Changelog
New features
- Compatibility with PHP8.3
- Add sp.log_max_len to limit the maximum size of the log messages
- Add an example configuration for Xenforo 2.2.12
Breaking Changes
- URL-encode function arguments when logging them
Bug fixes
- Fix a possible NULL-byte truncation when outputting parameters in the logs
- Make readonly_exec play nice on readonly filesystems
New features
- Compatibility with PHP8.2
- Add the ability to block object unserialization globally
New features
- Add the ability to dump the parameter passed to eval
- Add the ability to match on eval’s parameter
- Add optional extended checks for readonly_exec
- Add config error for ini rules with identical key
- Add disabled functions return type to config export
Breaking Changes
- Mix the stacktrace into the sha256 used for the filename of .dump()
Bug fixes
- Make it actually possible to configure sloppy comparison on the latest PHP7 releases
- Allow the file:// prefix in include() when readonly_exec mode is enabled
- Fix a possible crash when exporting function list
- Fix a minor memory leak when parsing cookie-related configuration
0.8.2 - Surus 2022/05/20
Bug fixes
- Fix compilation when ZTS is used
- Fix a possible infinite loop
0.8.1 - Batyr 2022/05/16
Bug fixes
- Fix the version number
- Fix a test on PHP7
Breaking Changes
- disable_xxe is renamed to xxe_protection
New features
- Compatibility with PHP8.1
- Check for unsupported PHP version
- Backport of Suhosin-ng patches:
  - Maximum stack depth/recursion limit
  - Maximum length for session id
  - $_SERVER strip/encode
  - Configuration dump
  - Support for conditional rules
  - INI settings protection
  - Output SP logs to stderr
  - Ported Suhosin rules to SP
Improvements
- Massive simplification of the configuration parser
- Better memory management
- Removal of internal calls to call_user_func
- Increased portability of the default rules across different versions of PHP
- Start SP as late as possible, to hook as many things as possible
Bug fixes
- XML and Session support are now checked at runtime instead of at compile time
Improvements
- Improve compatibility with various libpcre configurations/versions
- Modernise the code by removing usage of strtok
- Improve the default rules’ compatibility with php8
- Prevent XXE in php8 as well
- Slightly improve the verbosity of the logs
- Add a rules file for php8
Bug fixes
- Prevent a possible crash during configuration reloading
- Fix the default rules to catch dangerous chmod calls
- Fixed possible memory-leaks when hooking via regular expressions
New features
- PHP8 support
- Stacktraces in dumps
- The > operator now skips over functions
Improvements
- Move the CI from travis to gitlab-ci
- Some code simplifications and constifications
- PCRE2 is now used when possible
- The generate_rules.php script is now more portable
Bug fixes
- The strict mode can now be disabled
New features
- Allow empty configurations
Improvements
- More constification
- Snuffleupagus should now be able to get client’s ip addresses in more cases
- Documented compatibility with Heroku
- Improved logging
- Added a couple of tests
Improvements
- Improve OSX support
- Marginally improve php8+ compatibility
- Improve php7.4 compatibility
- Improve the default ruleset
- Improve the documentation
- Improve the gitlab CI
Improvements
- Slightly tighten a command-injection prevention rule in the default rule set
- Increased the portability of the testsuite
- Improved documentation
- Usual code cleanup
- Snuffleupagus will throw an informative error when compiled for PHP5
- Snuffleupagus will throw an informative error when compiled without PCRE support
- The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
- Some rules against now-known vulnerabilities/techniques were added
Bug fixes
- PHP7.4 is fully supported, without any compilation warning
- Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine).
- Fix a compilation warning on FreeBSD
- Cookies hardening is now supported on PHP7.3+
0.4.1 - Loxodonta 2018/12/21
Improvements
- Improve and clarify the documentation
- Add support for PHP7.3
- Improve test coverage, which has reached 99%
- Improve mb_string hooking logic
- The script that checks uploaded files is now available in PHP
Bug fixes
- Fix segfault on 32-bit for PHP7.3
- Fix segfault when using the sloppy_comparison feature with arrays
New features
- Add the possibility to whitelist stream wrappers
- Snuffleupagus is now using php’s logging mechanisms, instead of outputting its log directly into the syslog.
- PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.
Improvements
- Significant code simplification for cookies handling thanks to Remi Collet
- Our sloppy comparison feature is now complete
- Snuffleupagus won’t start with an invalid config anymore, except if sp.allow_broken_configuration is set.
- It’s now possible to place virtual-patches on the return value of user-defined functions.
- Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.
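As an added example, not code from the Snuffleupagus project or its documentation, the following PHP script shows the behaviour that the sloppy comparison feature above is meant to flag: loose == comparison silently converts numeric-looking strings to numbers, so distinct secrets compare equal, whereas === and hash_equals() do not. All sample values are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of Snuffleupagus. Sample values are constructed.

// Pairs of distinct strings that PHP's == operator reports as equal.
// Each pair consists of numeric strings, so they are compared as numbers;
// this holds on PHP 7 and PHP 8 alike.
function loosePitfalls(): array
{
    return [
        // Two hash-shaped strings of the form 0e<digits>: both parse as 0.0.
        'magic_hash' => '0e462097431906509019562988736854' == '0e830400451993494058024219903391',
        // Exponent notation versus plain digits.
        'exponent'   => '1e3' == '1000',
        // Leading whitespace is allowed in numeric strings.
        'whitespace' => ' 1' == '1',
        // Integer versus float spelling.
        'float'      => '10' == '10.0',
        // in_array() is loose by default, so an allow-list check leaks too.
        'in_array'   => in_array('1e3', ['1000']),
    ];
}

// Version-dependent case: before PHP 8, a non-numeric string compared to an
// integer was cast to 0, so 0 == 'admin' was true. PHP 8 compares the integer
// as a string instead, and the result is false.
function intVsStringIsEqual(): bool
{
    return 0 == 'admin';
}

// Hardened checks. hash_equals() compares bytes in constant time and never
// juggles types; === and the strict flag of in_array() compare type and value.
function tokenMatches(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

function isAllowed(string $value, array $allowList): bool
{
    return in_array($value, $allowList, true);
}

// Demonstration.
foreach (loosePitfalls() as $name => $result) {
    printf("%-10s == : %s\n", $name, $result ? 'EQUAL (pitfall)' : 'not equal');
}
printf("0 == 'admin' on PHP %s: %s\n", PHP_VERSION, intVsStringIsEqual() ? 'true' : 'false');
printf("tokenMatches: %s\n", tokenMatches('0e462097431906509019562988736854', '0e830400451993494058024219903391') ? 'true' : 'false');
printf("isAllowed:    %s\n", isAllowed('1e3', ['1000']) ? 'true' : 'false');
```

Run it with the php CLI: every entry of loosePitfalls() prints as a pitfall on both PHP 7 and PHP 8, while tokenMatches() and isAllowed() return false for the same inputs. A sloppy comparison hardening mode would log or block the == and loose in_array() calls; the hardened helpers are what the application code should use instead.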
Bug fixes
- Add some missing pieces of documentation and fix some links
- Fix the make install command
- Fix various compilation warnings
- Snuffleupagus is now running on platforms that aren’t using the glibc, thanks to an external contributor, Antoine Tenart
Improvements
- Disable XXE and harden PRNG by default
- Use SameSite on PHP’s session cookie in the default rules
- Relax a bit what files can be included in the default rules
- Add the possibility to ignore files hashes when generating rules
- The filename filter is now accepting phar paths
Bug fixes
- The harden_random feature no longer ignores parameters in function calls
- Fix possible crashes/hangs when using php-fpm’s pools
- Fix an infinite loop in the echo hook
- Fix an issue with the filename filter
- Fix some documentation issues
- Fix the Arch Linux’s PKGBUILD
Improvements
- The .filename() filter is now matching on the file where the function is called instead of the one where it’s defined.
- Vastly optimize the way we hook native functions
- The format of the logs has been streamlined to ease their processing
Bug fixes
- Better handling of filters for built-in functions
- Fix various possible integer overflows
- Fix an annoying memory leak impacting mostly mod_php
New features
- The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist
Improvements
- Add some assertions
- Add more rules examples
- Provide a script to check for malicious file uploads
- Significant performance improvement (at least +20%)
- Significantly improve the performance of our default rules set
- Our readme file is now shinier
- Minor code simplification
Bug fixes
- Fix a crash related to variadic functions
Bug fixes
- The testsuite can now be successfully run as root
- Fix a double execution when snuffleupagus is used with some other extensions
- Fix an execution-context related crash
Improvements
- Support PCRE2, since it’s required for PHP7.3
- Improve a bit the portability of the code
- Minor code simplification
New features
- Glob support in sp.configuration_file
- Whitelist/blacklist functions in eval
- phpinfo shows if the configuration is valid or not
Bug fixes
- Fix an off-by-one in configuration parsing
- Fix minor cookie-encryption related memory leaks
- Fix various crashes spotted by fr33tux
- Configuration files with Windows EOL are correctly handled
Improvements
- General code clean-up
- Documentation overhaul
- Compilation on FreeBSD and CentOS
- Select which cookies to encrypt via regular expressions
- Match on return values from user-defined functions
External contributions
- Simplification and clean up of our linked-list implementation by smagnin