| Age | Commit message | Author | |
|---|---|---|---|
| 2026-01-21 | Update default.rules | santii-git | |
| Set the correct PHP versions for each rule and add the mb_send_mail function. | |||
| 2025-09-30 | Make the default rules compatible via PHP8 | santii-git | |
| 2025-09-30 | Make the default rules compatible via PHP8 | jvoisin | |
| As suggested by @santii-git in https://github.com/jvoisin/snuffleupagus/issues/522 | |||
| 2025-05-25 | Unify/fix the default.rules file across PHP versions, and add some new ones | jvoisin | |
| 2024-06-09 | Forbid file:// protocol in Curl | bohwaz | |
| 2024-06-09 | Wording updates | Christian Göttsche | |
| 2024-06-09 | Add option to specify the allowed "php" wrapper types | Christian Göttsche | |
| In addition to the current possibility to filter wrappers by their protocol name, also add the option to filter the "php" wrapper by the requested kind. Especially the 'filter' backend can be disabled that way. | |||
| 2024-06-06 | Fix misc typos | Christian Göttsche | |
| 2024-03-24 | Fix yet another php surprised-rename of functions parameters | jvoisin | |
| 2023-11-27 | Update config/ini_protection.rules | Julien Voisin | |
| 2023-11-27 | Add condition for mysqli.reconnect | Christian Göttsche | |
| mysqli.reconnect has been removed in PHP 8.2, see https://www.php.net/manual/de/mysqli.configuration.php#ini.mysqli.reconnect. | |||
| 2023-11-03 | Add some documentation in the default rules. | jvoisin | |
| 2023-02-16 | Add another burned vuln to the php8 rules | Julien Voisin | |
| 2023-02-16 | Add another burned vuln to the php7 rules | Julien Voisin | |
| 2023-01-03 | Add example configuration for Xenforo 2.2.12 | Tristan | |
| 2022-08-18 | Fix the default configuration on php7.4+ | jvoisin | |
| 2022-04-17 | Improve the portability of the php7 rules | jvoisin | |
| 2022-01-11 | make xxe protection conditional in default rules | Ben Fuhrmannek | |
| 2022-01-11 | enable strict_mode in example config | Ben Fuhrmannek | |
| 2022-01-10 | renamed ini protection example rules | Ben Fuhrmannek | |
| 2022-01-10 | added conditions to ini protection example | Ben Fuhrmannek | |
| 2022-01-07 | added dangerous extension check | Ben Fuhrmannek | |
| 2021-11-26 | PHP8 update parameters name in "move_uploaded_file" (#406) | pfdutot | |
| In the 8.0.8 and 8.1 versions of PHP, the parameter names for move_uploaded_file are "from" and "to". This config file fails to apply the relevant rules unless the parameter names are updated using "to" instead of "destination". | |||
| 2021-11-11 | inverted logic. set xxe_protection.enable() instead of disable_xxe.disable() | Ben Fuhrmannek | |
| 2021-08-30 | fixed typo | Ben Fuhrmannek | |
| 2021-08-29 | updated documentation URL | Ben Fuhrmannek | |
| 2021-08-18 | ported Suhosin rules to Snuffleupagus rules | Ben Fuhrmannek | |
| 2021-08-18 | updated documentation URL | Ben Fuhrmannek | |
| 2021-08-16 | Fix a few typos and inconsistencies in config files | Gasper Vozel | |
| 2021-08-07 | more ini protection features | Ben Fuhrmannek | |
| 2021-08-06 | default ruleset for ini protection feature | Ben Fuhrmannek | |
| 2021-05-09 | Fix disable function chmod | WhiteWinterWolf | |
| 2021-05-01 | Additional PHP 8 sample config argument name changes | Tristan Deloche | |
| 2021-05-01 | Improve our SQLI-related documentation and remove some useless rules | jvoisin | |
| 2021-04-27 | Update some parameter names which changed for PHP 8.0 | Tristan Deloche | |
| 2021-04-26 | Add a configuration file for php8 | jvoisin | |
| 2020-06-07 | Lockdown of the logging directives | jvoisin | |
| This is done to prevent an attacker who obtained arbitrary code execution to mess with the logging configuration. | |||
| 2020-04-25 | Fix and improve the previous commit | jvoisin | |
| 2020-04-25 | Add yet another stupid thing to the default set of rules | jvoisin | |
| 2020-04-24 | Add yet another disabled_functions bypass | jvoisin | |
| 2019-10-16 | Fix the default configuration | jvoisin | |
| ini_[sg]et first parameter is actually varname, and not var_name. Thanks to @gergo314 for flagging this! | |||
| 2019-04-07 | Protect against a now-public open_basedir bypass | jvoisin | |
| 2019-01-16 | Improve a bit the default rules | jvoisin | |
| 2018-12-25 | Tighten a bit the command-injection prevention rule | jvoisin | |
| 2018-08-29 | Change how we're validating certificates | xXx-caillou-xXx | |
| 2018-08-29 | Verify certs (#223) | jvoisin | |
| Ensure that certificates are verified in curl; should close #47 | |||
| 2018-07-23 | Improve a bit the default rules | jvoisin | |
| - Use plain values instead of regexp where possible - Reduce the number of false positives (*cough* `curl_exec` *cough*) | |||
| 2018-07-23 | Whitelist the inclusion of `.phtml` files | jvoisin | |
| This is the extension used by PhpMyAdmin | |||
| 2018-07-23 | Allow the inclusion of `.inc` files | jvoisin | |
| 2018-07-23 | Use SameSite on PHP's session cookie in the default rules | jvoisin | |
