mirror of https://github.com/Mailu/Mailu.git synced 2025-03-05 14:55:20 +02:00
3388: Update snuffleupagus rules (backport #3386) r=mergify[bot] a=mergify[bot]

## What type of PR?

bug-fix

## What does this PR do?

Bring our rules in sync with upstream's defaults.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
This is an automatic backport of pull request #3386 done by [Mergify](https://mergify.com).

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
This commit is contained in:
bors-mailu[bot] 2024-08-26 19:44:37 +00:00 committed by GitHub
commit 18a74c64eb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 8 additions and 2 deletions


@ -0,0 +1 @@
Ensure that file:// protocol is not allowed in CURL
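Review bot: the changelog entry only describes the curl `file://` rule, but this backport also adds the php8.3+ `additional_params` variant of the `mail` rule in the rules file; mention both changes (or state that the rules were synced with upstream defaults, as the PR description does) so the entry matches what the rules file actually gains.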


@ -39,7 +39,9 @@ sp.disable_function.function("chmod").param("permissions").value("438").drop();
sp.disable_function.function("chmod").param("permissions").value("511").drop();
# Prevent various `mail`-related vulnerabilities
# Uncommend the second rule if you're using php8.3+
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
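Review bot: the comment `# Uncommend the second rule if you're using php8.3+` tells the reader to uncomment the `additional_params` rule, yet that rule is already active on the line directly below it; either comment it out so the file matches the instruction, or reword the comment to say that both parameter-name variants are loaded so the rule fires whichever name the running PHP version uses. Two spelling points while here: `Uncommend` should read `Uncomment`, and the context line `me might as well mitigate it publicly` should read `we might as well`.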
@ -52,8 +54,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
sp.disable_function.function("extract").param("array").value_r("^_").drop()
sp.disable_function.function("extract").param("flags").value("0").drop()
# This is also burned:
# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
# Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;)
@ -119,6 +120,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
# Ensure that file:// protocol is not allowed in CURL
sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
# File upload
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
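Review bot: the new `curl_setopt` rule under `# Ensure that file:// protocol is not allowed in CURL` keys on `param("value")` alone, so it drops any `curl_setopt` call whose value argument contains the substring `file://`, whatever option is being set (a POST body or a header string that happens to carry that text would trip it too); the comment earlier in this file already notes that two parameters cannot be matched at once, so if this false-positive surface is the accepted trade-off, say so in the comment next to the rule. The `value_r("file://")` pattern is also unanchored and case-sensitive; since curl treats the scheme case-insensitively, a `(?i)` prefix in the PCRE pattern would make the rule match the same set of inputs curl does. The `curl_init` rule with `param("url")` is fine as written and gives the matching alias message.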