| Age | Commit message (Collapse) | Author |
|
objects contains null bytes (for example in private fields)
|
It has been privately reported that the rule might not be working, so better
safe than sorry. Moreover, we didn't have tests for `__construct`
|
The members sid_min_length and sid_max_length are of type unsigned long,
thus use %lu instead of %zu and a cast.
|
Dead for almost 5 years, since commit ae4ac9f ("properly free memory on
shutdown")
|
On uncommon architectures, like s390x, `-2` instead of `-1` might be printed.
|
Can cause issues on uncommon architectures, like s390x.
|
Co-authored-by: Julien "jvoisin" Voisin <julien.voisin@dustri.org>
|
Set the correct PHP versions for each rule and add the mb_send_mail function.
|
When `upload_validation` is enabled, and when VLD isn't installed, an attacker
sending a multipart POST is able to get arbitrary PHP content executed.
Reported-By: thomas-chauchefoin-tob
|
setcookie() is always URL encoded; urlencode is only turned off for setrawcookie().
Turning it off breaks cookies that have a value containing certain characters (namely spaces).
https://github.com/php/php-src/blob/685e99655ae97c667950f7f7d176985958718f56/ext/standard/head.c#L97
|
When the `php` logging facility is used, the error could have been caught by
using `set_error_handler` and whatnot. This commit ensures that if the
`.drop()` option is set, we're calling `zend_bailout()` that can't be caught.
An attacker could have used this issue to silently perform some recon of the
running environment. This isn't considered a vulnerability as an attacker
with arbitrary php code execution can simply use the use-after-free of the day
to gain arbitrary (native) code execution anyway, after detecting that
Snuffleupagus is in use, to take little risks of detection.
|
```
========DIFF========
001- OK
001+ Fatal error: Uncaught ValueError: setcookie(): "partitioned" option cannot be used without "secure" option in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php:2
002+ Stack trace:
003+ #0 /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php(2): setcookie('super_cookie', 'super_value')
004+ #1 {main}
005+ thrown in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php on line 2
========DONE========
FAIL Cookie samesite [tests/samesite_cookies.phpt]
```
Even though the warning might be spurious, let's fix this properly, by
initialising `partitioned` to false, and by setting it only if `secure` is set
as well.
|
As suggested by @santii-git in https://github.com/jvoisin/snuffleupagus/issues/522
|
```
Program terminated with signal SIGSEGV, Segmentation fault.
20 if (!(func->common.function_name)) {
(gdb) info locals
func = 0x0
function_name = 0xffb25f6d0190 "SearchByCallback"
complete_path_function = 0xffb26c8a0570 "\240\005\212l\262\377"
```
It seems that in some callback shenanigans, there is currently no non-NULL
`func` member in execute_data. PHP truly is marvelous.
This should close #515
|
sp_log_debug() does not take a feature as first argument:
src/sp_wrapper.c: In function 'sp_reregister_php_wrapper':
src/sp_utils.h:61:53: warning: too many arguments for format [-Wformat-extra-args]
61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sp_wrapper.c:144:3: note: in expansion of macro 'sp_log_debug'
144 | sp_log_debug(LOG_FEATURE, "Stream \"php\" successfully re-registered");
| ^~~~~~~~~~~~
|
Please GCC conversion warning:
src/sp_upload_validation.c: In function 'sp_rfc1867_callback':
src/sp_utils.h:61:53: warning: format '%lld' expects argument of type 'long long int', but argument 7 has type 'zend_long' {aka 'long int'} [-Wformat=]
61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sp_upload_validation.c:48:7: note: in expansion of macro 'sp_log_debug'
48 | sp_log_debug("Filename: %s\nTmpname: %s\nSize: %zd\nError: %lld\nScript: %s",
| ^~~~~~~~~~~~
|
Do not dereference the hash key for cookie encryption if it's NULL:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 zend_string_equal_content (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:386
No locals.
#1 zend_string_equals (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:391
No locals.
#2 sp_match_value (value=0x0, to_match=0x79bdb92170f0, rx=0x0) at ./src/sp_utils.c:273
No locals.
#3 0x00007989377b0709 in sp_lookup_cookie_config (key=0x0) at ./src/sp_cookie_encryption.c:8
config = 0x79bdb92158d0
it = 0x79ae80dabd00
it = <optimized out>
config = <optimized out>
#4 decrypt_cookie (pDest=0x79893b6787c0, num_args=<optimized out>, args=<optimized out>, hash_key=0x7ffe657c3880) at ./src/sp_cookie_encryption.c:19
cookie = <optimized out>
#5 0x000061875aac52df in zend_hash_apply_with_arguments ()
No symbol table info available.
#6 0x00007989377ae74b in zm_activate_snuffleupagus (type=<optimized out>, module_number=<optimized out>) at ./src/snuffleupagus.c:228
config_wrapper = 0x7989377c3490 <snuffleupagus_globals+144>
#7 0x000061875aa21710 in zend_activate_modules ()
No symbol table info available.
#8 0x000061875a9a7f18 in php_request_startup ()
No symbol table info available.
|
People are usually well-aware of the outdatedness of the PHP version they're
running, which is likely why they're running Snuffleupagus in the first place.
This feature shouldn't have been enabled by default, and I fail to see any case
where anyone would want to enable it. Moreover, it doesn't take LTS versions
from vendors/distributions into account, thus breaking on RHEL/Debian (old)stable.
|
> configure: error: Could not find awk; Install GNU awk