| Age | Commit message | Author | |
|---|---|---|---|
| 2022-04-17 | Improve the portability of the php7 rules | jvoisin | |
| 2022-03-20 | Merge remote-tracking branch 'sektioneins/master' | jvoisin | |
| 2022-01-11 | make xxe protection conditional in default rules | Ben Fuhrmannek | |
| 2022-01-11 | enable strict_mode in example config | Ben Fuhrmannek | |
| 2022-01-10 | renamed ini protection example rules | Ben Fuhrmannek | |
| 2022-01-10 | added conditions to ini protection example | Ben Fuhrmannek | |
| 2022-01-07 | added dangerous extension check | Ben Fuhrmannek | |
| 2021-11-26 | PHP8 update parameters name in "move_uploaded_file" (#406) | pfdutot | |
| | In the 8.0.8 and 8.1 versions of PHP, the parameter names for move_uploaded_file are "from" and "to". This config file fails to apply the relevant rules unless the parameter names are updated using "to" instead of "destination". | | |
| 2021-11-11 | inverted logic. set xxe_protection.enable() instead of disable_xxe.disable() | Ben Fuhrmannek | |
| 2021-08-30 | fixed typo | Ben Fuhrmannek | |
| 2021-08-29 | updated documentation URL | Ben Fuhrmannek | |
| 2021-08-18 | ported Suhosin rules to Snuffleupagus rules | Ben Fuhrmannek | |
| 2021-08-18 | updated documentation URL | Ben Fuhrmannek | |
| 2021-08-16 | Fix a few typos and inconsistencies in config files | Gasper Vozel | |
| 2021-08-07 | more ini protection features | Ben Fuhrmannek | |
| 2021-08-06 | default ruleset for ini protection feature | Ben Fuhrmannek | |
| 2021-05-09 | Fix disable function chmod | WhiteWinterWolf | |
| 2021-05-01 | Additional PHP 8 sample config argument name changes | Tristan Deloche | |
| 2021-05-01 | Improve our SQLI-related documentation and remove some useless rules | jvoisin | |
| 2021-04-27 | Update some parameter names which changed for PHP 8.0 | Tristan Deloche | |
| 2021-04-26 | Add a configuration file for php8 | jvoisin | |
| 2020-06-07 | Lockdown of the logging directives | jvoisin | |
| | This is done to prevent an attacker who obtained arbitrary code execution from messing with the logging configuration. | | |
| 2020-04-25 | Fix and improve the previous commit | jvoisin | |
| 2020-04-25 | Add yet another stupid thing to the default set of rules | jvoisin | |
| 2020-04-24 | Add yet another disabled_functions bypass | jvoisin | |
| 2019-10-16 | Fix the default configuration | jvoisin | |
| | ini_[sg]et first parameter is actually varname, and not var_name. Thanks to @gergo314 for flagging this! | | |
| 2019-04-07 | Protect against a now-public open_basedir bypass | jvoisin | |
| 2019-01-16 | Improve a bit the default rules | jvoisin | |
| 2018-12-25 | Tighten a bit the command-injection prevention rule | jvoisin | |
| 2018-08-29 | Change how we're validating certificates | xXx-caillou-xXx | |
| 2018-08-29 | Verify certs (#223) | jvoisin | |
| | Ensure that certificates are verified in curl; should close #47 | | |
| 2018-07-23 | Improve a bit the default rules | jvoisin | |
| | - Use plain values instead of regexp where possible - Reduce the number of false positives (*cough* `curl_exec` *cough*) | | |
| 2018-07-23 | Whitelist the inclusion of `.phtml` files | jvoisin | |
| | This is the extension used by PhpMyAdmin | | |
| 2018-07-23 | Allow the inclusion of `.inc` files | jvoisin | |
| 2018-07-23 | Use SameSite on PHP's session cookie in the default rules | jvoisin | |
| 2018-07-23 | Activate more features in the default rules | jvoisin | |
| 2018-07-13 | Massively optimize how rules are handled | xXx-caillou-xXx | |
| | This commit does a lot of things: - Use hashtables instead of lists to store the rules - Rules that can be applied at launch time won't be tried at runtime - Improve feedback when writing nonsensical rules - Make intensive use of `zend_string` instead of `char*` | | |
| 2018-03-09 | Improve the performances of our default rules | jvoisin | |
| 2018-03-09 | Vastly improve our typo3 rules | jvoisin | |
| 2018-03-05 | Improve a bit the performances (+10%) | jvoisin | |
| 2018-03-02 | Add some rules for Typo3, courtesy of @kjojo | jvoisin | |
| 2018-02-26 | Improve the previous commit | jvoisin | |
| 2018-02-26 | Add a rule to prevent various sandbox escapes | jvoisin | |
| | This used to be private, but since it apparently isn't anymore, we should forbid it ;) | | |
| 2018-02-22 | Refactor a bit our rules | jvoisin | |
| 2018-02-07 | Tested two more rules for Abantecart 1.2.8 from the RIPS calendar | kjojo | |
| 2018-02-07 | Add an example rule from the rips calendar for abantecart's XSS | kjojo | |
| 2018-01-17 | Our configuration files are ending in .rules, not .ini | jvoisin | |
| | This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip | | |
| 2017-12-27 | Fix the debian package | blotus | |
| | Add a default ini file to enable snuffleupagus to the debian package | | |
| 2017-12-04 | Fix the configuration parser wrt. non-matching brackets | jvoisin | |
| | This validation step is a bit idiotic, but we'll replace it with a proper parser anyway. | | |
| 2017-11-27 | Archlinux pkg | xXx-caillou-xXx | |
| | Add a PKGBUILD for Archlinux | | |
