From c7ce5c3528e8da8762e6e7067001549e109397ba Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Mon, 27 May 2024 21:33:00 +0200 Subject: Add option to specify the allowed "php" wrapper types In addition of the current possibility to filter wrappers by their protocol name, also add the option to filter the "php" wrapper by the requested kind. Especially the 'filter' backend can be disabled that way. --- doc/source/config.rst | 11 +++++++++++ doc/source/features.rst | 16 +++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/source/config.rst b/doc/source/config.rst index 9781046..75392d7 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -395,6 +395,17 @@ to explicitly whitelist some `stream wrappers ` +allows to explicitly allow the builtin `php streams `__. + +:: + + sp.wrappers_whitelist.php_list("stdout,stdin,stderr"); + + Eval white and blacklist ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/doc/source/features.rst b/doc/source/features.rst index d7f6f7f..3855f2a 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -381,7 +381,7 @@ and using this feature to lock this up. Whitelist of stream-wrappers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Php comes with a `lot of different `__ +PHP comes with a `lot of different `__ `stream wrapper `__, and most of them are enabled by default. @@ -397,6 +397,20 @@ Examples of related vulnerabilities - `Data exfiltration via stream wrapper `__ - `Inclusion via zip/phar `__ +.. _php-stream-wrapper-allowlist-feature: + +Allowlist of php stream-wrapper +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The builtin `"php" stream wrapper `__ +has support for common streams, like ``stdin``, ``stdout`` or ``stderr``, but +also for the dangerous ``filter`` one. + +Examples of related vulnerability +""""""""""""""""""""""""""""""""" + +- `CNEXT exploits `__ + .. _eval-feature: White and blacklist in ``eval`` -- cgit v1.3
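Review bot: in the `doc/source/config.rst` hunk, the description of `sp.wrappers_whitelist.php_list` leaves the matching semantics undefined: say which part of the URL is compared against the list (the name between `php://` and the next `/`, so that `php://filter/convert.base64-encode/resource=...` is matched as `filter`), whether the comparison is case-sensitive, and what happens when a stream is requested whose name is not in the list (request blocked, log entry, simulation mode). Also state how the option interacts with the existing protocol-name allowlist documented just above it; a reader cannot tell whether `php_list` is only consulted once `php` itself is allowed by the protocol list. Two wording fixes while here: "allows to explicitly allow" is not idiomatic, better "makes it possible to explicitly allow", and "builtin" should be "built-in" (same in the `features.rst` hunk). The example `sp.wrappers_whitelist.php_list("stdout,stdin,stderr");` would be more useful with a line noting that this is the minimal list for CLI scripts and that `filter` is intentionally absent, since disabling `filter` is the stated motivation of the change.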
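Review bot: in the first `doc/source/features.rst` hunk (`@@ -381,7 +381,7 @@`), the line being touched only fixes "Php" to "PHP", but the sentence it opens still reads "a lot of different stream wrapper" on the following context line; since the line is already being rewritten, make it "stream wrappers" in the same change rather than leaving a second typo in the same sentence.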
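Review bot: in the second `doc/source/features.rst` hunk (`@@ -397,6 +397,20 @@`), the new "Allowlist of php stream-wrapper" section never names the directive that enables it; the other feature sections are paired with a configuration entry, so add a reference to `sp.wrappers_whitelist.php_list` (or a `:ref:` to its config section) so a reader can find how to turn the feature on. The sentence "but also for the dangerous ``filter`` one" asserts the danger without a reason; one sentence on why `php://filter` is singled out (the commit message says it is the backend worth disabling, and the only other hint is the CNEXT link) would make the section self-explanatory. Two consistency points: the sub-heading "Examples of related vulnerability" should be "Examples of related vulnerabilities" to match the heading used by the section directly above, and the section heading uses lowercase "php" right after a hunk that corrects "Php" to "PHP"; if the lowercase is intentional because it refers to the `php://` scheme, write it as ``php://`` so the distinction is visible. Finally, the document now mixes "Allowlist" in the new heading with "Whitelist" in the neighbouring headings and in the directive name; pick one term for the page.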