From 096e7faa6a5e21e5416a7c8c484e27acd4636a66 Mon Sep 17 00:00:00 2001 From: xXx-caillou-xXx Date: Mon, 27 Aug 2018 13:56:44 +0200 Subject: Add whitelist support for php's wrappers --- doc/source/config.rst | 11 +++++++++++ doc/source/features.rst | 21 +++++++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'doc/source') diff --git a/doc/source/config.rst b/doc/source/config.rst index 14626ce..e209ecb 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -191,6 +191,17 @@ disable_xxe sp.disable_xxe.enable(); +Whitelist of stream-wrappers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +:ref:`Stream-wrapper whitelist ` allows +to explicitly whitelist some `stream wrappers `__. + +:: + + sp.wrappers_whitelist.list("file,php,phar"); + + Eval white and blacklist ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/doc/source/features.rst b/doc/source/features.rst index 60366d4..540e982 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -344,6 +344,27 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice would be to use a different user to run PHP than for administrating the website, and using this feature to lock this up. +.. _stream-wrapper-whitelist-feature: + +Whitelist of stream-wrappers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Php comes with a `lot of different `__ +`stream wrapper `__, and most of them +are enabled by default. + +The only way to tighten a bit this exposition surface is to use the +`allow_url_fopen/allow_url_include `__ +configuration options, but it's `not possible `__ +to deactivate them on an individual basis. + +Examples of related vulnerabilities +""""""""""""""""""""""""""""""""""" + +- `RCE via phar:// `__ +- `Data exfiltration via stream wrapper `__ +- `Inclusion via zip/phar `__ + .. _eval-feature: White and blacklist in ``eval`` -- cgit v1.3
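Review bot: in the config.rst hunk, the `:ref:` in the new "Whitelist of stream-wrappers" entry (`:ref:`Stream-wrapper whitelist ``) carries no target label and the `stream wrappers `__ hyperlink carries no URL, so the cross-reference and the link will not resolve when the docs are built; point the ref at the label this same patch defines in features.rst (`stream-wrapper-whitelist-feature`) and supply the link target. The example directive `sp.wrappers_whitelist.list("file,php,phar");` also whitelists `phar`, which the features.rst hunk of this very patch lists under "RCE via phar://"; either drop `phar` from the example or add a sentence saying that each whitelisted wrapper is a deliberate trade-off. Finally, the entry should say what the directive does when it is not set (is every wrapper still allowed?) and whether the list is a comma-separated string without spaces, as the example implies.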
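Review bot: in the features.rst hunk, the new section explains the problem (many wrappers on by default, `allow_url_fopen`/`allow_url_include` cannot disable them individually) but never states what Snuffleupagus does about it; the neighbouring sections in this file do ("Snuffleupagus can prevent the execution of this kind of file"), so add a sentence such as "Snuffleupagus can restrict the set of usable stream wrappers to an explicit whitelist" before the "Examples of related vulnerabilities" heading. Wording: "Php" should be "PHP", "a lot of different stream wrapper" should be plural ("stream wrappers"), and "tighten a bit this exposition surface" reads better as "reduce this attack surface somewhat". As in the config.rst hunk, the `__ links here (PHP manual, the three vulnerability write-ups) show no URL, so check the link targets survived before merging.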