7 files changed, 620 insertions, 29 deletions

diff --git a/config/default.rules b/config/default.rules
index 74e1edb..232197a 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -6,14 +6,16 @@
 # Harden the PRNG
 sp.harden_random.enable();
 
-# Disabled XXE
-sp.disable_xxe.enable();
+# Enable XXE protection
+@condition extension_loaded("xml");
+sp.xxe_protection.enable();
+@end_condition;
 
 # Global configuration variables
 # sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
 
 # Globally activate strict mode
-# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
 # sp.global_strict.enable();
 
 # Prevent unserialize-related exploits
@@ -22,19 +24,20 @@ sp.disable_xxe.enable();
 # Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
 # sp.readonly_exec.enable();
 
-# Php has a lot of wrappers, most of them aren't usually useful, you should 
+# PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 # sp.wrappers_whitelist.list("file,php,phar");
 
 # Prevent sloppy comparisons.
 # sp.sloppy_comparison.enable();
 
-# use SameSite on session cookie
+# Use SameSite on session cookie
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
-# Harden the `chmod` function
-sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("mode").value("438").drop();
+sp.disable_function.function("chmod").param("mode").value("511").drop();
 
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
@@ -46,8 +49,8 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
 
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
-sp.disable_function.function("extract").param("extract_type").value("0").drop()
+sp.disable_function.function("extract").pos("0").value_r("^_").drop()
+sp.disable_function.function("extract").pos("1").value("0").drop()
 
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
@@ -56,7 +59,7 @@ sp.disable_function.function("extract").param("extract_type").value("0").drop()
 # Moreover, there are non-public bypasses that are also using this vector ;)
 sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
 
-##Prevent various `include`-related vulnerabilities
+# Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
@@ -68,7 +71,7 @@ sp.disable_function.function("include").drop()
 
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 
@@ -79,7 +82,7 @@ sp.disable_function.function("ini_set").param("varname").value("memory_limit").d
 sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
 sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
 
-# Detect some backdoors via environnement recon
+# Detect some backdoors via environment recon
 sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
 sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
 sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
@@ -108,9 +111,13 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
 
-#File upload
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# File upload
+# On old PHP7 versions
+#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# On PHP7.4+
+sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop();
 
 # Logging lockdown
 sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 427dcaf..6d6b88e 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -8,13 +8,13 @@
 sp.harden_random.enable();
 
 # Disabled XXE
-sp.disable_xxe.enable();
+sp.xxe_protection.enable();
 
 # Global configuration variables
 # sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
 
 # Globally activate strict mode
-# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
 # sp.global_strict.enable();
 
 # Prevent unserialize-related exploits
@@ -23,19 +23,20 @@ sp.disable_xxe.enable();
 # Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
 # sp.readonly_exec.enable();
 
-# Php has a lot of wrappers, most of them aren't usually useful, you should
+# PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 # sp.wrappers_whitelist.list("file,php,phar");
 
 # Prevent sloppy comparisons.
 # sp.sloppy_comparison.enable();
 
-# use SameSite on session cookie
+# Use SameSite on session cookie
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
-# Harden the `chmod` function
-sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("permissions").value("438").drop();
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
 
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
@@ -57,7 +58,7 @@ sp.disable_function.function("extract").param("flags").value("0").drop()
 # Moreover, there are non-public bypasses that are also using this vector ;)
 sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
 
-##Prevent various `include`-related vulnerabilities
+# Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
@@ -110,8 +111,8 @@ sp.disable_function.function("curl_setopt").param("option").value("64").drop().a
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
 
 # File upload
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
 
 # Logging lockdown
 sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
diff --git a/config/detect_dangerous_extensions.rules b/config/detect_dangerous_extensions.rules
new file mode 100644
index 0000000..8f10532
--- /dev/null
+++ b/config/detect_dangerous_extensions.rules
@@ -0,0 +1,12 @@
+## This example rules file shows how to detect and disable certain potentially
+## dangerous or unwanted extensions.
+
+@condition extension_loaded("runkit7");
+@error "The runkit7 extension can be used to rename classes and functions, thereby circumventing any filters set by Snuffleupagus. Please disable runkit7.";
+
+@condition extension_loaded("FFI");
+@warning "FFI extension is loaded. Disabling via 'ffi.enable=false'";
+sp.ini_protection.enable();
+sp.ini.key("ffi.enable").set("false").ro();
+@end_condition;
+
diff --git a/config/ini_protection.rules b/config/ini_protection.rules
new file mode 100644
index 0000000..9b42a18
--- /dev/null
+++ b/config/ini_protection.rules
@@ -0,0 +1,291 @@
+## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
+sp.ini_protection.enable();
+
+## simulation mode: only log violations
+#sp.ini_protection.simulation();
+
+## drop policy: drop request on rule violation
+#sp.ini_protection.policy_drop();
+
+## do not log violations.
+## this setting has no effect in simulation or drop mode
+#sp.ini_protection.policy_silent_fail();
+
+## do not log read-only violations
+## this setting has no effect in simulation or drop mode
+sp.ini_protection.policy_silent_ro();
+
+## access policy can be one of
+## .policy_readonly(): All entries are read-only by default.
+##    Individual entries can be set read-write using .readwrite() or .rw()
+## .policy_readwrite(): This is the default and can be omitted.
+##    Individual entries can be set read-only using .readonly() or .ro()
+#sp.ini_protection.policy_readonly();
+
+## sp.ini entries can have the following attributes
+## .key("..."): mandatory ini name.
+## .set("..."): set the initial value. This overrides php.ini.
+##    checks are not performed for this initial value.
+## .min("...") / .max("..."): value must be an integer between .min and .max.
+##    shorthand notation (e.g. 1k = 1024) is allowed
+## .regexp("..."): value must match the regular expression
+## .allow_null(): allow setting a NULL-value
+## .msg("..."): message is shown in logs on rule violation instead of default message
+## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
+##    If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
+## .drop(): drop request on rule violation for this entry
+## .simulation(): only log rule violation for this entry
+
+## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
+sp.ini.key("display_errors").set("0").ro();
+sp.ini.key("display_startup_errors").set("0").ro();
+sp.ini.key("expose_php").set("0").ro();
+## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
+#sp.ini.key("display_errors").rw();
+#sp.ini.key("display_startup_errors").rw();
+#sp.ini.key("expose_php").rw();
+
+## error logging options should not be set during runtime -> read-only.
+sp.ini.key("error_log").ro();
+sp.ini.key("error_reporting").ro();
+sp.ini.key("log_errors").ro();
+@condition PHP_VERSION_ID < 80000;
+sp.ini.key("log_errors_max_len").set("2048").ro();
+@end_condition;
+sp.ini.key("ignore_repeated_errors").ro();
+sp.ini.key("ignore_repeated_source").ro();
+sp.ini.key("syslog.filter").ro();
+
+## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
+sp.ini.key("assert.active").set("0").ro();
+sp.ini.key("assert.bail").ro();
+sp.ini.key("assert.callback").ro();
+sp.ini.key("assert.exception").ro();
+sp.ini.key("assert.warning").ro();
+
+## enforce color codes. prevents potential XSS
+sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
+
+## prevent remote access via fopen/include
+sp.ini.key("allow_url_fopen").set("0").ro();
+sp.ini.key("allow_url_include").set("0").ro();
+
+## prevent code execution from auto-included files
+sp.ini.key("auto_append_file").ro();
+sp.ini.key("auto_prepend_file").ro();
+
+## make rarely used features read-only. you can always set the value in php.ini
+sp.ini.key("arg_separator.input").ro();
+sp.ini.key("arg_separator.output").ro();
+sp.ini.key("auto_detect_line_endings").ro();
+sp.ini.key("auto_globals_jit").ro();
+sp.ini.key("browscap").ro();
+sp.ini.key("default_charset").ro();
+sp.ini.key("register_argc_argv").ro();
+sp.ini.key("report_memleaks").ro();
+sp.ini.key("report_zend_debug").ro();
+sp.ini.key("request_order").ro();
+sp.ini.key("url_rewriter.hosts").ro();
+sp.ini.key("url_rewriter.tags").ro();
+sp.ini.key("variables_order").ro();
+sp.ini.key("from").ro();
+sp.ini.key("short_open_tag").ro();
+sp.ini.key("unserialize_callback_func").ro();
+sp.ini.key("zend.detect_unicode").ro();
+sp.ini.key("zend.enable_gc").ro();
+sp.ini.key("zend.exception_ignore_args").ro();
+sp.ini.key("zend.exception_string_param_max_len").ro();
+sp.ini.key("zend.multibyte").ro();
+sp.ini.key("zend.script_encoding").ro();
+
+## date and timezone settings
+#sp.ini.key("date.default_latitude").set("31.7667").ro();
+#sp.ini.key("date.default_longitude").set("35.2333").ro();
+#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
+#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
+#sp.ini.key("date.timezone").set("").ro();
+
+## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
+sp.ini.key("default_mimetype").rw();
+
+## allow reasonable socket timeouts
+sp.ini.key("default_socket_timeout").min("1").max("300").rw();
+
+## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
+sp.ini.key("enable_dl").set("0").ro();
+
+## links to manual pages in error pages should not be set during runtime.
+sp.ini.key("docref_ext").ro();
+sp.ini.key("docref_root").ro();
+sp.ini.key("html_errors").set("0").ro();
+
+## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
+sp.ini.key("enable_post_data_reading").rw();
+
+## disable error append/prepend which may lead to log forging.
+sp.ini.key("error_append_string").ro();
+sp.ini.key("error_prepend_string").set("").ro();
+
+## restrict limit settings to prevent Denial-of-Service
+sp.ini.key("max_execution_time").min("30").max("600").rw();
+sp.ini.key("max_file_uploads").min("0").max("25").rw();
+sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
+sp.ini.key("max_input_time").set("-1").ro();
+sp.ini.key("max_input_vars").min("0").max("1024").rw();
+sp.ini.key("memory_limit").min("4M").max("256M").rw();
+sp.ini.key("post_max_size").max("256M").rw();
+sp.ini.key("upload_max_filesize").max("256M").rw();
+sp.ini.key("precision").max("14").rw();
+sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
+sp.ini.key("serialize_precision").ro();
+
+## some applications rely on these filters for security
+## even though they should implement proper input validation for each input field separately.
+@condition extension_loaded("filter");
+sp.ini.key("filter.default").rw();
+sp.ini.key("filter.default_flags").rw();
+@end_condition;
+
+## scripts will not be terminated after a client has aborted their connection.
+## this feature may be needed for some time consuming server-side calculation
+sp.ini.key("ignore_user_abort").rw();
+
+## flushing may be needed
+sp.ini.key("implicit_flush").rw();
+
+## this feature may be required for some frameworks to work properly,
+## but setting the include path to a fixed value is always more secure.
+sp.ini.key("include_path").ro();
+
+## input/output and encoding options
+sp.ini.key("input_encoding").ro();
+sp.ini.key("internal_encoding").ro();
+sp.ini.key("output_encoding").ro();
+sp.ini.key("output_buffering").min("0").max("4096").rw();
+sp.ini.key("output_handler").ro();
+
+## mail options
+#sp.ini.key("mail.add_x_header").set("0").ro();
+#sp.ini.key("mail.force_extra_parameters").set("").ro();
+#sp.ini.key("mail.log").set("").ro();
+## windows smtp options
+#sp.ini.key("SMTP").set("localhost").ro();
+#sp.ini.key("smtp_port").set("25").ro();
+#sp.ini.key("sendmail_from").ro();
+
+## mysqli/mysqlnd options
+@condition extension_loaded("mysqli");
+sp.ini.key("mysqli.allow_local_infile").ro();
+sp.ini.key("mysqli.allow_persistent").ro();
+sp.ini.key("mysqli.default_host").ro();
+sp.ini.key("mysqli.default_port").ro();
+sp.ini.key("mysqli.default_pw").ro();
+sp.ini.key("mysqli.default_socket").ro();
+sp.ini.key("mysqli.default_user").ro();
+sp.ini.key("mysqli.max_links").set("-1").ro();
+sp.ini.key("mysqli.max_persistent").set("-1").ro();
+sp.ini.key("mysqli.reconnect").set("0").ro();
+sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
+@condition extension_loaded("mysqlnd");
+sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
+sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
+sp.ini.key("mysqlnd.debug").set("").ro();
+sp.ini.key("mysqlnd.log_mask").set("0").ro();
+sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
+sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
+sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
+sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
+sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
+sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+@condition extension_loaded("mysqlnd") && PHP_VERSION_ID < 80100;
+sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
+@end_condition;
+
+## open basedir is a security feature similar to chroot.
+## why should it be allowed to disable this feature during runtime?
+sp.ini.key("open_basedir").ro();
+
+## pcre options
+@condition extension_loaded("pcre");
+sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
+sp.ini.key("pcre.jit").rw();
+sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
+@end_condition;
+
+## phar options
+@condition extension_loaded("phar");
+sp.ini.key("phar.cache_list").ro();
+sp.ini.key("phar.readonly").ro();
+sp.ini.key("phar.require_hash").ro();
+@end_condition;
+
+## session options
+@condition extension_loaded("session");
+#sp.ini.key("session.auto_start").set("0").ro();
+#sp.ini.key("session.cache_expire").set("180").ro();
+#sp.ini.key("session.cache_limiter").set("nocache").ro();
+#sp.ini.key("session.cookie_domain").set("").ro();
+#sp.ini.key("session.cookie_httponly").set("0").ro();
+#sp.ini.key("session.cookie_lifetime").set("0").ro();
+#sp.ini.key("session.cookie_path").set("/").ro();
+#sp.ini.key("session.cookie_samesite").set("").ro();
+#sp.ini.key("session.cookie_secure").set("0").ro();
+#sp.ini.key("session.gc_divisor").set("100").ro();
+#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
+#sp.ini.key("session.gc_probability").set("1").ro();
+#sp.ini.key("session.lazy_write").set("1").ro();
+#sp.ini.key("session.name").set("PHPSESSID").ro();
+#sp.ini.key("session.referer_check").set("").ro();
+#sp.ini.key("session.save_handler").set("files").ro();
+#sp.ini.key("session.save_path").set("").ro();
+#sp.ini.key("session.serialize_handler").set("php").ro();
+#sp.ini.key("session.sid_bits_per_character").set("4").ro();
+sp.ini.key("session.sid_length").min("32").max("128").rw();
+#sp.ini.key("session.trans_sid_hosts").set("").ro();
+#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
+#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
+#sp.ini.key("session.upload_progress.enabled").set("1").ro();
+#sp.ini.key("session.upload_progress.freq").set("1%").ro();
+#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
+#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
+#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
+#sp.ini.key("session.use_cookies").set("1").ro();
+#sp.ini.key("session.use_only_cookies").set("1").ro();
+sp.ini.key("session.use_strict_mode").set("1").ro();
+#sp.ini.key("session.use_trans_sid").set("0").ro();
+@end_condition;
+
+## allow setting the user agent
+sp.ini.key("user_agent").rw();
+
+## allow setting the xmlrpc fault code
+sp.ini.key("xmlrpc_error_number").rw();
+
+## these ini entries can only be set by php.ini anyway,
+## but better set them to read-only anyway, just to be sure.
+sp.ini.key("disable_classes").ro();
+sp.ini.key("disable_functions").ro();
+sp.ini.key("doc_root").ro();
+sp.ini.key("extension_dir").ro();
+sp.ini.key("file_uploads").ro();
+sp.ini.key("hard_timeout").ro();
+sp.ini.key("realpath_cache_size").ro();
+sp.ini.key("realpath_cache_ttl").ro();
+sp.ini.key("sendmail_path").ro();
+@condition extension_loaded("sqlite3");
+sp.ini.key("sqlite3.defensive").ro();
+sp.ini.key("sqlite3.extension_dir").ro();
+@end_condition;
+sp.ini.key("sys_temp_dir").ro();
+sp.ini.key("syslog.facility").ro();
+sp.ini.key("syslog.ident").ro();
+sp.ini.key("upload_tmp_dir").ro();
+sp.ini.key("user_dir").ro();
+sp.ini.key("user_ini.cache_ttl").ro();
+sp.ini.key("user_ini.filename").ro();
+sp.ini.key("zend.assertions").ro();
+sp.ini.key("zend.signal_check").set("0").ro();
diff --git a/config/rips.rules b/config/rips.rules
index 52e3f27..dcb08c1 100644
--- a/config/rips.rules
+++ b/config/rips.rules
@@ -30,4 +30,3 @@ sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var(
 # CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
 sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
 sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
-
diff --git a/config/suhosin.rules b/config/suhosin.rules
new file mode 100644
index 0000000..0bdc453
--- /dev/null
+++ b/config/suhosin.rules
@@ -0,0 +1,281 @@
+## This file is part of the Suhosin-NG (SNG) PHP Hardening project
+## - see https://suhosin.org/ for more information.
+##
+## Snuffleupagus compatibility: Version 0.7.0 with SNG patches and above
+##   https://github.com/sektioneins/snuffleupagus
+##
+############################# ### # ---------
+##
+## This file documents the effort to port as many Suhosin features as possible to Snuffleupagus rules.
+## It is meant as a proof of concept and it will serve multiple purposes:
+## * Create a reasonably secure configuration for Snuffleupagus.
+## * Make it apparent which Suhosin features cannot be easily implemented in SP by just using configuration
+##   rules. These will be collected and some features will be implemented as part of the Suhosin-NG project.
+## * Create a base set of Snuffleupagus rules to make the expert task of configuring a PHP hardening
+##   extension accessible to a broader audience. This base set of rules will be integrated into a Tool -
+##   see Milestone 6 (MS6) here: https://github.com/sektioneins/suhosin-ng/projects/1
+## * Provide more configuration examples.
+##
+############################# ### # ---------
+
+## Let's enable relevant features first.
+sp.ini_protection.enable();
+
+## =====================
+## Logging Configuration
+## =====================
+
+## suhosin.log.syslog
+## suhosin.log.syslog.facility
+## suhosin.log.syslog.priority
+## suhosin.log.sapi
+## suhosin.log.stdout
+## suhosin.log.file
+## suhosin.log.file.name
+## suhosin.log.file.time
+## suhosin.log.script
+## suhosin.log.script.name
+## suhosin.log.phpscript
+## suhosin.log.phpscript.name
+## suhosin.log.phpscript.is_safe
+## suhosin.log.use-x-forwarded-for
+
+## SP will always use either REMOTE_ADDR or HTTP_X_FORWARDED_FOR.
+
+## Logging output can be one of
+sp.log_media("php");
+#sp.log_media("syslog");
+
+## More logging options are not implemented in SP.
+
+## ================
+## Executor Options
+## ================
+
+## suhosin.executor.max_depth
+## Not implemented in SP.
+
+## suhosin.executor.include.max_traversal
+## SP example for max_traversal = 3
+sp.disable_function.function_r("^(require|include)(_once)?$").value_r("\\.\\./+\\.\\./+\\.\\./+").drop();
+
+## suhosin.executor.include.whitelist
+## suhosin.executor.include.blacklist
+## SP version with wrapper whitelist and regex matching include/require:
+sp.wrappers_whitelist.list("file,php,phar");
+sp.disable_function.function_r("^(require|include)(_once)?$").value_r("^php://(stdin|stdout|stderr|input|output|memory|temp)").drop();
+
+## suhosin.executor.include.allow_writable_files
+## SP can enable readonly protection
+#sp.readonly_exec.enable();
+
+## suhosin.executor.func.whitelist
+## suhosin.executor.func.blacklist
+#sp.disable_function.function("...").drop();
+
+## suhosin.executor.eval.whitelist
+## suhosin.executor.eval.blacklist
+#sp.eval_blacklist.list("system,exec,shell_exec");
+
+## suhosin.executor.disable_eval
+#sp.disable_function.function("eval").drop();
+
+
+## suhosin.executor.disable_emodifier
+## This is actually not needed anymore in PHP 7 and above
+
+## suhosin.executor.allow_symlink
+## SP can simply disable the symlink function.
+## Other ways to create symlinks should be disabled as well, e.g. system("ln -s ...")
+#sp.disable_function.function("symlink").drop();
+#sp.disable_function.function("system").drop();
+#sp.disable_function.function("shell_exec").drop();
+#sp.disable_function.function("exec").drop();
+#sp.disable_function.function("proc_open").drop();
+
+
+## 
+## ============
+## Misc Options
+## ============
+## 
+
+## suhosin.simulation
+## SP provides individual .simulation() switches for most features.
+
+## suhosin.perdir
+## Not implemented in SP.
+
+
+## suhosin.protectkey
+## SP does not actually need to protect its secret key this way, as it is not a native PHP ini directive shown in phpinfo()
+
+## suhosin.coredump
+## SP can be started in gdb/lldb, so this feature may not be needed.
+
+## suhosin.stealth
+## Not implemented in SP.
+## If ionCube support or similar extensions should ever be requested to run with SP, this feature may be implemented some day.
+
+## suhosin.apc_bug_workaround
+## This is not a thing anymore with PHP7+
+
+## suhosin.disable.display_errors
+#sp.ini.key("display_errors").set("0").ro();
+#sp.ini.key("display_startup_errors").set("0").ro();
+#sp.ini.key("expose_php").set("0").ro();
+
+## suhosin.multiheader
+## There is a PHP filter in place to prevent multiple headers in one header() call - let's hope it works.
+
+## suhosin.mail.protect
+sp.disable_function.function("mail").param("to").value_r("\\n").alias("newline in mail() To:").drop();
+sp.disable_function.function("mail").param("subject").value_r("\\n").alias("newline in mail() Subject:").drop();
+sp.disable_function.function("mail").param("additional_headers").param_type("STRING").drop();
+sp.disable_function.function("mail").param("additional_headers").param_type("NULL").allow();
+sp.disable_function.function("mail").param("additional_headers").key_r("^(to|b?cc)$").drop();
+
+
+## suhosin.memory_limit
+## SP can either disable or limit the memory_limit setting
+#sp.ini.key("memory_limit").ro();
+sp.ini.key("memory_limit").min("4M").max("256M").rw();
+
+
+## ========================
+## SQL Injection Protection
+## ========================
+
+## suhosin.sql.bailout_on_error
+## SP example for mysqli and PDO
+#sp.disable_function.function("mysqli_query").ret("FALSE").drop();
+#sp.disable_function.function("mysqli::query").ret("FALSE").drop();
+#sp.disable_function.function("mysqli_real_query").ret("FALSE").drop();
+#sp.disable_function.function("mysqli::real_query").ret("FALSE").drop();
+#sp.disable_function.function("mysqli_prepare").ret("FALSE").drop();
+#sp.disable_function.function("mysqli::prepare").ret("FALSE").drop();
+#sp.disable_function.function("mysqli_stmt_execute").ret("FALSE").drop();
+#sp.disable_function.function("mysqli_stmt::execute").ret("FALSE").drop();
+#sp.disable_function.function("mysqli_execute").ret("FALSE").drop();
+#sp.disable_function.function("PDO::query").ret("FALSE").drop();
+#sp.disable_function.function("PDO::prepare").ret("FALSE").drop();
+#sp.disable_function.function("PDO::exec").ret("FALSE").drop();
+#sp.disable_function.function("PDOStatement::execute").ret("FALSE").drop();
+
+
+## suhosin.sql.user_match
+## suhosin.sql.user_prefix
+## suhosin.sql.user_postfix
+## SP example for mysqli
+set SQL_USER "^public_";
+sp.disable_function.function("mysqli::__construct").param("username").value_r(SQL_USER).allow();
+sp.disable_function.function("mysqli::__construct").drop();
+sp.disable_function.function("mysqli_connect").param("username").value_r(SQL_USER).allow();
+sp.disable_function.function("mysqli_connect").drop();
+sp.disable_function.function("mysqli::change_user").param("username").value_r(SQL_USER).allow();
+sp.disable_function.function("mysqli::change_user").drop();
+sp.disable_function.function("mysqli_change_user").param("username").value_r(SQL_USER).allow();
+sp.disable_function.function("mysqli_change_user").drop();
+
+## suhosin.sql.comment
+## suhosin.sql.opencomment
+## Not implemented in SP.
+## It is possible to try and find common injection patterns such as ' or 1=1 -- via regex,
+## but that would likely trigger valid SQL strings containing these patterns as well. The same argument
+## applies to multiselect and union:
+
+## suhosin.sql.multiselect
+## suhosin.sql.union
+## Not implemented in SP.
+
+
+## ==============================
+## Transparent Encryption Options
+## ==============================
+
+## suhosin.session.cryptkey
+## suhosin.session.cryptua
+## suhosin.cookie.cryptkey
+## suhosin.cookie.cryptua
+
+## SP's session encryption and cookie encryption features rely on a secret key that is derived from
+## * the user agent string from the environment variable HTTP_USER_AGENT
+## * the value of the environment variable specified using sp.global.cookie_env_var(),
+##   usually either REMOTE_ADDR or SSL_SESSION_ID
+## * a very secret key as specified using sp.global.secret_key()
+sp.global.secret_key("c6a0e02b3b818f7559d5f85303d8fe44"); ## this key should be unique to your installation.
+sp.global.cookie_env_var("REMOTE_ADDR");
+#sp.global.cookie_env_var("SSL_SESSION_ID");
+
+## suhosin.session.encrypt
+sp.session.encrypt();
+
+## suhosin.cookie.encrypt
+## suhosin.cookie.cryptlist
+## suhosin.cookie.plainlist
+#sp.cookie.name("my_cookie_name").encrypt();
+#sp.cookie.name_r("^enc_[a-z]+$").encrypt();
+
+## suhosin.session.cryptdocroot
+## suhosin.session.cryptraddr
+## suhosin.session.checkraddr
+## suhosin.cookie.cryptdocroot
+## suhosin.cookie.cryptraddr
+## suhosin.cookie.checkraddr
+## For SP to include the document root or part of the IP address in the encryption key, the .cookie_env_var()
+## can be constructed by the web server to include these values.
+
+
+## =================
+## Filtering Options
+## =================
+
+## suhosin.filter.action
+## suhosin.cookie|get|post|request.max_array_depth
+## suhosin.cookie|get|post|request.max_array_index_length
+## suhosin.cookie|get|post.max_name_length
+## suhosin.request.max_varname_length
+## suhosin.cookie|get|post|request.max_totalname_length
+## suhosin.cookie|get|post|request.max_value_length
+## suhosin.cookie|get|post|request.max_vars
+## suhosin.cookie|get|post|request.disallow_nul
+## suhosin.cookie|get|post|request.disallow_ws
+## suhosin.request.array_index_blacklist
+## suhosin.request.array_index_whitelist
+## suhosin.upload.max_uploads
+## suhosin.upload.max_newlines
+## suhosin.upload.disallow_elf
+## suhosin.upload.disallow_binary
+## suhosin.upload.remove_binary
+## suhosin.upload.allow_utf8
+## Not implemented in SP.
+
+## suhosin.upload.verification_script
+#sp.upload_validation.script("/var/www/is_valid_php.py").enable();
+
+
+## suhosin.session.max_id_length
+## suhosin.server.encode
+## suhosin.server.strip
+## Not implemented in SP.
+
+## suhosin.rand.seedingkey
+## suhosin.rand.reseed_every_request
+## suhosin.srand.ignore
+## suhosin.mt_srand.ignore
+## Instead of removing srand()/mt_srand(), SP basically replaces rand()/mt_rand() with the more secure random_int()
+sp.harden_random.enable();
+
+############################# ### # ---------
+##
+## features included in SP that are not covered by Suhosin rule equivalents
+## - see https://snuffleupagus.readthedocs.io/ for more information
+
+# sp.unserialize_hmac.enable();
+# sp.global_strict.enable();
+sp.auto_cookie_secure.enable();
+#sp.cookie.name("cookie1").samesite("lax");
+#sp.cookie.name("cookie2").samesite("strict");;
+sp.xxe_protection.enable();
+#sp.sloppy_comparison.enable();
+
diff --git a/config/typo3.rules b/config/typo3.rules
index c76cf91..0838b89 100644
--- a/config/typo3.rules
+++ b/config/typo3.rules
@@ -2,7 +2,7 @@
 sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
 sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
 
-##Prevent various `include`-related vulnerabilities
+# Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.php$").allow();
 sp.disable_function.function("include_once").value_r("\.php$").allow();
 sp.disable_function.function("require").value_r("\.php$").allow();
@@ -27,14 +27,14 @@ sp.disable_function.function("ini_set").param("var_name").value("memory_limit").
 sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
 sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
 
-# Detect some backdoors via environnement recon
+# Detect some backdoors via environment recon
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php$").value("open_basedir").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
 sp.disable_function.function("ini_get").param("var_name").value_r("^(?:allow_url_fopen|open_basedir|suhosin)$").drop();
 
-#need to be allow for example to execute Scheduled tasks
+# Need to be allow for example to execute Scheduled tasks
 sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^(?:curl_multi_exec|curl_exec)$").allow();
 sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
 sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
@@ -48,6 +48,6 @@ sp.disable_function.function("QueryBuilder::setParameter").param("value").value_
 sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
 sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
 
-#File upload
+# File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();