Allow named params & non-CSPRNG insecure calls & PHP 8.2 #152
Closed
spaze
announced in
Announcements
Replies: 1 comment
-
2.11.1 was just released to fix a bug which prevented the named param config to work properly (#156). |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Overview
Bit more things this time I even had to use headings. In no particular order:
allowParams*
config options, see below, previously only positional params were accepted (Support named parameters in allowParams* config keys #141, thanks @ilazaridis for the inital implementation)allowParamFlagsAnywhere
#151)disallowed-insecure-calls.neon
bundled config file now disallows insecure randomness functionsrand()
,mt_rand()
,lcg_value()
,uniqid()
(Disallow insecure randomness functions #145, thanks @compwright)disable_functions
,disable_classes
) and now there's a config generator script inbin/generate-from-disabled.php
which will read the PHP config and dump the generated NEON config to STDOUT which you can fine-tune and commit to your repository (A script to generate config from 'disable_functions' & 'disable_classes' #149, loosely based on an idea by @staabm, thanks)Named params
Named params are now fully supported, even mixed usage of both positional and named
For example, to allow a function
foo(string $message, bool $alert): void
when called with$alert
=true
:All keys are optional although I'd definitely recommend adding both
position
andname
. Thevalue
key doesn't need to be specified withallowParams*AnyValue
.The old-style shortcusts still work:
But they're not recommended because sometimes, somewhere, you may suddenly use a named parameter and you'd start to see disallowed calls for no apparent reason. Some of the bundled config files still use these shortcuts, so they'll be supported for, I think, ever.
Allow a call with a flag in a bitmask param
This very same excerpt was also added to the README.
Some functions can be called with flags or bitmasks, for example
Let's say you want to disallow
json_encode()
except when called withJSON_HEX_APOS
(integer4
) flag. In the call above, the value of the second parameter (JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT
) is13
(1 | 4 | 8
).For the extension to be able to "find" the
4
in13
, you need to use theParamFlags
family of config options:allowParamFlagsInAllowed
allowParamFlagsAnywhere
allowExceptParamFlagsInAllowed
ordisallowParamFlagsInAllowed
allowExceptParamFlags
ordisallowParamFlags
They work like their non-flags
Param
counterparts except they're looking if specific bits in the mask parameter are set.The
json_encode()
example mentioned above would look like the following snippet:This discussion was created from the release Allow named params & non-CSPRNG insecure calls & PHP 8.2.
Beta Was this translation helpful? Give feedback.
All reactions