Changelog

0.10.0 - Babar the Elephant 2023/09/20

New features

  • Compatibility with PHP8.3
  • Add sp.log_max_len to limit the maximum size of the log messages
  • Add an example configuration for Xenforo 2.2.12

Breaking Changes

  • Url encode functions arguments when logging them

Bug fixes

  • Fix a possible NULL-byte truncation when outputting parameters in the logs
  • Make readonly_exec play nice on readonly filesystems

0.9.0 - Elephant seal 2023/01/03

New features

  • Compatibility with PHP8.2
  • Add the ability block object unserialization globally.

0.8.3 - Elephant Gambit 2022/08/27

New features

  • Add the ability to dump the parameter passed to eval
  • Add the ability to match on eval’s parameter
  • Add optional extended checks for readonly_exec
  • Add config error for ini rules with identical key
  • Add disabled functions return type to config export

Breaking Changes

  • Mix the stacktrace in the sha256 for the filename of .dump()

Bug fixes

  • Make it actually possible to configure sloppy comparison on latests PHP7
  • Allow file:// prefix in include() wich readonly_exec mode
  • Fix a possible crash when exporting function list
  • Fix a minor memory leak when parsing cookie-related configuration

0.8.2 - Surus 2022/05/20

Bug fixes

  • Fix compilation when ZTS is used
  • Fix a possible infinite loop

0.8.1 - Batyr 2022/05/16

Bug fixes

  • Fix the version number
  • Fix a test on PHP7

Breaking Changes

  • disable_xxe is changed to xxe_protection

0.8.0 - Woolly Mammoth 2022/05/15

New features

  • Compatibility with PHP8.1
  • Check for unsupported PHP version
  • Backport of Suhosin-ng patches:
    • Maximum stack depth/recursion limit
    • Maximum length for session id
    • $_SERVER strip/encode
    • Configuration dump
    • Support for conditional rules
    • INI settings protection
    • Output SP logs to stderr
    • Ported Suhosin rules to SP

Improvements

  • Massive simplification of the configuration parser
  • Better memory management
  • Removal of internal calls to call_user_func
  • Increased portability of the default rules access different version of PHP
  • Start SP as late as possible, to hook as many things as possible

Bug fixes

  • XML and Session support are now checked at runtime instead of at compile time

0.7.1 - Proboscidea 2021/08/02

Improvements

  • Improve compatibility with various libpcre configurations/versions
  • Modernise the code by removing usage of strtok
  • Improve the default rules’ compatibility with php8
  • Prevent XXE in php8 as well
  • Improve a bit the verbosity of the logs
  • Add a rules file for php8

Bug fixes

  • Prevent a possible crash during configuration reloading
  • Fix the default rules to catch dangerous chmod calls
  • Fixed possible memory-leaks when hooking via regular expressions

0.7.0 - Los Elefantes 2021/01/02

New features

  • PHP8 support
  • Stacktraces in dumps
  • The > operator now skips over functions

Improvements

  • Move the CI from travis to gitlab-ci
  • Some code simplifications and constifications
  • PCRE2 is now used when possible
  • The generate_rules.php script is now more portable

Bug fixes

  • The strict mode can now be disabled

0.6.0 - Elephant in the room 2020/11/06

New features

  • Allow empty configurations

Improvements

  • More constification
  • Snuffleupagus should now be able to get client’s ip addresses in more cases
  • Documented compatibility with Heroku
  • Improved logging
  • Added a couple of tests

0.5.1 - Order of the Elephant 2020/06/20

New features

  • Add support for syslog

Improvements

  • Improve OSX support
  • Improve marginally of php8+ compatibility
  • Improve php7.4 compatibility
  • Improve the default ruleset
  • Improve the documentation
  • Improve the gitlab CI

0.5.0 - Elephant Flats 2019/06/12

Improvements

  • Tighten a bit a command-injection prevention rule in the default rules set
  • Increased the portability of the testsuite
  • Improved documentation
  • Usual code cleanup
  • Snuffleupagus will throw an informative error when compiled for PHP5
  • Snuffleupagus will throw an informative error when compiled without PCRE support
  • The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
  • Some rules against now-known vulnerabilities/techniques were added

Bug fixes

  • PHP7.4 is fully supported, without any compilation warning
  • Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine).
  • Fix a compilation warning on FreeBSD
  • Cookies hardening is now supported on PHP7.3+

0.4.1 - Loxodonta 2018/12/21

Improvements

  • Improve and clarify the documentation
  • Add support for PHP7.3
  • Improve the coverage, we have reached 99% of coverage
  • Improve mb_string hooking logic
  • The script that check uploaded file is now available in PHP

Bug fixes

  • Fix segfault on 32-bit for PHP7.3
  • Fix segfault when using sloppy_comparison feature with array

0.4.0 - Oliphant Chuckerbutty 2018/08/31

New features

  • Add the possibility to whitelist stream wrappers
  • Snuffleupagus is now using php’s logging mechanisms, instead of outputting its log directly into the syslog.
  • PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.

Improvements

  • Significant code simplification for cookies handling thanks to Remi Collet
  • Our sloppy comparison feature is now complete
  • Snuffleupagus won’t start with an invalid config anymore, except if the sp.allow_broken_configuration is set.
  • It’s now possible to place virtual-patches on the return value of user-defined functions.
  • Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.

Bug fixes

  • Add some missing pieces of documentation and fix some links
  • Fix the make install command
  • Fix various compilation warnings
  • Snuffleupagus is now running on platforms that aren’t using the glibc, thanks to an external contributor Antoine Tenart

0.3.1 - Elephant Arch 2018/08/20

Improvements

  • Disable XXE and harden PRNG by default
  • Use SameSite on PHP’s session cookie in the default rules
  • Relax a bit what files can be included in the default rules
  • Add the possibility to ignore files hashes when generating rules
  • The filename filter is now accepting phar paths

Bug fixes

  • The harden rand_feature is not ignoring parameters anymore in function calls
  • Fix possible crashes/hangs when using php-fpm’s pools
  • Fix an infinite loop on echo hook
  • Fix an issue with filename filter
  • Fix some documentation issues
  • Fix the Arch Linux’s PKGBUILD

0.3.0 - Dentalium elephantinum 2018/07/17

New features

Improvements

  • The .filename() filter is now matching on the file where the function is called instead on the one where it’s defined.
  • Vastly optimize the way we hook native functions
  • The format of the logs has been streamlined to ease their processing

Bug fixes

  • Better handling of filters for built-in functions
  • Fix various possible integer overflows
  • Fix an annoying memory leak impacting mostly mod_php

0.2.2 - Elephant Moraine 2018/04/12

New features

  • The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist

Improvements

  • Add some assertions
  • Add more rules examples
  • Provide a script to check for malicious file uploads
  • Significant performances improvement (at least +20%)
  • Significantly improve the performances of our default rules set
  • Our readme file is now shinier
  • Minor code simplification

Bug fixes

  • Fix a crash related to variadic functions

0.2.1 - Elephant Point 2018/02/07

Bug fixes

  • The testsuite can now be successfully run as root
  • Fix a double execution when snuffleupagus is used with some other extensions
  • Fix an execution-context related crash

Improvements

  • Support PCRE2, since it’s required for PHP7.3
  • Improve a bit the portability of the code
  • Minor code simplification

0.2.0 - Elephant Rally - 2018/01/18

New features

  • Glob support in sp.configuration_file
  • Whitelist/blacklist functions in eval
  • phpinfo shows if the configuration is valid or not

Bug fixes

  • Off-by-one in configuration parsing fixed
  • Minor cookie-encryption related memory leaks fixes
  • Various crashes spotted by fr33tux fixes
  • Configuration files with windows EOL are correctly handled

Improvements

  • General code clean-up
  • Documentation overhaul
  • Compilation on FreeBSD and CentOS
  • Select which cookies to encrypt via regular expressions
  • Match on return values from user-defined functions

External contributions

  • Simplification and clean up of our linked-list implementation by smagnin

0.1.0 - Mighty Mammoth - 2017/12/21

  • Initial release