From ad623f1d78151dfe2eaee85e93ed1058be1c7f91 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 8 May 2021 16:45:07 +0200
Subject: Add a test for #390
---
 src/tests/disable_function/config/disabled_functions.ini | 1 +
 .../disabled_functions_shell_exec_wrong.phpt | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
(limited to 'src/tests/disable_function')
diff --git a/src/tests/disable_function/config/disabled_functions.ini b/src/tests/disable_function/config/disabled_functions.ini
index df7013f..0758c98 100644
--- a/src/tests/disable_function/config/disabled_functions.ini
+++ b/src/tests/disable_function/config/disabled_functions.ini
@@ -7,3 +7,4 @@ sp.disable_function.function_r("^var_dump$").drop();
 sp.disable_function.function("sprintf").filename("/wrong file name").drop();
 sp.disable_function.function("sprintf").filename("/wrong file name").drop();
 sp.disable_function.function("eval").drop();
+sp.disable_function.function("shell_exec").param("foo").value("bar").drop();
diff --git a/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
new file mode 100644
index 0000000..580679c
--- /dev/null
+++ b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - shell_exec, with a non-existing command
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions.ini
+--FILE--
+
+--EXPECTF--
+%sfoo: not found
+YES
-- cgit v1.3
From d5adcd6d17afc7015011088d8af5a2094fb3370d Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sun, 9 May 2021 18:10:41 +0200
Subject: Fix the testsuite on fedora
---
 src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/tests/disable_function')
diff --git a/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
index 580679c..fe8e73a 100644
--- a/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
+++ b/src/tests/disable_function/disabled_functions_shell_exec_wrong.phpt
@@ -10,5 +10,5 @@ $gs = exec( 'foo' );
 echo "YES";
 ?>
 --EXPECTF--
-%sfoo: not found
+%snot found
 YES
-- cgit v1.3
From ec67149705739f9c13dc1f5dee335768cab3d7a0 Mon Sep 17 00:00:00 2001
From: WhiteWinterWolf
Date: Sun, 9 May 2021 18:56:38 +0200
Subject: Fix disable function chmod
---
 config/default.rules | 5 +++--
 config/default_php8.rules | 5 +++--
 .../disable_function/config/disabled_functions_chmod.ini | 4 ++++
 src/tests/disable_function/disabled_functions_chmod.phpt | 14 ++++++++++++++
 .../disable_function/disabled_functions_chmod_php8.phpt | 14 ++++++++++++++
 5 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 src/tests/disable_function/config/disabled_functions_chmod.ini
 create mode 100644 src/tests/disable_function/disabled_functions_chmod.phpt
 create mode 100644 src/tests/disable_function/disabled_functions_chmod_php8.phpt
(limited to 'src/tests/disable_function')
diff --git a/config/default.rules b/config/default.rules
index 74e1edb..ea65e01 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -33,8 +33,9 @@ sp.disable_xxe.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Harden the `chmod` function
-sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("mode").value("438").drop();
+sp.disable_function.function("chmod").param("mode").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 893bfbc..c024176 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -34,8 +34,9 @@ sp.disable_xxe.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Harden the `chmod` function
-sp.disable_function.function("chmod").param("permissions").value_r("^[0-9]{2}[67]$").drop();
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("permissions").value("438").drop();
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
diff --git a/src/tests/disable_function/config/disabled_functions_chmod.ini b/src/tests/disable_function/config/disabled_functions_chmod.ini
new file mode 100644
index 0000000..e601900
--- /dev/null
+++ b/src/tests/disable_function/config/disabled_functions_chmod.ini
@@ -0,0 +1,4 @@
+# PHP7 and below
+sp.disable_function.function("chmod").param("mode").value("511").drop();
+# PHP8
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
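Review bot: The two exact-match rules that replace the regex in `config/default.rules` drop only `chmod` calls whose mode is 0666 (438) or 0777 (511), so other world-writable modes such as 0776 (510), 0767 (503) or 01777 (1023) pass unfiltered; the `permissions` rules in the `config/default_php8.rules` hunk have the same gap. If the intent is still to refuse every mode whose last octal digit is 6 or 7, as the removed `^[0-9]{2}[67]$` pattern suggests, the rules need either more `value(...)` lines or a comment stating that only these two modes are covered. The new comment also has an unbalanced parenthesis; I would write `# Harden chmod: the mode is matched as a decimal value (0777 = 511, 0666 = 438)`.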
diff --git a/src/tests/disable_function/disabled_functions_chmod.phpt b/src/tests/disable_function/disabled_functions_chmod.phpt
new file mode 100644
index 0000000..28f948d
--- /dev/null
+++ b/src/tests/disable_function/disabled_functions_chmod.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - chmod
+--SKIPIF--
+
+= 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
+--FILE--
+
+--XFAIL--
+--EXPECTF--
+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$mode' content (511) matched a rule in %a/disabled_function_chmod.php on line %d
diff --git a/src/tests/disable_function/disabled_functions_chmod_php8.phpt b/src/tests/disable_function/disabled_functions_chmod_php8.phpt
new file mode 100644
index 0000000..71bb034
--- /dev/null
+++ b/src/tests/disable_function/disabled_functions_chmod_php8.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - chmod, in php8
+--SKIPIF--
+
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_chmod.ini
+--FILE--
+
+--XFAIL--
+--EXPECTF--
+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'chmod', because its argument '$permissions' content (511) matched a rule in %a/disabled_function_chmod_php8.php on line %d
-- cgit v1.3
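Review bot: The `--EXPECTF--` path in `disabled_functions_chmod.phpt` ends in `%a/disabled_function_chmod.php`, but the test file is named `disabled_functions_chmod.phpt`, so the script run-tests generates would be `disabled_functions_chmod.php` and the pattern cannot match; the php8 test has the same mismatch with `disabled_function_chmod_php8.php`. Because both tests also carry an empty `--XFAIL--` section, a failed comparison is reported as an expected failure, so neither test would flag a regression in the `chmod` rule. I would change the expected paths to `%a/disabled_functions_chmod.php` and `%a/disabled_functions_chmod_php8.php`, and remove `--XFAIL--` or give it a reason if it is needed for another cause. The test config exercises only 511, so the 438 rule added to the default rules has no coverage. The `--FILE--` bodies are not visible on this page.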