| Age | Commit message | Author |
|
PHP 7.3+ added a new prototype for the cookie
setting mechanism, breaking our ghetto samesite-injection;
this commit takes care of it.
|
* `setcookie` doesn't always return `true` anymore
* clang-format
* Cookies with invalid decryption are dropped, but the request isn't anymore
* faulty unserialize are now dumpable
|
This commit vastly simplifies the code of cookies-fiddling mechanisms.
|
This commit does a lot of things:
- Use hashtables instead of lists to store the rules
- Rules that can be applied at launch time won't be tried at runtime
- Improve feedback when writing nonsensical rules
- Make intensive use of `zend_string` instead of `char*`
|
* relax test to pass with 7.3
* skip test with 7.3 as samesite is broken + add TODO
|
Implement session encryption.
|
Refactor the encryption process to extract encrypt/decrypt functions
|
This should close #129
|
- `clang-format --style="{BasedOnStyle: google, SortIncludes: false}" -i snuffleu*.c sp_*.c sp_*.h`
- Update the documentation accordingly
|
It's now possible to encrypt cookies matching a specific regexp.
This should close #106
|
This should close #102
This commit can be useful for two use-cases:
1. When deploying Snuffleupagus on big CMS like Magento, and not knowing
what cookies are modified via javascript.
2. When deploying Snuffleupagus on big websites: you don't want to disconnect
every single user at once.
When simulation is enabled, if the decryption fails, a log message is
now issued, and the cookie value is taken as is (since odds are that it's
non-encrypted).
|
Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules.
|
We can simply use the return value of the original `setcookie` :>
|
We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, who effectively checks the return value.
|
Apparently, PHP doesn't like when you're trying to save some memory when you're playing with strings.
|
- There is no need to generate the key if the cookie has no value
- There is no need to generate the key if the cookie length is invalid
- Use yoda condition
|
Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.
|
This is done by using the "samesite" cookie attribute.
|
* Fix a cookie encryption issue found by @cfreal
- Use the base64-decoded payload length to allocate memory to decrypt
it, instead of allocating the length of the undecoded one. This has
no security impact, since the base64-encoded string is at least as large
as the decoded one. Since we're using AEAD, there is no way to leak
memory, since this would make the decryption fail.
|