4 files changed, 14 insertions, 2 deletions

diff --git a/config/default.rules b/config/default.rules
index 3e82ae3..0fa4878 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -35,6 +35,10 @@ sp.xxe_protection.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
+# Note that an attacker with arbitrary PHP code execution
+# can bypass some virtual-patching, by (as)using PHP feature.
+# A clever example would be to declare a class with a __toString method.
+
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 @condition PHP_VERSION_ID < 80000;
     sp.disable_function.function("chmod").param("mode").value("438").drop();
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 2053c2f..a84bb60 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -152,7 +152,7 @@ least astonishment
 <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>`__. But since
 it's `possible to modify php's logging system via php
 <https://www.php.net/manual/en/errorfunc.configuration.php>`__, it's
-heavily recommended to use the ``syslog`` option instead. The ``file:` option
+heavily recommended to use the ``syslog`` option instead. The ``file:`` option
 might be useful if you're using Snuffleupagus to fuzz or audit a codebase.
 
 log_max_len
diff --git a/doc/source/features.rst b/doc/source/features.rst
index adb8779..517bbec 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -309,7 +309,11 @@ of dangerous functions, dropping them everywhere else:
    :language: php
 
 
-The intent is to make post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker.
+The intent is to make post-exploitation process (such as backdooring of
+legitimate code, or RAT usage) a lot harder for the attacker.
+
+Note that an attacker able to run arbitrary PHP code can likely bypass some virtual-patching
+by (ab)using some PHP features.
 
 
 .. _global-strict-feature:
diff --git a/src/sp_crypt.c b/src/sp_crypt.c
index 9d4e6bb..3b65616 100644
--- a/src/sp_crypt.c
+++ b/src/sp_crypt.c
@@ -32,6 +32,7 @@ void generate_key(unsigned char *key) {
   }
 
   PHP_SHA256Final((unsigned char *)key, &ctx);
+  ZEND_SECURE_ZERO(&ctx, sizeof(ctx));
 }
 
 // This function return 0 upon success , non-zero otherwise
@@ -120,6 +121,7 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) {
   ret = ZEND_HASH_APPLY_KEEP;
 
 out:
+  ZEND_SECURE_ZERO(key, sizeof(key));
   zend_string_efree(debase64);
   efree(decrypted);
   efree(backup);
@@ -169,6 +171,8 @@ zend_string *encrypt_zval(zend_string *data) {
     z = php_base64_encode(encrypted_data, emsg_and_nonce_len);
   }
 
+  ZEND_SECURE_ZERO(key, sizeof(key));
+  ZEND_SECURE_ZERO(nonce, sizeof(nonce));
   efree(data_to_encrypt);
   efree(encrypted_data);