snuffleupagus/src, branch masterSecurity module for php7 and php8 - Killing bugclasses and virtual-patching the rest!
http://git.dustri.org/snuffleupagus/atom?h=master2026-04-24T10:17:05ZReduce the lifetime of cryptographic material2026-04-24T10:17:05Zjvoisin2026-04-24T10:17:05Zurn:sha1:5f53903197021fcc8332a7f44c29fbea8d2c2060Fix a possible null-deref in sp_stream_wrapper_register2026-04-24T10:15:45Zjvoisin2026-04-24T10:15:45Zurn:sha1:138e97baf135fb0ae765d8899f564d6b10211830
`protocol_name` can be NULL if `zend_parse_parameters_ex` fails (it uses
`ZEND_PARSE_PARAMS_QUIET`), but it was then unconditionally passed to
`strcasecmp`.
Fix an spprintf undefined behaviour2026-04-24T10:14:01Zjvoisin2026-04-24T10:14:01Zurn:sha1:314b10154495b91eca684124275407b8186bb762
`getenv("REMOTE_ADDR")` can return NULL, and it is passed directly to
`spprintf`. While `spprintf` might handle `NULL` gracefully, it's not always
the case.
Fix a memory leak in sp_log_disable/sp_log_disable_ret2026-04-24T09:50:40Zjvoisin2026-04-24T09:50:40Zurn:sha1:36179282f5f52a7e54be34964b4afd4fd0194e4f
php_raw_url_encode returned a new zend_string, but the old arg_value_dup is
never released. Also arg_value_dup was reassigned, leaking the initial
zend_string_init allocation.
Address multiple sign issues in ifilter2026-04-24T09:32:35Zjvoisin2026-04-24T09:32:35Zurn:sha1:56447f425f0fa241e0005df0e620bda97eb06340
`sp_is_dangerous_char[(int)*p]` is indexed by `(int)*p`. If char is signed
(default on x86), values 0x80–0xFF produce negative indices into the array,
causing an out-of-bounds read. The `sp_server_encode` function has the same
issue.
Fix a possible null-pointer dereference in cookies encryption2026-04-24T09:29:18Zjvoisin2026-04-24T09:29:18Zurn:sha1:237131c6f02ce1bca8c5a41b25c274ff2c34e751Fix a type confusion on cookie encryption2026-04-24T09:09:54Zjvoisin2026-04-24T09:09:54Zurn:sha1:c0ea33d05dfb503f60a842372c336d12b23259ba
Cookies can be arrays (session_id[]=x), and
we called `Z_STRLEN_P(pDest)` without checking if `Z_TYPE_P(pDest) == IS_STRING`,
leading to a type confusion, leaking at least `HashTable->arData`, and the rest
of the code is going to corrupt some stuff, leading to a crash.
While exploitation can't be ruled out, it looks stupidly harder. The array will
be decoded as base64 into another variable, decrypted, and have this value
written back to the array. To obtain a controlled read, an attacker would have
to bruteforce decryption to find an encrypted value that could be properly
decrypted, as we're using authenticated encryption. The next steps are
depending on the heap's layout, which should be pretty deterministic/simple as
cookie decryption happens at RINIT. But since the heap overflow is happening in
the cookies, odds are that they're stored somewhere with other data like
POST/GET/… and thus nothing super-duper juicy. While remote heap exploitation
in PHP have been done in the past, this primitive looks a tad too limited to
yield something powerful enough to pop a shell.
Reported-by: Vozec
Add a test for validate idempotence of (un)serialize2026-03-29T19:16:47Zjvoisin2026-03-29T19:16:47Zurn:sha1:75446f7bf62d3390fc8e9c6b578431a8991fc60bFix the usage of strlen() which will return a wrong size when serialized objects contains null bytes (for example in private fields)2026-03-28T20:00:13ZW0rty2026-03-27T21:15:59Zurn:sha1:6d7addeb44744dcf0f36d2aac34be5e12de23c5dAdd a test for Dateinterval::__construct2026-03-25T20:27:52Zjvoisin2026-03-25T20:27:09Zurn:sha1:0b79579c25a43be7e5918841f1d2ad8c297235ac
As it has been privately reported that the rule might not be working, so better
safe than sorry. Moreover, we didn't have tests for `__construct`