
Default config allows .inc to be included but doesn't include it in move_uploaded_file blacklist #502

Open
milansimek opened this issue Oct 28, 2024 · 2 comments

@milansimek

Here inc, php and phtml are whitelisted:

# Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
sp.disable_function.function("require").drop()
sp.disable_function.function("include").drop()

However, only \\.ph and \\.ht are blacklisted in the move_uploaded_file rule:

# File upload
# On old PHP7 versions
#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
# On PHP7.4+
sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop();

Is this intentional? If not would you like me to submit a pull request to update the upload related rule?
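To make the gap concrete, here is a small Python model of the two rule sets quoted above. It is an added example, not code from this issue or from the Snuffleupagus project, and it assumes that value_r() is an unanchored regex search against the argument value, that drop() blocks the call when its pattern matches, and that an earlier matching allow() rule short-circuits the later unconditional drop(). The sample destination paths are constructed for the demonstration.

```python
import re

# Patterns as they appear in the quoted rules. In a .rules file the backslash
# is itself escaped, so "\\.ph" on the page is the regex \.ph.
INCLUDE_ALLOW_RE = re.compile(r"\.(inc|phtml|php)$")          # anchored at end of string
UPLOAD_DENY_RES_ORIGINAL = [re.compile(r"\.ph"), re.compile(r"\.ht")]  # unanchored
# Hypothetical corrected deny-list: the one extra rule the issue proposes.
UPLOAD_DENY_RES_FIXED = UPLOAD_DENY_RES_ORIGINAL + [re.compile(r"\.inc")]


def include_allowed(path: str) -> bool:
    """Model of the include/require rules: the call survives only if the
    allow-list regex matches; every other path hits the unconditional drop()."""
    return INCLUDE_ALLOW_RE.search(path) is not None


def upload_allowed(new_path: str, deny_res) -> bool:
    """Model of the move_uploaded_file rules: the call is dropped as soon as
    any deny regex matches new_path (assumed unanchored search semantics)."""
    return not any(r.search(new_path) for r in deny_res)


def includable_uploads(paths, deny_res):
    """Paths an attacker could both write via move_uploaded_file and later
    pull into the interpreter via include()/require() under the given deny-list."""
    return [p for p in paths if upload_allowed(p, deny_res) and include_allowed(p)]


# Constructed sample destinations (not from the issue).
SAMPLE_DESTINATIONS = [
    "/var/www/uploads/avatar.png",      # harmless, neither rule set cares
    "/var/www/uploads/shell.php",       # blocked on upload by \.ph
    "/var/www/uploads/shell.phtml",     # blocked on upload by \.ph
    "/var/www/uploads/shell.php.png",   # blocked on upload (unanchored \.ph), not includable anyway
    "/var/www/uploads/.htaccess",       # blocked on upload by \.ht
    "/var/www/uploads/config.inc",      # passes upload deny-list AND is includable
    "/var/www/uploads/notes.txt",       # uploadable but not includable
]


if __name__ == "__main__":
    print("original deny-list:", includable_uploads(SAMPLE_DESTINATIONS, UPLOAD_DENY_RES_ORIGINAL))
    print("with \\.inc added: ", includable_uploads(SAMPLE_DESTINATIONS, UPLOAD_DENY_RES_FIXED))
```

Running it shows that under the original deny-list only config.inc is both uploadable and includable, and that adding a \.inc rule to the move_uploaded_file block closes that combination. Note the asymmetry the model makes visible: the include allow-list is anchored with $, while the upload deny patterns are unanchored prefixes, so the upload rules are deliberately broader (they also catch .phar, .php5, .htpasswd and the like).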

@jvoisin
Owner

jvoisin commented Oct 28, 2024

The ruleset allows including/requiring .php, .phtml and .inc files, but PHP isn't allowed to rename uploaded files containing .ph or .ht. The absence of .inc in the move_uploaded_file deny-list is indeed an oversight, and a pull request would indeed be welcome :)

@milansimek
Author

Exactly what I thought, thanks! Will submit a pull request with the changes :)
