snuffleupagus - Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest!

Age	Commit message (Collapse)	Author
2021-08-07	prevent STDERR debug output based on SP_NODEBUG environment variable	Ben Fuhrmannek

2021-08-06	implemented ini settings protection	Ben Fuhrmannek

2021-08-06	debug log to dup'd stderr / php is closing stderr during shutdown	Ben Fuhrmannek

2021-08-02	properly free memory on shutdown	Ben Fuhrmannek

2021-07-28	Sprinkle even more `const`	jvoisin

2021-05-09	strtok/strtok_r is a thing from the past, don't use it.	jvoisin

2021-05-09	Add some checks to prevent recursion upon config reloading	jvoisin

2021-05-08	Remove some memory-leaks	jvoisin

2021-04-28	A pass of clang-format	jvoisin

2020-11-18	Make the strict mode disableable	jvoisin
	The global strict mode was enabled by default without any means to disable it, in certain cases. Bug reported by wedi.
2020-08-12	Allow empty configuration (#342)	jvoisin
	This commit allows php to run (with a warning) if there is no specified snuffleupagus configuration, instead of refusing to start.
2020-08-07	Move an include	jvoisin

2019-02-23	Try to unify the includes	jvoisin

2018-10-06	Remove sp_terminate and bump a bit the coverage	jvoisin

2018-08-30	Minor code cleanup	xXx-caillou-xXx

2018-08-30	Change how we're handling invalid configurations	xXx-caillou-xXx
	Since our configuration format is a bit more complex than php's one, we have a `sp.allow_broken_configuration` parameter (`false` by default), that you can set to `true` if you want PHP to carry on if your Snuffleupagus' configuration contains syntax errors. You'll still get a big scary message in your logs of course. We do not recommend to use it of course, but sometimes it might be useful to be able to "debug in production" without breaking your website.
2018-08-29	Change how we're validating certificates	xXx-caillou-xXx

2018-08-29	Remove the GLOB_BRACE flag	Antoine Tenart
	When calling glob() to get the configuration file location, the GLOB_BRACE flag is used. This flag enables the parsing of '{a,b}', so that '/path/{a,b}' represents '/path/a' and '/path/b'. Looking at Snuffleupagus' documentation I saw nowhere this kind of path was supported. Instead the documentation shows that glob() is used for paths with wildcards. The use of GLOB_BRACE is problematic as it is glibc specific and is not supported by some other C libraries, such as Musl. Snuffleupagus cannot be used in Apline for this reason. Since the documentation does not give a valid usage of GLOB_BRACE this patch removes it, which fixes the non-glibc support. Signed-off-by: Antoine Tenart <antoine.tenart@ack.tf>
2018-08-29	Verify certs (#223)	jvoisin
	Ensure that certificates are verified in curl should close #47
2018-08-27	Add whitelist support for php's wrappers	xXx-caillou-xXx

2018-08-20	Fix two minor issues	xXx-caillou-xXx
	- Fix an infinite loop on `echo` hook - Use the correct function to compare filenames internally
2018-07-16	Yet an other clang-format pass	jvoisin

2018-07-13	Allow rules matching on echo and print	xXx-caillou-xXx

2018-07-13	Massively optimize how rules are handled	xXx-caillou-xXx
	This commit does a lot of things: - Use hashtables instead of lists to store the rules - Rules that can be applied at launch time won't be tried at runtime - Improve feedback when writing nonsensical rules - Make intensive use of `zend_string` instead of `char*`
2018-07-09	Trying to fix sloppy comparison (#186)	jvoisin
	* Trying to fix sloppy comparison https://github.com/nbs-system/snuffleupagus/issues/10 by modifying php's opcode
2018-05-29	Support session encryption	kkadosh
	Implement session encryption.
2018-01-18	Improve a bit our portability wrt. windows	jvoisin
	Thanks to @remicollet for the tip
2018-01-18	Simplify the previous commit	jvoisin

2018-01-18	Clean up a bit the glob code	jvoisin

2018-01-18	add missing globfree()	Sebastien Blot

2018-01-18	Add globbing support for configuration file path (closes #125)	Sebastien Blot

2018-01-17	Remove useless "head" member in our linked lists implementation	simon MAGNIN-FEYSOT
	This should close #85
2018-01-10	Eval whitelist	jvoisin
	Implement whitelist in eval
2018-01-05	Fix a bypass in our eval blacklist	jvoisin

2018-01-04	Eval blacklist	jvoisin
	Add support for eval filtering, only blacklist for now
2017-12-28	Clang-format pass	Thibault "bui" Koechlin
	- `clang-format --style="{BasedOnStyle: google, SortIncludes: false}" -i snuffleu.c sp_.c sp_*.h` - Update the documentation accordingly
2017-12-28	Show in the phpinfo() is the config is valid	jvoisin
	This should close #39
2017-12-28	Implement regexp support for cookies encryption	Thibault "bui" Koechlin
	It's now possible to encrypt cookies matching a specific regexp. This should close #106
2017-12-21	Rename sp_node_t to sp_list_node	jvoisin
	Since we now have sp_list and sp_tree, it makes sense to specify that nodes are only for lists.
2017-11-29	Implement eval hooking	jvoisin
	It's not possible to hook the `eval` builtin like other functions.
2017-11-24	Implement anti csrf measures	xXx-caillou-xXx
	This is done by using the "samesite" cookie attribute.
2017-10-31	Minor factorization	jvoisin

2017-10-26	Free additionally allocated `sp_list` instances	Ben Foster
	References #43.
2017-10-26	Renames `sp_new_list` -> `sp_list_new`	Ben Foster
	To be consistent with the rest of the `sp_list` functions.
2017-10-26	Free `config_disabled_constructs`	Ben Foster
	In reference to #43.
2017-10-20	Add support for multiple files in sp.configuration_file directive	blotus
	This should close (#45
2017-10-13	Add more data to `phpinfo()`	jvoisin
	- The version - The git commit
2017-10-13	Show some data in the phpinfo();	jvoisin

2017-10-10	Remove a useless ile for now	jvoisin
	This should close #31
2017-10-09	Better hooking of language constructs (#26)	jvoisin
	* Vastly improve the support of language construct hooking