42 +0100 Subject: Update some parameter names which changed for PHP 8.0 --- config/default_php8.rules | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) (limited to 'config') diff --git a/config/default_php8.rules b/config/default_php8.rules index 5517eb7..fa3120e 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules @@ -23,7 +23,7 @@ sp.disable_xxe.enable(); # Only allow execution of read-only files. This is a low-hanging fruit that you should enable. # sp.readonly_exec.enable(); -# Php has a lot of wrappers, most of them aren't usually useful, you should +# Php has a lot of wrappers, most of them aren't usually useful, you should # only enable the ones you're using. # sp.wrappers_whitelist.list("file,php,phar"); @@ -41,14 +41,14 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); # Since it's now burned, me might as well mitigate it publicly -sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() +sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 -sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() +sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector -sp.disable_function.function("extract").param("var_array").value_r("^_").drop() -sp.disable_function.function("extract").param("extract_type").value("0").drop() +sp.disable_function.function("extract").param("array").value_r("^_").drop() +sp.disable_function.function("extract").param("flags").value("0").drop() # This is also burned: # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); @@ -80,22 +80,22 @@ sp.disable_function.function("ini_set").param("option").value("memory_limit").dr sp.disable_function.function("ini_set").param("option").value("include_path").drop(); sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); -# Detect some backdoors via environnement recon -sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); -sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); -sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); +# Detect some backdoors via environment recon +sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); +sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); sp.disable_function.function("function_exists").param("function").value("eval").drop(); sp.disable_function.function("function_exists").param("function").value("exec").drop(); sp.disable_function.function("function_exists").param("function").value("system").drop(); sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); sp.disable_function.function("function_exists").param("function").value("passthru").drop(); -sp.disable_function.function("is_callable").param("var").value("eval").drop(); -sp.disable_function.function("is_callable").param("var").value("exec").drop(); -sp.disable_function.function("is_callable").param("var").value("system").drop(); -sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); -sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); -sp.disable_function.function("is_callable").param("var").value("passthru").drop(); +sp.disable_function.function("is_callable").param("value").value("eval").drop(); +sp.disable_function.function("is_callable").param("value").value("exec").drop(); +sp.disable_function.function("is_callable").param("value").value("system").drop(); +sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); +sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); +sp.disable_function.function("is_callable").param("value").value("passthru").drop(); # Commenting sqli related stuff to improve performance. # TODO figure out why these functions can't be hooked at startup @@ -136,7 +136,7 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow(); sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); -#File upload +# File upload sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); -- cgit v1.3 From 73f764647baa7cdfb66eb6bf4b2feb96e190ef88 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sat, 1 May 2021 17:50:32 +0200 Subject: Improve our SQLI-related documentation and remove some useless rules --- config/default.rules | 29 +---------------------------- config/default_php8.rules | 29 +---------------------------- doc/source/features.rst | 12 +++--------- 3 files changed, 5 insertions(+), 65 deletions(-) (limited to 'config') diff --git a/config/default.rules b/config/default.rules index 05dd91d..74e1edb 100644 --- a/config/default.rules +++ b/config/default.rules @@ -96,34 +96,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); sp.disable_function.function("is_callable").param("var").value("passthru").drop(); -# Commenting sqli related stuff to improve performance. -# TODO figure out why these functions can't be hooked at startup -# Ghetto sqli hardening -# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("--").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("#").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop(); - -# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop(); - -# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); - -# Ghetto sqli detection +# Ghetto error-based sqli detection # sp.disable_function.function("mysql_query").ret("FALSE").drop(); # sp.disable_function.function("mysqli_query").ret("FALSE").drop(); # sp.disable_function.function("PDO::query").ret("FALSE").drop(); diff --git a/config/default_php8.rules b/config/default_php8.rules index fa3120e..427dcaf 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules @@ -97,34 +97,7 @@ sp.disable_function.function("is_callable").param("value").value("shell_exec").d sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); sp.disable_function.function("is_callable").param("value").value("passthru").drop(); -# Commenting sqli related stuff to improve performance. -# TODO figure out why these functions can't be hooked at startup -# Ghetto sqli hardening -# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("--").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("#").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop(); -# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop(); - -# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop(); -# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop(); - -# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); -# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); - -# Ghetto sqli detection +# Ghetto error-based sqli detection # sp.disable_function.function("mysql_query").ret("FALSE").drop(); # sp.disable_function.function("mysqli_query").ret("FALSE").drop(); # sp.disable_function.function("PDO::query").ret("FALSE").drop(); diff --git a/doc/source/features.rst b/doc/source/features.rst index 2eebc88..25fd62d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -480,15 +480,9 @@ to see that people are disabling it on production too. We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``. -*Cheap* SQL injections detection -"""""""""""""""""""""""""""""""" +*Cheap* error-based SQL injections detection +"""""""""""""""""""""""""""""""""""""""""""" -In some SQL injections, attackers might need to use comments, a feature that is -often not used in production system, so it might be a good idea to filter -queries that contains some. The same filtering idea can be used against -SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark`` -or strings like ``version_info``. - -On the topic of SQL injections, if a function performing a query returns ``FALSE`` +If a function performing a SQL query returns ``FALSE`` (indicating an error), it might be useful to dump the request for further analysis. -- cgit v1.3 From 3babf77bb88c6dbd465e83b6da5946f273c890c1 Mon Sep 17 00:00:00 2001 From: Tristan Deloche Date: Sat, 1 May 2021 18:42:35 +0100 Subject: Additional PHP 8 sample config argument name changes --- config/default_php8.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/default_php8.rules b/config/default_php8.rules index 427dcaf..893bfbc 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules @@ -35,7 +35,7 @@ sp.disable_xxe.enable(); sp.cookie.name("PHPSESSID").samesite("lax"); # Harden the `chmod` function -sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); +sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); -- cgit v1.3 From ec67149705739f9c13dc1f5dee335768cab3d7a0 Mon Sep 17 00:00:00 2001 From: WhiteWinterWolf Date: Sun, 9 May 2021 18:56:38 +0200 Subject: Fix disable function chmod --- config/default.rules | 5 +++-- config/default_php8.rules | 5 +++-- .../disable_function/config/disabled_functions_chmod.ini | 4 ++++ src/tests/disable_function/disabled_functions_chmod.phpt | 14 ++++++++++++++ .../disable_function/disabled_functions_chmod_php8.phpt | 14 ++++++++++++++ 5 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 src/tests/disable_function/config/disabled_functions_chmod.ini create mode 100644 src/tests/disable_function/disabled_functions_chmod.phpt create mode 100644 src/tests/disable_function/disabled_functions_chmod_php8.phpt (limited to 'config') diff --git a/config/default.rules b/config/default.rules index 74e1edb..ea65e01 100644 --- a/config/default.rules +++ b/config/default.rules @@ -33,8 +33,9 @@ sp.disable_xxe.enable(); # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery sp.cookie.name("PHPSESSID").samesite("lax"); -# Harden the `chmod` function -sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("mode").value("438").drop(); +sp.disable_function.function("chmod").param("mode").value("511").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); diff --git a/config/default_php8.rules b/config/default_php8.rules index 893bfbc..c024176 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules @@ -34,8 +34,9 @@ sp.disable_xxe.enable(); # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery sp.cookie.name("PHPSESSID").samesite("lax"); -# Harden the `chmod` function -sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop(); +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("permissions").value("438").drop(); +sp.disable_function.function("chmod").param("permissions").value("511").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); diff --git a/src/tests/disable_function/config/disabled_functions_chmod.ini b/src/tests/disable_function/config/disabled_functions_chmod.ini new file mode 100644 index 0000000..e601900 --- /dev/null +++ b/src/tests/disable_function/config/disabled_functions_chmod.ini @@ -0,0 +1,4 @@ +# PHP7 and below +sp.disable_function.function("chmod").param("mode").value("511").drop(); +# PHP8 +sp.disable_function.function("chmod").param("permissions").value("511").drop(); diff --git a/src/tests/disable_function/disabled_functions_chmod.phpt b/src/tests/disable_function/disabled_functions_chmod.phpt new file mode 100644 index 0000000..28f948d --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod.phpt @@ -0,0 +1,14 @@ +--TEST-- +Disable functions - chmod +--SKIPIF-- + += 80000) print "skip"; ?> +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_chmod.ini +--FILE-- + +--XFAIL-- +--EXPECTF-- +Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$mode' content (511) matched a rule in %a/disabled_function_chmod.php on line %d diff --git a/src/tests/disable_function/disabled_functions_chmod_php8.phpt b/src/tests/disable_function/disabled_functions_chmod_php8.phpt new file mode 100644 index 0000000..71bb034 --- /dev/null +++ b/src/tests/disable_function/disabled_functions_chmod_php8.phpt @@ -0,0 +1,14 @@ +--TEST-- +Disable functions - chmod, in php8 +--SKIPIF-- + + +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_chmod.ini +--FILE-- + +--XFAIL-- +--EXPECTF-- +Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$permissions' content (511) matched a rule in %a/disabled_function_chmod_php8.php on line %d -- cgit v1.3