summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-10-13Add some debug to the harden-rand tests, just in case™jvoisin
2017-10-13Fix the size of the output vector in our usage of pcrejvoisin
2017-10-12Minor refactoringjvoisin
- use the `is_regexp_matching` function when possible - check parameters before passing it to `pcre_exec` - improve error messages wrt. regexp
2017-10-12Add `curl_multi_exec` to the magic php scriptjvoisin
2017-10-12Add a missing function to the generator scriptjvoisin
2017-10-12Fix minor gcc warnings with experimental optionsjvoisin
`CFLAGS='-Wnull-dereference -Wlogical-op -Wshadow -Wjump-misses-init' make clean coverage`
2017-10-11Hopefully fix an unreproductible NULL-deref in regexp matchingjvoisin
Reported by @fr33tux
2017-10-11Add some more debug to the regexp thingyjvoisin
2017-10-11Cheat a bit with the coveragejvoisin
2017-10-11Cache checksum calculation for the current filejvoisin
Close #34
2017-10-11s/disable_functions/disable_function/gjvoisin
This should close #36 and #30
2017-10-11Add some info when a regexp failsjvoisin
2017-10-10Improve the layout of the related vulns in the documentationjvoisin
2017-10-10.allow() is now working for requirejvoisin
2017-10-10Bump coverage, and fix a segfault on trace matchingjvoisin
2017-10-10Increase a bit the coveragejvoisin
2017-10-10Remove a useless ile for nowjvoisin
This should close #31
2017-10-10Make the `simulation` mode logs more obviousjvoisin
2017-10-10Add a link to a new article, and fix a warn in the docjvoisin
2017-10-10Fix a few typos in the documentationjvoisin
Courtesy of @watw00t
2017-10-09Better hooking of language constructs (#26)jvoisin
* Vastly improve the support of language construct hooking
2017-10-09Implement matching on the calltrace (#17)jvoisin
* Implement matching on the calltrace
2017-10-08Improve a bit the script to generate rulesjvoisin
2017-10-08Add some missing stuff in the `thanks` sectionjvoisin
2017-10-08Grammar/Punctuation changes (#29)Connor Carr
2017-10-05Fix the engrish of the readmejvoisin
2017-10-05Use clang on travis-ci (#23)jvoisin
2017-10-05Use PHP's entropy generation primitive, instead of a ghetto one (#24)jvoisin
2017-10-04Fix some engrish, courtesy of @integrity_jvoisin
2017-10-03Add a test for functions used in UPPERCASEjvoisin
2017-10-02Add a favicon!jvoisin
2017-10-02Add a bla about compilation requirements (courtesy of @he2ss)jvoisin
2017-10-02Merge pull request #19 from nbs-system/9-cookies-encryption-env-varblotus
Allow to chose the environment variable to derive the cookie encryption key from.
2017-10-02Add a bla about HHVMjvoisin
2017-10-02Add a warning if the env var is NULLjvoisin
2017-10-02Update the documentation accordinglyjvoisin
2017-10-02First pass for #9jvoisin
2017-10-01Fix some typos (courtesy of @sabban) and mention tests in the ↵jvoisin
CONTRIBUTING.md file
2017-09-29Fix two cookie encryption issues found by @cfreal, and a bonus one (#18)jvoisin
* Fix a cookie encryption issue found by @cfreal - Use the base64-decoded payload length to allocate memory to decrypt it, instead of allocating the length of the undecoded one. This has no security impact, since the base64-encoded string is at least as large as the decoded one. Since we're using AEAD, there is no way to leak memory, since this would make the decryption fail.
2017-09-28Mention our beerbounty programjvoisin
2017-09-28Improve the documentation wrt. installationjvoisin
Thanks to @real for finding this.
2017-09-28Fix some typos in the documentation spotted by some people on reddit ♥jvoisin
2017-09-27Sort the helpjvoisin
2017-09-27Add some auto-documentation to the makefilejvoisin
2017-09-26Update a bit the configurationjvoisin
2017-09-26Implement, test and document namespace supportjvoisin
2017-09-26Simplify and improve the build systemjvoisin
- CFLAGS are now set in the config.m4 file (and not in the Makefile anymore) - `make release` is added - `make debug` and `make coverage` are now simpler - hardening flags are added
2017-09-26Fix a broken RsT linkjvoisin
2017-09-26Add a security contactjvoisin
2017-09-26Run the joomla testsuite as a simple benchmarkjvoisin
The joomla testsuite is now run on travis automatically, with and without snuffleupagus, to give us a rough overview of the performance impact of snuffleupagus on real™ code.