0.10.0 - Babar the Elephant 2023/09/20

New features

  • Compatibility with PHP8.3

  • Add sp.log_max_len to limit the maximum size of the log messages

  • Add an example configuration for Xenforo 2.2.12

Breaking Changes

  • Url encode functions arguments when logging them

Bug fixes

  • Fix a possible NULL-byte truncation when outputting parameters in the logs

  • Make readonly_exec play nice on readonly filesystems

0.9.0 - Elephant seal 2023/01/03

New features

  • Compatibility with PHP8.2

  • Add the ability block object unserialization globally.

0.8.3 - Elephant Gambit 2022/08/27

New features

  • Add the ability to dump the parameter passed to eval

  • Add the ability to match on eval’s parameter

  • Add optional extended checks for readonly_exec

  • Add config error for ini rules with identical key

  • Add disabled functions return type to config export

Breaking Changes

  • Mix the stacktrace in the sha256 for the filename of .dump()

Bug fixes

  • Make it actually possible to configure sloppy comparison on latests PHP7

  • Allow file:// prefix in include() wich readonly_exec mode

  • Fix a possible crash when exporting function list

  • Fix a minor memory leak when parsing cookie-related configuration

0.8.2 - Surus 2022/05/20

Bug fixes

  • Fix compilation when ZTS is used

  • Fix a possible infinite loop

0.8.1 - Batyr 2022/05/16

Bug fixes

  • Fix the version number

  • Fix a test on PHP7

Breaking Changes

  • disable_xxe is changed to xxe_protection

0.8.0 - Woolly Mammoth 2022/05/15

New features

  • Compatibility with PHP8.1

  • Check for unsupported PHP version

  • Backport of Suhosin-ng patches:

    • Maximum stack depth/recursion limit

    • Maximum length for session id

    • $_SERVER strip/encode

    • Configuration dump

    • Support for conditional rules

    • INI settings protection

    • Output SP logs to stderr

    • Ported Suhosin rules to SP


  • Massive simplification of the configuration parser

  • Better memory management

  • Removal of internal calls to call_user_func

  • Increased portability of the default rules access different version of PHP

  • Start SP as late as possible, to hook as many things as possible

Bug fixes

  • XML and Session support are now checked at runtime instead of at compile time

0.7.1 - Proboscidea 2021/08/02


  • Improve compatibility with various libpcre configurations/versions

  • Modernise the code by removing usage of strtok

  • Improve the default rules’ compatibility with php8

  • Prevent XXE in php8 as well

  • Improve a bit the verbosity of the logs

  • Add a rules file for php8

Bug fixes

  • Prevent a possible crash during configuration reloading

  • Fix the default rules to catch dangerous chmod calls

  • Fixed possible memory-leaks when hooking via regular expressions

0.7.0 - Los Elefantes 2021/01/02

New features

  • PHP8 support

  • Stacktraces in dumps

  • The > operator now skips over functions


  • Move the CI from travis to gitlab-ci

  • Some code simplifications and constifications

  • PCRE2 is now used when possible

  • The generate_rules.php script is now more portable

Bug fixes

  • The strict mode can now be disabled

0.6.0 - Elephant in the room 2020/11/06

New features

  • Allow empty configurations


  • More constification

  • Snuffleupagus should now be able to get client’s ip addresses in more cases

  • Documented compatibility with Heroku

  • Improved logging

  • Added a couple of tests

0.5.1 - Order of the Elephant 2020/06/20

New features

  • Add support for syslog


  • Improve OSX support

  • Improve marginally of php8+ compatibility

  • Improve php7.4 compatibility

  • Improve the default ruleset

  • Improve the documentation

  • Improve the gitlab CI

0.5.0 - Elephant Flats 2019/06/12


  • Tighten a bit a command-injection prevention rule in the default rules set

  • Increased the portability of the testsuite

  • Improved documentation

  • Usual code cleanup

  • Snuffleupagus will throw an informative error when compiled for PHP5

  • Snuffleupagus will throw an informative error when compiled without PCRE support

  • The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.

  • Some rules against now-known vulnerabilities/techniques were added

Bug fixes

  • PHP7.4 is fully supported, without any compilation warning

  • Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine).

  • Fix a compilation warning on FreeBSD

  • Cookies hardening is now supported on PHP7.3+

0.4.1 - Loxodonta 2018/12/21


  • Improve and clarify the documentation

  • Add support for PHP7.3

  • Improve the coverage, we have reached 99% of coverage

  • Improve mb_string hooking logic

  • The script that check uploaded file is now available in PHP

Bug fixes

  • Fix segfault on 32-bit for PHP7.3

  • Fix segfault when using sloppy_comparison feature with array

0.4.0 - Oliphant Chuckerbutty 2018/08/31

New features

  • Add the possibility to whitelist stream wrappers

  • Snuffleupagus is now using php’s logging mechanisms, instead of outputting its log directly into the syslog.

  • PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.


  • Significant code simplification for cookies handling thanks to Remi Collet

  • Our sloppy comparison feature is now complete

  • Snuffleupagus won’t start with an invalid config anymore, except if the sp.allow_broken_configuration is set.

  • It’s now possible to place virtual-patches on the return value of user-defined functions.

  • Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.

Bug fixes

  • Add some missing pieces of documentation and fix some links

  • Fix the make install command

  • Fix various compilation warnings

  • Snuffleupagus is now running on platforms that aren’t using the glibc, thanks to an external contributor Antoine Tenart

0.3.1 - Elephant Arch 2018/08/20


  • Disable XXE and harden PRNG by default

  • Use SameSite on PHP’s session cookie in the default rules

  • Relax a bit what files can be included in the default rules

  • Add the possibility to ignore files hashes when generating rules

  • The filename filter is now accepting phar paths

Bug fixes

  • The harden rand_feature is not ignoring parameters anymore in function calls

  • Fix possible crashes/hangs when using php-fpm’s pools

  • Fix an infinite loop on echo hook

  • Fix an issue with filename filter

  • Fix some documentation issues

  • Fix the Arch Linux’s PKGBUILD

0.3.0 - Dentalium elephantinum 2018/07/17

New features


  • The .filename() filter is now matching on the file where the function is called instead on the one where it’s defined.

  • Vastly optimize the way we hook native functions

  • The format of the logs has been streamlined to ease their processing

Bug fixes

  • Better handling of filters for built-in functions

  • Fix various possible integer overflows

  • Fix an annoying memory leak impacting mostly mod_php

0.2.2 - Elephant Moraine 2018/04/12

New features

  • The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist


  • Add some assertions

  • Add more rules examples

  • Provide a script to check for malicious file uploads

  • Significant performances improvement (at least +20%)

  • Significantly improve the performances of our default rules set

  • Our readme file is now shinier

  • Minor code simplification

Bug fixes

  • Fix a crash related to variadic functions

0.2.1 - Elephant Point 2018/02/07

Bug fixes

  • The testsuite can now be successfully run as root

  • Fix a double execution when snuffleupagus is used with some other extensions

  • Fix an execution-context related crash


  • Support PCRE2, since it’s required for PHP7.3

  • Improve a bit the portability of the code

  • Minor code simplification

0.2.0 - Elephant Rally - 2018/01/18

New features

  • Glob support in sp.configuration_file

  • Whitelist/blacklist functions in eval

  • phpinfo shows if the configuration is valid or not

Bug fixes

  • Off-by-one in configuration parsing fixed

  • Minor cookie-encryption related memory leaks fixes

  • Various crashes spotted by fr33tux fixes

  • Configuration files with windows EOL are correctly handled


  • General code clean-up

  • Documentation overhaul

  • Compilation on FreeBSD and CentOS

  • Select which cookies to encrypt via regular expressions

  • Match on return values from user-defined functions

External contributions

  • Simplification and clean up of our linked-list implementation by smagnin

0.1.0 - Mighty Mammoth - 2017/12/21

  • Initial release