Description
The default rules matching the exec-like functions (tested with exec() and system()) crash PHP with an Out-Of-Memory error.
Using the following minimal test file directly invoked from the web root:
<?php
$gs = exec( 'foo' );
echo "YES";
The default rule:
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
Generates the following error:
snuffleupagus[8497]: [snuffleupagus][0.0.0.0][regexp][log] Something went wrong with a regexp (-51). in /█████/test.php on line 4
syslogd: last message repeated 6222 times
httpd[8497]: PHP Fatal error: Out of memory (allocated 2097152) (tried to allocate 4096 bytes) in /██████/test.php on line 4
This issue is not linked to the regex or even anything actually related to the parameter, as replacing this rule by:
sp.disable_function.function("exec").param("command").value("bar").drop();
or even:
sp.disable_function.function("exec").param("foo").value("bar").drop();
Generates even worse Out-Of-Memory errors, this time uncontrolled by PHP: the HTTP process goes from around 100 MB to over 1 GB, depending on what limit is imposed by the OS, and finally gets killed by the OS, producing either:
mmap() failed: [12] Cannot allocate memory
or more often:
[core:notice] [pid 36478:tid AH00052: child pid 37333 exit signal Illegal instruction (4)
error messages.
Commenting out these rules in the Snuffleupagus configuration removes the issues.
Other rules seem to work OK, including, for instance, regex rules matching on SQL requests, which use the same syntax. I therefore have the impression that this issue is linked to some specific behavior or implementation of these exec-like functions.
I'm using FreeBSD with PHP as an Apache module, latest package versions: php80-8.0.6, php80-snuffleupagus-0.7.0.
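As an added illustration (not part of the original report and not Snuffleupagus code), the Python sketch below models how the three rules quoted above are read and which `exec` calls each one is meant to drop. The filter semantics and the backslash unescaping inside the quoted strings are simplifying assumptions, and the sample commands are constructed; under this model none of the three rules matches the test file's `exec('foo')` call.

```python
import re

# The three rules quoted in the issue, copied verbatim from the report.
RULES = [
    r'sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();',
    'sp.disable_function.function("exec").param("command").value("bar").drop();',
    'sp.disable_function.function("exec").param("foo").value("bar").drop();',
]

# Matches one .name("argument") filter; the argument may contain backslash escapes.
FILTER = re.compile(r'\.(\w+)\("((?:[^"\\]|\\.)*)"\)')


def parse_rule(line):
    """Return {filter_name: argument} for a disable_function rule line."""
    # Assumption: inside the quotes a backslash escapes the next character.
    return {name: re.sub(r'\\(.)', r'\1', arg) for name, arg in FILTER.findall(line)}


def rule_matches(rule, function, args):
    """True when a call function(**args) satisfies every filter of the rule."""
    if rule.get("function") != function:
        return False
    value = args.get(rule.get("param"))
    if value is None:          # the call has no parameter with that name
        return False
    if "value_r" in rule:      # regular-expression comparison
        return re.search(rule["value_r"], value) is not None
    return value == rule.get("value")   # literal comparison


def verdicts(function, args):
    """Evaluate all three quoted rules against one call."""
    return [rule_matches(parse_rule(r), function, args) for r in RULES]


if __name__ == "__main__":
    # Constructed sample calls; the first is the call from the issue's test file.
    for command in ["foo", "bar", "ls; id", "echo $(date)"]:
        print(repr(command), verdicts("exec", {"command": command}))
```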