From b4996788445272c9f18e2cba84783b1b13bf6cf0 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 7 Jan 2022 18:59:52 +0100
Subject: added dangerous extension check

---
 config/detect_dangerous_extensions.rules | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 config/detect_dangerous_extensions.rules

(limited to 'config')

diff --git a/config/detect_dangerous_extensions.rules b/config/detect_dangerous_extensions.rules
new file mode 100644
index 0000000..8f10532
--- /dev/null
+++ b/config/detect_dangerous_extensions.rules
@@ -0,0 +1,12 @@
+## This example rules file shows how to detect and disable certain potentially
+## dangerous or unwanted extensions.
+
+@condition extension_loaded("runkit7");
+@error "The runkit7 extension can be used to rename classes and functions, thereby circumventing any filters set by Snuffleupagus. Please disable runkit7.";
+
+@condition extension_loaded("FFI");
+@warning "FFI extension is loaded. Disabling via 'ffi.enable=false'";
+sp.ini_protection.enable();
+sp.ini.key("ffi.enable").set("false").ro();
+@end_condition;
+
-- 
cgit v1.3