From 95afce1fe46c91025b5c53aa05582e09c6534cd0 Mon Sep 17 00:00:00 2001
From: bohwaz
Date: Sun, 24 Mar 2024 19:04:23 +0100
Subject: Forbid file:// protocol in Curl
---
 config/default.rules | 4 ++++
 config/default_php8.rules | 4 ++++
 2 files changed, 8 insertions(+)
(limited to 'config')
diff --git a/config/default.rules b/config/default.rules
index 2fa77d5..a3e779b 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -112,6 +112,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# Ensure that file:// protocol is not allowed in CURL
+sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
+sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
+
 # File upload
 # On old PHP7 versions
 #sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index a6edfbe..0490654 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
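Review bot: The two added `value_r("file://")` patterns are case-sensitive as written, while libcurl matches scheme names without regard to case, so a URL such as `FILE:///etc/passwd` or `File://` would pass both new rules unless Snuffleupagus compiles value_r patterns with the i flag by default — worth confirming before relying on this. A `(?i)` prefix closes that gap with no other change: `sp.disable_function.function("curl_setopt").param("value").value_r("(?i)file://").drop().alias("file:// protocol is disabled");` and likewise for the `curl_init` rule on the next line. The hunk also covers only `curl_setopt` and `curl_init`; a URL supplied via `curl_setopt_array($ch, [CURLOPT_URL => ...])` is inspected by neither rule, so either a third rule targeting `curl_setopt_array` (if the engine can match inside array arguments) or a comment stating that gap is needed. Some libcurl versions are reportedly lenient about the slash count after `file:` as well, which a pattern of `(?i)file:` rather than `file://` would also catch — confirm against the curl version in use.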
@@ -114,6 +114,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# Ensure that file:// protocol is not allowed in CURL
+sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
+sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
+
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
-- cgit v1.3
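Review bot: The added `curl_setopt` rule matches `file://` anywhere in any option's value, because `.param("value")` is not tied to `CURLOPT_URL`; a POST body, custom header or referer that merely contains the string `file://` gets the whole call dropped, while the scheme is only dangerous at the start of the URL. Anchoring the pattern narrows it to the URL-shaped case and makes it case-insensitive at the same time: `value_r("(?i)^\\s*file:")` (the file already uses the doubled-backslash escaping, as in `value_r("\\.ph")` two lines below). The comment on the hunk's first added line should say what is actually enforced, e.g. `# Drop curl_setopt()/curl_init() calls whose value starts with file:, so cURL cannot be used to read local files; an application-side CURLOPT_PROTOCOLS allowlist is the stronger control`. This is a single-scheme denylist — gopher://, dict:// and similar remain reachable through the same calls — so the comment should not describe it as closing local/SSRF access in general.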