snuffleupagus/src/tests, branch optim85Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest!
http://git.dustri.org/snuffleupagus/atom?h=optim852026-05-09T23:01:43ZPrevent opcache from inlining functions with return-value rules on PHP 8.5+2026-05-09T23:01:43Zjvoisin2026-05-09T23:01:43Zurn:sha1:5f754c32df4bd8643d62babf6f805defe59c8c92
PHP 8.5's opcache optimizer can inline trivial user functions (constant
return values), completely eliminating the DO_UCALL opcode. When this
happens, zend_execute_ex is never invoked and snuffleupagus's
return-value monitoring hooks never fire.
Fix this by setting ZEND_ACC_HAS_TYPE_HINTS on monitored functions'
op_arrays during compilation (via sp_op_array_handler). This flag is
checked by opcache's zend_try_inline_call() and prevents inlining.
For 0-arg functions — the only ones eligible for inlining — there are
no RECV opcodes, so the runtime impact is zero.
To enable sp_op_array_handler when return-value rules are configured,
the extension now registers itself as a zend extension and sets
ZEND_COMPILE_HANDLE_OP_ARRAY (previously only done for global_strict).
The disabled_function_echo_2 test is updated to use separate echo
statements and opcache.optimization_level=0, since opcache's echo
merging is a compile-time string concatenation that cannot be prevented
per-function.
This is a bit ugly, but it's the less awful solution to be able to hook return
values.
Skip a test on ≥PHP8.52026-05-09T22:09:44Zjvoisin2026-05-09T22:09:44Zurn:sha1:0cc8e708ebbff02abe7e3c2d0dc0660585ccd98c
PHP is now optimizing `echo A,B,C` into `echo A B C`, so the test is pointless.
Add a test for validate idempotence of (un)serialize2026-03-29T19:16:47Zjvoisin2026-03-29T19:16:47Zurn:sha1:75446f7bf62d3390fc8e9c6b578431a8991fc60bAdd a test for Dateinterval::__construct2026-03-25T20:27:52Zjvoisin2026-03-25T20:27:09Zurn:sha1:0b79579c25a43be7e5918841f1d2ad8c297235ac
As it has been privately reported that the rule might not be working, so better
safe than sorry. Moreover, we didn't have tests for `__construct`
Log session ID lengths on failure2026-02-22T22:58:33ZChristian Göttsche2026-02-22T21:11:05Zurn:sha1:31d70da1ff61480f51b8ca747bc8c8d8a37c5061Generalize disabled_functions_regexp_multiple.phpt expected output2026-02-22T21:30:14ZChristian Göttsche2026-02-22T21:11:23Zurn:sha1:4985b0f75a3593d1e7777ba6c1b59da4bcf2ea41
On uncommon architectures, like s390x, `-2` instead of `-1` might be printed.
tests: add several skip reasons2026-02-15T19:49:09ZChristian Göttsche2026-02-15T19:00:01Zurn:sha1:9e94280c0b6356be37b8f9a0a4d2303146863a5b
Co-authored-by: Julien "jvoisin" Voisin <julien.voisin@dustri.org>
feat(log): add the possibility to log to a file2025-10-24T21:55:13Zjvoisin2025-10-24T21:50:18Zurn:sha1:6ea4278a512bc9f1f816844222e65a4ea670db8eAdd a test2025-10-14T18:51:37Zjvoisin2025-10-14T18:51:37Zurn:sha1:f06cafcfbced1af4978fbaf7f74f9c4f8045e0c5Add support for PHP8.52025-09-01T11:49:08Zjvoisin2025-08-31T14:05:44Zurn:sha1:ee5e383c6bbca94d5f93134510468b3fe87a470c