From baff5856be20579908497dba99e1e3eb20080684 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sun, 17 Apr 2022 17:33:51 +0200
Subject: Improve the portability of the php7 rules
---
 config/default.rules | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'config')
diff --git a/config/default.rules b/config/default.rules
index f6d8893..a19d678 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -49,8 +49,8 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
 
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
-sp.disable_function.function("extract").param("extract_type").value("0").drop()
+sp.disable_function.function("extract").pos("0").value_r("^_").drop()
+sp.disable_function.function("extract").pos("1").value("0").drop()
 
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
@@ -71,7 +71,7 @@ sp.disable_function.function("include").drop()
 
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 
-- 
cgit v1.3
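Review bot: The two positional `extract` rules added in the first hunk no longer say what they match. With `var_array` and `extract_type` gone, nothing tells a reader that position 0 is the array and position 1 the flags argument, or that `"0"` is `EXTR_OVERWRITE`. I would add a comment above them, for example `# pos 0: the array being extracted; pos 1: flags, where 0 is EXTR_OVERWRITE`. `EXTR_OVERWRITE` is also PHP's default when the flags argument is omitted, and whether `.pos("1")` matches a call that leaves it out is not visible here. A regression test for a one-argument `extract()` call would pin that behaviour down.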
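Review bot: In the second hunk only the `shell_exec` rule is switched to `.pos("0")`; the `system`, `exec` and `proc_open` rules shown as context still use `.param("command")`, so the block now mixes two matching styles with no explanation. If the name-based rules stay because that parameter name is the same on every supported PHP version, say so in a comment such as `# shell_exec's first parameter is named differently across PHP versions, hence pos("0")`; otherwise convert all four to `.pos("0")`. A name-based rule whose name does not match the runtime's parameter name would presumably never fire, which for a `drop()` rule is a silent loss of protection, so a test per supported PHP version is worth having. The character class only targets shell metacharacters, so these rules are a backstop to `escapeshellarg()` in the application rather than a replacement for it.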