Allow with specified parameter flags only

Some functions can be called with flags or bitmasks, for example:

json_encode($foo, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT);

Let's say you want to disallow json_encode() except when called with the JSON_HEX_APOS (integer 4) flag. In the call above, the value of the second parameter (JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT) is 13 (1 | 4 | 8). For the extension to be able to "find" the 4 in 13, you need to use the ParamFlags family of config options:

  • allowParamFlagsInAllowed
  • allowParamFlagsAnywhere
  • allowExceptParamFlagsInAllowed or disallowParamFlagsInAllowed
  • allowExceptParamFlags or disallowParamFlags

They work like their non-flags Param counterparts, except that they check whether specific bits in the mask parameter are set.

The json_encode() example mentioned above would look like the following snippet:

parameters:
    disallowedFunctionCalls:
        -
            function: 'json_encode'
            allowParamFlagsAnywhere:
                -
                    position: 2
                    value: ::JSON_HEX_APOS
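
The bit test behind "finding the 4 in 13", as an added example that is not code from the extension: it contrasts an exact value comparison with a bitmask check over a few constructed json_encode() flag arguments, then shows what JSON_HEX_APOS changes in the output. The helper name hasFlags() and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the extension): true when every bit of
// $required is also set in $mask.
function hasFlags(int $mask, int $required): bool
{
    return ($mask & $required) === $required;
}

// Constructed samples: possible second arguments to json_encode().
$masks = [
    'JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT' => JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT,
    'JSON_HEX_APOS'                                => JSON_HEX_APOS,
    'JSON_HEX_TAG | JSON_HEX_QUOT'                 => JSON_HEX_TAG | JSON_HEX_QUOT,
    'JSON_PRETTY_PRINT'                            => JSON_PRETTY_PRINT,
    '0'                                            => 0,
];

foreach ($masks as $label => $mask) {
    // An exact comparison only matches the bare flag; the bit test also
    // matches any combination that includes it.
    printf(
        "%-46s mask=%-4d equals JSON_HEX_APOS: %-4s bit set: %s\n",
        $label,
        $mask,
        $mask === JSON_HEX_APOS ? 'yes' : 'no',
        hasFlags($mask, JSON_HEX_APOS) ? 'yes' : 'no'
    );
}

// What the flag changes: the apostrophe is emitted as a \u0027 escape,
// so it cannot terminate a single-quoted attribute or string the JSON
// is embedded in. The value below is constructed sample data.
$value = ['name' => "O'Brien"];
echo json_encode($value), "\n";
echo json_encode($value, JSON_HEX_APOS), "\n";
```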