self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-08-10 22:31:47 +02:00
Code Issues Releases Activity

Update snuffleupagus rules

Browse Source
This commit is contained in:
Florent Daigniere
2024-08-26 10:10:54 +02:00
parent d94bc11057
commit cf1088f1c5
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
towncrier/newsfragments/3384.bugfix Normal file
View File

@@ -0,0 +1 @@
Ensure that file:// protocol is not allowed in CURL

9
webmails/snuffleupagus.rules
View File

@@ -39,7 +39,9 @@ sp.disable_function.function("chmod").param("permissions").value("438").drop();
sp.disable_function.function("chmod").param("permissions").value("511").drop(); sp.disable_function.function("chmod").param("permissions").value("511").drop();
# Prevent various `mail`-related vulnerabilities # Prevent various `mail`-related vulnerabilities
# Uncommend the second rule if you're using php8.3+
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
# Since it's now burned, me might as well mitigate it publicly # Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
@@ -52,8 +54,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
sp.disable_function.function("extract").param("array").value_r("^_").drop() sp.disable_function.function("extract").param("array").value_r("^_").drop()
sp.disable_function.function("extract").param("flags").value("0").drop() sp.disable_function.function("extract").param("flags").value("0").drop()
# This is also burned: # See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# Since we have no way of matching on two parameters at the same time, we're # Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;) # Moreover, there are non-public bypasses that are also using this vector ;)
@@ -119,6 +120,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
# Ensure that file:// protocol is not allowed in CURL
sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
# File upload # File upload
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();