phpMyAdmin 5 eval silently failing #425
The following should work:
sp.disable_function.function("eval").filename_r("^/var/www/phpmyadmin/").allow();
sp.disable_function.function("eval").drop();
It's even tested in the testsuite. You might also want to check out the eval whitelist and blacklist.
Your suggested rules should have worked but did not. I've certainly seen your suggested rules work plenty of times, just not on phpMyAdmin 5. I've successfully compiled and configured snuffleupagus on at least 7 different instances prior to this, and what I'm experiencing now is unusual. I tried reconfiguring snuffleupagus with flags 1. When the conf file snuffleupages.rules has a single rule
The error log remains empty. 2. Changing snuffleupages.rules for the single rule to be commented out like so
And the error log:
Oddly, if I included extra line(s) at the end of the *.rules file, the script execution succeeds. 3. To rule out modifications I've made to the operating environment, I repeated the test scenario above (ensuring only snuffleupagus and the test.php file) on a fresh "micro" instance. Initially I was unable to replicate the issue operating entirely from the command line. However, if I run Results in "success":
Results in "Could not startup.":
I copied over the offending snuffleupages.rules file and was able to replicate this issue on the new VM instance. So, transferring the configuration file from an IDE fails, but modifying the configuration on the command line succeeds (tried vim, nano). I really don't know, but to me it looks like the PHP configuration parser is flubbing this. If the *.rules file ends with a non-parseable rule (even if it's a comment), then the configuration fails to load WHEN it is uploaded by an IDE that terminates the file with a NULL byte. This is easily corrected by opening the *.rules file in vim or nano, simply saving the file without making any changes, and closing the file. 4. Back full circle to the trouble I was having upstairs: I'm still not able to get phpMyAdmin 5.2.0 to work using your suggested rule(s). I've had trouble getting this to work in the past and I tossed the idea since v4 works just fine. I really appreciate snuffleupagus, the clear documentation, and the utility that it provides to harden PHPSEC, so I gave it a bigger effort this time around. Unfortunately, the way I am installing phpMyAdmin 5.2.0 does not fall in line with their official installation instructions.
Despite it being a completely functional phpMyAdmin 5, since it's not the official way of doing the installation and PHP exits silently when snuffleupagus attempts to conditionally disable For what it's worth, it appears that the snufflepagus rule
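The comment above describes a rules file that loads fine after re-saving in vim or nano but fails silently when an IDE upload leaves a NUL byte after an unterminated last line. The following is an added pre-deploy check (not snuffleupagus project code) that flags NUL bytes, a missing trailing newline and rule lines not ended by ';'; it assumes one rule per line and '#' comments.

```python
"""Sanity-check a snuffleupagus *.rules file before handing it to PHP.

Added example, not part of the snuffleupagus project. Assumptions: one
rule per line terminated by ';', comment lines start with '#'.
"""
import re

RULE_END = re.compile(r";\s*$")


def check_rules(data: bytes) -> list[str]:
    """Return human-readable problems found in the raw rules file bytes."""
    problems = []
    nul = data.find(b"\x00")
    if nul != -1:
        # Line number of the first NUL byte, 1-based, for the report.
        line_no = data.count(b"\n", 0, nul) + 1
        problems.append(f"NUL byte at offset {nul} (line {line_no})")
    if data and not data.rstrip(b"\x00").endswith(b"\n"):
        problems.append("file does not end with a newline")
    text = data.replace(b"\x00", b"").decode("utf-8", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if not RULE_END.search(s):
            problems.append(f"line {n}: rule not terminated by ';': {s!r}")
    return problems


def clean_rules(data: bytes) -> bytes:
    """Strip NUL bytes and guarantee a trailing newline (what re-saving did)."""
    out = data.replace(b"\x00", b"")
    if out and not out.endswith(b"\n"):
        out += b"\n"
    return out


# Constructed sample in the shape the thread describes: one rule, then a
# comment line with no newline, followed by a NUL byte from the IDE upload.
SAMPLE_BAD = b'sp.disable_function.function("eval").drop();\n# trailing comment\x00'

if __name__ == "__main__":
    for p in check_rules(SAMPLE_BAD):
        print("problem:", p)
    print("clean:", clean_rules(SAMPLE_BAD))
```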
@bef since you refactored the rules processing, can you take a look at this one?
Looks like it chokes on
Also, how the fuck is What a horrible language.
I can confirm that So, whatever this is, it needs further investigation.
Been using snuffleupagus for some time, and I see that phpMyAdmin 5.2.0 silently fails to load with a single rule:
sp.disable_function.function("eval").drop();
or sp.disable_function.function("eval").allow();
or sp.disable_function.function("eval").drop().simulate();
or sp.disable_function.function("eval").filename_r(".*").allow();
or sp.disable_function.function("eval").filename_r("var/www/phpmyadmin/.*$").allow();
No error is logged, and I get a blank page with 200 status.
An invalid conf rule such as:
sp.disable_function.function("eval").simulate();
will correctly log as:
[20-Jun-2022 16:09:20 UTC] PHP Fatal error: [snuffleupagus][1.2.3.4][config][log] Unexpected keyword 'simulate' on line 1 in Unknown on line 0
So the question is: How may I selectively enable eval for phpmyadmin?
I'm using snuffleupagus v0.8.2, and I tried this with php7.4-fpm and php-cgi7.4.
By disabling this single eval rule, the phpMyAdmin 5 page(s) will load.
The eval rule might be triggered because of this.
Also found these conversations which may be related:
• Snuffleupagus writable execution of eval'd code ? #409
• Is there any chance I can avoid using eval in Twig? #2428