snuffleupagus/src/sp_utils.c, branch optim85

snuffleupagus/src/sp_utils.c, branch optim85 Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=optim85 2026-04-24T09:50:40Z Fix a memory leak in sp_log_disable/sp_log_disable_ret 2026-04-24T09:50:40Z jvoisin 2026-04-24T09:50:40Z urn:sha1:36179282f5f52a7e54be34964b4afd4fd0194e4f php_raw_url_encode returned a new zend_string, but the old arg_value_dup is never released. Also arg_value_dup was reassigned, leaking the initial zend_string_init allocation. Harden against snprintf(3) truncation 2026-02-22T22:57:53Z Christian Göttsche 2026-02-22T21:41:39Z urn:sha1:b441bfe693435f5d8c8ae4fd04ec3d4dae49070f Define PATH_MAX and update its usage 2026-02-22T20:10:10Z cgzones 2026-02-22T20:10:10Z urn:sha1:50fb9d8a8f040729c3472998aea0bdd14b1b7805 feat(log): add the possibility to log to a file 2025-10-24T21:55:13Z jvoisin 2025-10-24T21:50:18Z urn:sha1:6ea4278a512bc9f1f816844222e65a4ea670db8e fix(log): systematically drop when .drop() is used 2025-10-02T13:22:08Z jvoisin 2025-10-02T13:22:08Z urn:sha1:da8c7aebc5602c04b771ada71a098ccb23d83a48 When the `php` logging facility is used, the error could have been caught by using `set_error_handler` and whatnot. This commit ensures that if the `.drop()` option is set, we're calling `zend_bailout()` that can't be caught. An attacker could have used this issue to silently perform some recon of the running environment. This isn't considered a vulnerability as an attacker with arbitrary php code execution can simply use the use-after-free of the day to gain arbitrary (native) code execution anyway, after detecting that Snuffleupagus is in use, to take little risks of detection. Rename a handful of global constants 2025-10-02T10:16:29Z jvoisin 2025-10-02T10:16:29Z urn:sha1:09bc3ffc8734cf2437e14ab123c7b732db53b836 Fix a portability issue 2024-06-14T17:26:31Z jvoisin 2024-06-14T17:26:31Z urn:sha1:b005df282da43a2ba17b38e7da06a69353ea2845 This should fix the following compilation issue: ``` /wrkdirs/usr/ports/security/snuffleupagus/work-php83/snuffleupagus-0.10.0/src/sp_utils.c:438:37: error: too few arguments provided to function-like macro invocation 438 | memcpy(mb_name, ZEND_STRL("mb_")); | ^ /usr/include/ssp/string.h:117:9: note: macro 'memcpy' defined here 117 | #define memcpy(dst, src, len) __ssp_bos_check3(memcpy, dst, src, len) ``` Declare file local variables and functions static 2024-06-06T14:27:31Z Christian Göttsche 2024-05-29T18:38:33Z urn:sha1:d82ab8d20191a9ebdb83f918c62fc6c32f068b01 Avoid missing prototype warnings by declaring variables and functions that are only used in a single file static. Url encode functions arguments when logging them 2023-02-02T12:17:22Z jvoisin 2023-02-01T20:12:58Z urn:sha1:2dcf2a2d7578d1e43ee7e3fa69386ccc5afebbf0 Fix a possible NULL-byte truncation when outputting parameters in the logs 2023-02-01T19:35:23Z jvoisin 2023-02-01T19:35:23Z urn:sha1:f4d3c01bd196400548f5712223171007563ab834