generate_rules.php: why forbid curl_exec and curl_multi_exec?

[bohwaz]

These functions cannot execute any code, they can just launch HTTP requests.

[jvoisin]

curl_exec can be used with file:// to read local files, as well as other not-that-know nasty tricks to perform interesting things™

[bohwaz]

Ah yes forgot about that! I suggested a PR to protect against this. This shouldn't break much existing code as I can't see a lot of use.

[jvoisin]

Unfortunately, curl supports a lot of protocols, I don't think a deny-list is the way to go. Moreover, another stupid vector would be SSRF as well.

[bohwaz]

Yes but only file:// allows to fetch local files :)

The best would be the ability for PHP to force the allowed CURL protocols using a ini setting.

[jvoisin]

Not really no: having an attacker able to control the parameter of curl_exec effectively results in a port-scanner/proxy, even when http/https is the only protocol enabled.

[bohwaz]

As with most of snuffleupagus features and rules, it will not help against all attacks, but this will still mitigate one class of attack, still useful IMHO.

[jvoisin]

Moving from "curl_exec can't be user-controlled easily" to "curl_exec can't use file://" does significatively reduce the amount of attacks that is defended against though.

[bohwaz]

Yes, but when you need to use curl, you don't have a choice :)

[jvoisin]

Then it would make sense to comment the rule, and add a new more tailored one. The default rules are meant as a starting point/example, not as a comprehensive solution :)