From 3b113be573cdbca20ce9ec9c0a6efb25ccf51db5 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 4 Jan 2018 15:59:59 +0100 Subject: Eval blacklist Add support for eval filtering, only blacklist for now--- doc/source/config.rst | 14 ++++++++++++++ doc/source/features.rst | 13 +++++++++++++ 2 files changed, 27 insertions(+) (limited to 'doc/source') diff --git a/doc/source/config.rst b/doc/source/config.rst index e42cb99..d16474f 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -246,6 +246,20 @@ disable_xxe sp.disable_xxe.enable(); +Eval white and blacklist +^^^^^^^^^^^^^^^^^^^^^^^^ + * `default: disabled` + * :ref:`more ` + +``eval_filter`` allows to specify white and blacklist of functions allowed and +forbidden from being called inside ``eval``. The functions names are comma-separated. + +:: + + sp.eval_filter.blacklist("system,exec,shell_exec"); + sp.eval_filter.whitelist("strlen,strcmp").simulation(); + + Virtual-patching ---------------- diff --git a/doc/source/features.rst b/doc/source/features.rst index afe139a..8ecf57d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice would be to use a different user to run PHP than for administrating the website, and using this feature to lock this up. +.. _eval-feature: + +White and blacklist in ``eval`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +While `eval `__ is a +dangerous primitive, tricky to use right, with almost no legitimate usage +besides templating and building mathematical expressions based on user input, +it's broadly (mis)used all around the web. + +Snuffleupagus provides a white and blacklist mechanism, to explicitly allow +and forbid specific functions call from being issued inside ``eval``. + Protection against cross site request forgery ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- cgit v1.3
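Review bot: the `:ref:` bullet in the config.rst hunk (`* :ref:`more ``) has nothing between the backticks where the target label should be, so Sphinx will not resolve it; it should point at the `eval-feature` label that the features.rst hunk defines. The description also needs grammar fixes: `allows to specify white and blacklist of functions allowed and forbidden` should read `allows specifying a whitelist and a blacklist of functions allowed and forbidden`, and `The functions names` should be `The function names`. Finally, the commit subject says only the blacklist is supported for now, yet the example shows `sp.eval_filter.whitelist("strlen,strcmp").simulation();`; either drop the whitelist line or state explicitly that it is not yet implemented, so an operator does not deploy a configuration that silently does nothing.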
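Review bot: the `eval` hyperlink in the features.rst hunk (`While `eval `__ is a`) has an empty URL target, so the anonymous link will not render; fill in the intended URL. `forbid specific functions call from being issued` should read `forbid specific function calls from being issued`. As with config.rst, this section promises both a whitelist and a blacklist while the commit subject says only the blacklist works so far; the feature description should say which of the two actually takes effect in this version, since a reader of this page will otherwise assume a whitelist already restricts what `eval` can call.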