path: root/src/sp_cookie_encryption.c

Age | Commit message | Author
2018-02-05 | Massive simplification of functions hooking | jvoisin
2018-02-05 | Compatibility layer for pcre2 | jvoisin
    This should close #129
2018-01-15 | Fix some memleaks | jvoisin
2018-01-03 | Remove some dead code | jvoisin
2017-12-28 | Clang-format pass | Thibault "bui" Koechlin
    - `clang-format --style="{BasedOnStyle: google, SortIncludes: false}" -i snuffleu*.c sp_*.c sp_*.h`
    - Update the documentation accordingly
2017-12-28 | Implement regexp support for cookies encryption | Thibault "bui" Koechlin
    It's now possible to encrypt cookies matching a specific regexp. This should close #106
2017-12-27 | Implement simulation mode for cookies (de/en)cryption | jvoisin
    This should close #102
    This commit can be useful for two use-cases:
    1. When deploying Snuffleupagus on a big CMS like Magento, and not knowing what cookies are modified via javascript.
    2. When deploying Snuffleupagus on big websites: you don't want to disconnect every single user at once.
    When simulation is enabled, if the decryption fails, a log message is now issued, and the cookie value is taken as is (since odds are that it's non-encrypted).
2017-12-20 | Better parsing of the rules | xXx-caillou-xXx
    Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules.
2017-12-20 | Improve the previous commit | xXx-caillou-xXx
    We can simply use the return value of the original `setcookie` :>
2017-12-20 | Make `setcookie` return true | xXx-caillou-xXx
    We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, which effectively checks the return value.
2017-12-19 | Fix a segfault related to cookies | xXx-caillou-xXx
    Apparently, PHP doesn't like when you're trying to save some memory when you're playing with strings.
2017-12-19 | Rework a bit the order of operation | jvoisin
    - There is no need to generate the key if the cookie has no value
    - There is no need to generate the key if the cookie length is invalid
    - Use yoda condition
2017-12-19 | remove useless vars | lefevre
2017-12-19 | fix double decodings | lefevre
2017-12-18 | Fix cookie encryption | xXx-caillou-xXx
    Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.
2017-11-27 | Improve our nonce's randomness | jvoisin
2017-11-24 | Implement anti-CSRF measures | xXx-caillou-xXx
    This is done by using the "samesite" cookie attribute.
2017-10-11 | Cheat a bit with the coverage | jvoisin
2017-10-02 | Add a warning if the env var is NULL | jvoisin
2017-10-02 | First pass for #9 | jvoisin
2017-09-29 | Fix two cookie encryption issues found by @cfreal, and a bonus one (#18) | jvoisin
    * Fix a cookie encryption issue found by @cfreal
      - Use the base64-decoded payload length to allocate memory to decrypt it, instead of allocating the length of the undecoded one. This has no security impact, since the base64-encoded string is at least as large as the decoded one. Since we're using AEAD, there is no way to leak memory, since this would make the decryption fail.
2017-09-21 | Add travis | jvoisin
2017-09-20 | Initial import | Sebastien Blot