snuffleupagus 11

core/base/Dockerfile

@@ -27,7 +27,7 @@ CMD /bin/bash
 FROM system as build
 
 ARG MAILU_DEPS=prod
-ARG SNUFFLEUPAGUS_VERSION=0.10.0
+ARG SNUFFLEUPAGUS_VERSION=0.11.0
 
 ENV VIRTUAL_ENV=/app/venv
 

towncrier/newsfragments/3647.misc

@@ -0,0 +1 @@
+Upgrade to snuffleupagus 0.11, filter php:// wrapper types

webmails/snuffleupagus.rules

@@ -26,6 +26,8 @@ sp.readonly_exec.enable();
 # PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 sp.wrappers_whitelist.list("file,php,phar,mailsosubstreams,mailsoliteral,mailsotempfile,mailsobinary");
+# The "php" wrapper can be further filtered: we probably don't want 'filter' nor 'fd'
+sp.wrappers_whitelist.php_list("stdout,stdin,stderr,input,output,memory,temp");
 
 # Prevent sloppy comparisons.
 sp.sloppy_comparison.enable();