snuffleupagus, branch log2file

snuffleupagus, branch log2file Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=log2file 2025-10-24T21:55:13Z feat(log): add the possibility to log to a file 2025-10-24T21:55:13Z jvoisin 2025-10-24T21:50:18Z urn:sha1:6ea4278a512bc9f1f816844222e65a4ea670db8e fix(unserialize): don't bail in simulation mode when there's no HMAC 2025-10-24T21:55:10Z jvoisin 2025-10-24T21:49:49Z urn:sha1:a167c4d23feb03e6c5b53f41724bbfcb813bf04b Bump alpine from PHP8.2 to PHP8.3 in the CI 2025-10-24T16:29:09Z jvoisin 2025-10-24T16:10:12Z urn:sha1:040f11d6c2ab54e3990a5887b8cebf7a00d17071 Add a test 2025-10-14T18:51:37Z jvoisin 2025-10-14T18:51:37Z urn:sha1:f06cafcfbced1af4978fbaf7f74f9c4f8045e0c5 fix(log): systematically drop when .drop() is used 2025-10-02T13:22:08Z jvoisin 2025-10-02T13:22:08Z urn:sha1:da8c7aebc5602c04b771ada71a098ccb23d83a48 When the `php` logging facility is used, the error could have been caught by using `set_error_handler` and whatnot. This commit ensures that if the `.drop()` option is set, we're calling `zend_bailout()` that can't be caught. An attacker could have used this issue to silently perform some recon of the running environment. This isn't considered a vulnerability as an attacker with arbitrary php code execution can simply use the use-after-free of the day to gain arbitrary (native) code execution anyway, after detecting that Snuffleupagus is in use, to take little risks of detection. Rename a handful of global constants 2025-10-02T10:16:29Z jvoisin 2025-10-02T10:16:29Z urn:sha1:09bc3ffc8734cf2437e14ab123c7b732db53b836 Fix a cookie-related warning for PHP8.5.0 2025-10-01T11:59:45Z jvoisin 2025-10-01T11:44:06Z urn:sha1:9509733befcb4010bc77b06fcf41e77078976e80 ``` ========DIFF======== 001- OK 001+ Fatal error: Uncaught ValueError: setcookie(): "partitioned" option cannot be used without "secure" option in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php:2 002+ Stack trace: 003+ #0 /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php(2): setcookie('super_cookie', 'super_value') 004+ #1 {main} 005+ thrown in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php on line 2 ========DONE======== FAIL Cookie samesite [tests/samesite_cookies.phpt] ``` Even though the warning might be spurious, let's fix this properly, by initialising `partitioned` to false, and by setting it only if `secure` is set as well. Update PHP8.5 from beta2 to rc1 in the CI 2025-10-01T11:41:38Z jvoisin 2025-10-01T11:34:10Z urn:sha1:5ddd783a19dfc1428cfd02cabc55177b3a488a28 Make the default rules compatible via PHP8 2025-09-30T19:47:12Z santii-git 2025-09-30T16:03:26Z urn:sha1:cfb22fc95c6a9acab607dfd30cdfe9fe05cbb69d Make the default rules compatible via PHP8 2025-09-30T15:04:22Z jvoisin 2025-09-30T15:04:22Z urn:sha1:41da9b8265dc8c2e916eb15f480496d6239420dd As suggested by @santii-git in https://github.com/jvoisin/snuffleupagus/issues/522