Fix major security issue by overriding Symfony ExpressionLanguage's default constant() method. The ExpressionLanguage is used by the ruler for conditional groups and could have been leveraged to guess constant values such as DB credentials.

This commit is contained in:
osaajani 2020-04-03 21:22:13 +02:00
parent 3a27a3ba73
commit d699a2db80
1 changed files with 10 additions and 0 deletions


@ -18,7 +18,17 @@ class ExpressionProvider implements ExpressionFunctionProviderInterface
{
public function getFunctions()
{
//Override default constant() function to make it return null
//This will prevent the use of constant() func to read constants with security impact (such as session, db credentials, etc.)
$neutralized_constant = new ExpressionFunction('constant', function ($str) {
return null;
}, function ($arguments, $str) {
return null;
});
return [
$neutralized_constant,
ExpressionFunction::fromPhp('is_null', 'exists'),
ExpressionFunction::fromPhp('mb_strtolower', 'lower'),
ExpressionFunction::fromPhp('mb_strtoupper', 'upper'),