snuffleupagus/src, branch master

snuffleupagus/src, branch master Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=master 2026-05-10T18:52:21Z Fix phpinfo() reporting "enabled" when no config is loaded 2026-05-10T18:52:21Z jvoisin 2026-05-10T18:49:59Z urn:sha1:0c8621011f19c4108bece995ab60f675a60990c4 SP_CONFIG_NONE is -1, which is truthy in C. The ternary `SPG(is_config_valid) ? "enabled" : "disabled"` incorrectly reported "enabled" for the no-config case. Use an explicit comparison against SP_CONFIG_VALID instead. Fix a memory leak 2026-05-10T10:56:19Z jvoisin 2026-05-10T10:56:19Z urn:sha1:996c461460b331557bc47a310a09a2337469745a Don't free things in a fork failure 2026-05-10T10:24:20Z jvoisin 2026-05-10T10:24:20Z urn:sha1:ffd6b991ce35cd03571dabd5efbc97f5e0b891ff Wait on a pid instead of on all children in upload_validation 2026-05-10T10:04:35Z jvoisin 2026-05-10T10:04:35Z urn:sha1:0028420125e3a149bc2099c52f31d0345619e580 Fix a wrong use of strtok_r 2026-05-10T09:55:55Z jvoisin 2026-05-10T09:55:55Z urn:sha1:6bd0bafd0d2a28666be39511143b7928123da09c Prevent opcache from inlining functions with return-value rules on PHP 8.5+ 2026-05-09T23:06:20Z jvoisin 2026-05-09T22:09:44Z urn:sha1:7d8180a29b2ac45ef1814a7a2cad8e4da937ac76 PHP 8.5's opcache optimizer can inline trivial user functions (constant return values), completely eliminating the DO_UCALL opcode. When this happens, zend_execute_ex is never invoked and snuffleupagus's return-value monitoring hooks never fire. Fix this by setting ZEND_ACC_HAS_TYPE_HINTS on monitored functions' op_arrays during compilation (via sp_op_array_handler). This flag is checked by opcache's zend_try_inline_call() and prevents inlining. For 0-arg functions — the only ones eligible for inlining — there are no RECV opcodes, so the runtime impact is zero. To enable sp_op_array_handler when return-value rules are configured, the extension now registers itself as a zend extension and sets ZEND_COMPILE_HANDLE_OP_ARRAY (previously only done for global_strict). The disabled_function_echo_2 test is updated to use separate echo statements and opcache.optimization_level=0, since opcache's echo merging is a compile-time string concatenation that cannot be prevented per-function. This is a bit ugly, but it's the less awful solution to be able to hook return values. Reduce the lifetime of cryptographic material 2026-04-24T10:17:05Z jvoisin 2026-04-24T10:17:05Z urn:sha1:5f53903197021fcc8332a7f44c29fbea8d2c2060 Fix a possible null-deref in sp_stream_wrapper_register 2026-04-24T10:15:45Z jvoisin 2026-04-24T10:15:45Z urn:sha1:138e97baf135fb0ae765d8899f564d6b10211830 `protocol_name` can be NULL if `zend_parse_parameters_ex` fails (it uses `ZEND_PARSE_PARAMS_QUIET`), but it was then unconditionally passed to `strcasecmp`. Fix an spprintf undefined behaviour 2026-04-24T10:14:01Z jvoisin 2026-04-24T10:14:01Z urn:sha1:314b10154495b91eca684124275407b8186bb762 `getenv("REMOTE_ADDR")` can return NULL, and it is passed directly to `spprintf`. While `spprintf` might handle `NULL` gracefully, it's not always the case. Fix a memory leak in sp_log_disable/sp_log_disable_ret 2026-04-24T09:50:40Z jvoisin 2026-04-24T09:50:40Z urn:sha1:36179282f5f52a7e54be34964b4afd4fd0194e4f php_raw_url_encode returned a new zend_string, but the old arg_value_dup is never released. Also arg_value_dup was reassigned, leaking the initial zend_string_init allocation.