From 3c945d7ee7b7be6001a5e0b1eefc7cb8d396f1ac Mon Sep 17 00:00:00 2001
From: hoellen
Date: Fri, 6 May 2022 09:26:00 +0200
Subject: [PATCH] snuffleupagus: Add exception rule for Nextcloud
---
 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
index 4f7a602..16741c1 100644
--- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
+++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
@@ -1,7 +1,7 @@
 # This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
 # for php8.
 # It contains "reasonable" defaults that won't break your websites,
-# and a lot of commented directives that you can enable if you want to
+# and a lot of commented directives that you can enable if you want to
 # have a better protection.
 # Harden the PRNG
@@ -34,7 +34,7 @@ sp.sloppy_comparison.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Nextcloud whitelist (tested with Nextcloud 23.0.2)
+# Nextcloud whitelist (tested with Nextcloud 24.0.0)
 sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
 sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow();
@@ -43,6 +43,7 @@ sp.disable_function.function("function_exists").param("function").value("exec").
 sp.disable_function.function("ini_get").param("option").value_r("suhosin").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/symfony/process/ExecutableFinder.php").allow();
+sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 sp.disable_function.function("chmod").param("permissions").value("438").drop();
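Review bot: The added `ini_get` / `allow_url_fopen` exception for `guzzle/src/Utils.php` has no comment saying why Nextcloud needs it, so a later maintainer cannot tell when the exception can be removed. I would put a line such as `# Guzzle reads allow_url_fopen in Utils.php when selecting its default HTTP handler (read-only check, Nextcloud 24)` directly above the rule; the Guzzle behaviour is my reading of the library and should be confirmed against the bundled version. The rule itself is narrowly scoped, with an exact `value("allow_url_fopen")` and a single `filename`, which is the right shape for an allow entry. It only takes effect if it is evaluated before the generic `ini_get` drop rules, which lie outside this hunk, so that ordering is worth confirming. The path is pinned to `/nextcloud/3rdparty/`, so a Guzzle copy vendored by an app under `/nextcloud/apps2/` would still be dropped, which is the safer default but may show up in the Snuffleupagus log.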