From 9a928f8c7b68b8d0d537b85bb4cf1b695f48d16b Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 16 Nov 2024 22:11:13 +0100
Subject: [PATCH] snuffleupagus 11
---
 core/base/Dockerfile | 2 +-
 towncrier/newsfragments/3647.misc | 1 +
 webmails/snuffleupagus.rules | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/3647.misc
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 5e3ad092..2f49c5ad 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -27,7 +27,7 @@ CMD /bin/bash
 FROM system as build
 ARG MAILU_DEPS=prod
-ARG SNUFFLEUPAGUS_VERSION=0.10.0
+ARG SNUFFLEUPAGUS_VERSION=0.11.0
 ENV VIRTUAL_ENV=/app/venv
diff --git a/towncrier/newsfragments/3647.misc b/towncrier/newsfragments/3647.misc
new file mode 100644
index 00000000..73400fb8
--- /dev/null
+++ b/towncrier/newsfragments/3647.misc
@@ -0,0 +1 @@
+Upgrade to snuffleupagus 0.11, filter php:// wrapper types
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 3d4713f8..ba6947e8 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -26,6 +26,8 @@ sp.readonly_exec.enable();
 # PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 sp.wrappers_whitelist.list("file,php,phar,mailsosubstreams,mailsoliteral,mailsotempfile,mailsobinary");
+# The "php" wrapper can be further filtered: we probably don't want 'filter' nor 'fd'
+sp.wrappers_whitelist.php_list("stdout,stdin,stderr,input,output,memory,temp");
 # Prevent sloppy comparisons.
 sp.sloppy_comparison.enable();
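Review bot: The comment added above `sp.wrappers_whitelist.php_list(...)` in webmails/snuffleupagus.rules says only that 'filter' and 'fd' are "probably" unwanted, so a later maintainer cannot tell whether the seven streams that remain were checked against what the webmails actually open or were simply kept by default. I would record the reason for the exclusion and the basis of the allowlist, for example `# php://filter and php://fd are deliberately not listed: filter lets a stream URL transform the data being read or written, fd reaches already-open descriptors.` followed by `# Every entry below should be one a webmail really opens; drop any that are not (TODO confirm per webmail).` The directive also appears to depend on the 0.11.0 bump made in core/base/Dockerfile by this same patch, and SNUFFLEUPAGUS_VERSION is a build ARG that can be overridden, so a line such as `# Requires snuffleupagus >= 0.11 (php_list).` would make that coupling visible in the rules file itself.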