snuffleupagus/src/sp_upload_validation.c, branch master Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=master 2026-04-24T10:14:01Z Fix an spprintf undefined behaviour 2026-04-24T10:14:01Z jvoisin 2026-04-24T10:14:01Z urn:sha1:314b10154495b91eca684124275407b8186bb762 `getenv("REMOTE_ADDR")` can return NULL, and it is passed directly to `spprintf`. While `spprintf` might handle `NULL` gracefully, it's not always the case. Cast format argument to expected type 2025-06-25T17:38:39Z Christian Göttsche 2025-06-25T09:39:44Z urn:sha1:66c711c1b98c0cafa0e4903b862bfbaedd638d7e Please GCC conversion warning: src/sp_upload_validation.c: In function 'sp_rfc1867_callback': src/sp_utils.h:61:53: warning: format '%lld' expects argument of type 'long long int', but argument 7 has type 'zend_long' {aka 'long int'} [-Wformat=] 61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ src/sp_upload_validation.c:48:7: note: in expansion of macro 'sp_log_debug' 48 | sp_log_debug("Filename: %s\nTmpname: %s\nSize: %zd\nError: %lld\nScript: %s", | ^~~~~~~~~~~~ Declare file local variables and functions static 2024-06-06T14:27:31Z Christian Göttsche 2024-05-29T18:38:33Z urn:sha1:d82ab8d20191a9ebdb83f918c62fc6c32f068b01 Avoid missing prototype warnings by declaring variables and functions that are only used in a single file static. removed confusung newlines for better reading/searching 2021-12-20T16:58:23Z Ben Fuhrmannek 2021-12-20T16:58:23Z urn:sha1:f24151869a54a95da28b74beac5f1f87c06cfafe config is stack allocated now + some code improvements (see details) 2021-09-23T10:23:40Z Ben Fuhrmannek 2021-09-23T10:23:40Z urn:sha1:54c352c1b5aa08b187dd1e52e544709cad2b0fee * for easier memory manegement, the entire sp_config struct was merged into snuffleupagus_globals and allocated on stack where possible * SNUFFLEUPAGUS_G() can be written as SPG(), which is faster to type and easier to read * execution_depth is re-initialized to 0 for each request * function calls with inline string and length parameters consistently use ZEND_STRL instead of sizeof()-1 * execution is actually hooked if recursion protection is enabled * some line breaks were removed to make the code more readable fixed compiler warning 2021-08-07T20:31:55Z Ben Fuhrmannek 2021-08-07T20:31:55Z urn:sha1:51c020904f25ac7400e4db2e5174edc8c49fcb43 Add some checks to prevent recursion upon config reloading 2021-05-09T20:32:46Z jvoisin 2021-05-09T20:32:20Z urn:sha1:c3115fc26daebd0fa7135c202154272e42fbfcfd Allow empty configuration (#342) 2020-08-12T08:48:59Z jvoisin 2020-08-12T08:48:59Z urn:sha1:a0d21a189cf04bb963dce93dcbd0bd9694584a0b This commit allows php to run (with a warning) if there is no specified snuffleupagus configuration, instead of refusing to start. refactoring sp_log_* (#340) 2020-07-22T07:28:42Z Giovanni 2020-07-22T07:28:42Z urn:sha1:e8d3cd9b26f0b4d660e424f2657f11bbc01eb171 Co-authored-by: Giovanni Dante Grazioli <giovanni.dantegrazioli@nbs-system.com> %s/nbs-system/jvoisin 2020-03-04T18:30:42Z jvoisin 2020-03-04T18:30:42Z urn:sha1:d7b7a0d4e10d7b87b124889821b14e9858ed0a9c Since I'm the only one to maintain Snuffleupagus, let's adjust the links and contact addresses of my fork, to point to well… my fork.