Changelog

0.4.0 - Oliphant Chuckerbutty 2018/08/31

New features

  • Add the possibility to whitelist stream wrappers
  • Snuffleupagus is now using php’s logging mechanisms, instead of outputting its log directly into the syslog.
  • PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.

Improvements

  • Significant code simplification for cookies handling thanks to Remi Collet
  • Our sloppy comparison feature is now complete
  • Snuffleupagus won’t start with an invalid config anymore, except if the sp.allow_broken_configuration is set.
  • It’s now possible to place virtual-patches on the return value of user-defined functions.
  • Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.

Bug fixes

  • Add some missing pieces of documentation and fix some links
  • Fix the make install command
  • Fix various compilation warnings
  • Snuffleupagus is now running on platforms that aren’t using the glibc, thanks to an external contributor Antoine Tenart

0.3.1 - Elephant Arch 2018/08/20

Improvements

  • Disable XXE and harden PRNG by default
  • Use SameSite on PHP’s session cookie in the default rules
  • Relax a bit what files can be included in the default rules
  • Add the possibility to ignore files hashes when generating rules
  • The filename filter is now accepting phar paths

Bug fixes

  • The harden rand_feature is not ignoring parameters anymore in function calls
  • Fix possible crashes/hangs when using php-fpm’s pools
  • Fix an infinite loop on echo hook
  • Fix an issue with filename filter
  • Fix some documentation issues
  • Fix the Arch Linux’s PKGBUILD

0.3.0 - Dentalium elephantinum 2018/07/17

New features

Improvements

  • The .filename() filter is now matching on the file where the function is called instead on the one where it’s defined.
  • Vastly optimize the way we hook native functions
  • The format of the logs has been streamlined to ease their processing

Bug fixes

  • Better handling of filters for built-in functions
  • Fix various possible integer overflows
  • Fix an annoying memory leak impacting mostly mod_php

0.2.2 - Elephant Moraine 2018/04/12

New features

  • The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist

Improvements

  • Add some assertions
  • Add more rules examples
  • Provide a script to check for malicious file uploads
  • Significant performances improvement (at least +20%)
  • Significantly improve the performances of our default rules set
  • Our readme file is now shinier
  • Minor code simplification

Bug fixes

  • Fix a crash related to variadic functions

0.2.1 - Elephant Point 2018/02/07

Bug fixes

  • The testsuite can now be successfully run as root
  • Fix a double execution when snuffleupagus is used with some other extensions
  • Fix an execution-context related crash

Improvements

  • Support PCRE2, since it’s required for PHP7.3
  • Improve a bit the portability of the code
  • Minor code simplification

0.2.0 - Elephant Rally - 2018/01/18

New features

  • Glob support in sp.configuration_file
  • Whitelist/blacklist functions in eval
  • phpinfo shows if the configuration is valid or not

Bug fixes

  • Off-by-one in configuration parsing fixed
  • Minor cookie-encryption related memory leaks fixes
  • Various crashes spotted by fr33tux fixes
  • Configuration files with windows EOL are correctly handled

Improvements

  • General code clean-up
  • Documentation overhaul
  • Compilation on FreeBSD and CentOS
  • Select which cookies to encrypt via regular expressions
  • Match on return values from user-defined functions

External contributions

  • Simplification and clean up of our linked-list implementation by smagnin

0.1.0 - Mighty Mammoth - 2017/12/21

  • Initial release