Snuffleupagus 0.10.0 when loaded via Apache only applies ruleset when it has no comments #477
Comments
This sounds both equally wrong and horrible. The configuration parser was a bit simplified in cee5535, so odds are that if something is wrong, it should be in it. However, Snuffleupagus doesn't care whether it's running under Apache or whatever else. Do you have some funky sandboxing going on with Apache that might prevent the php process from reading the rules? If it's the case, Snuffleupagus should complain about it in its logs and in a You can use the
We are using
Also, it did not complain about any parsing issues in either the Apache log file or in
Indeed, but you said that it's working in the cli, which is super-duper-confusing :/ Are you sure you're running the same versions in the cli and in apache?
Yes, there's only a single
@remicollet might know :) Anyway, the plot thickens! I'll try to play with comments in configuration files maybe tomorrow, more likely this weekend.
FWIW, I tried to use my rebuilt RPM with a copy of the config with the comments restored, and it did the same thing (I built the package with
I didn't manage to reproduce the issue on my end :/
Can I suggest dumping out the phpinfo()/php -i for cli and for Apache? It's entirely possible they're using different ini files.
I'm experimenting with using Snuffleupagus to further secure our PHP runtime environments. With 0.9.0, the ruleset I'd worked up applies and catches denied function calls, and with 0.10.0, when run via the PHP CLI it does as well.
However, I discovered that with 0.10.0, the same ruleset does... literally nothing with PHP loaded into Apache. I removed everything but a single drop() directive and it worked, then I tried re-adding some other material and it again didn't work.
A bit more experimentation revealed that, when I removed all the inline comments, the ruleset then worked. I'm not sure why it's only when loaded via Apache, but that is definitely the case; after removing comments, the function drop() directives work as expected.
Please let me know what further information I can provide. Thanks.