| Age | Commit message | Author | |
|---|---|---|---|
| 2017-12-18 | Fix cookie encryption | xXx-caillou-xXx | |
| Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested. | |||
| 2017-11-27 | Improve our nonce's randomness | jvoisin | |
| 2017-11-24 | Implement anti csrf measures | xXx-caillou-xXx | |
| This is done by using the "samesite" cookie attribute. | |||
| 2017-10-11 | Cheat a bit with the coverage | jvoisin | |
| 2017-10-02 | Add a warning if the env var is NULL | jvoisin | |
| 2017-10-02 | First pass for #9 | jvoisin | |
| 2017-09-29 | Fix two cookie encryption issues found by @cfreal, and a bonus one (#18) | jvoisin | |
| * Fix a cookie encryption issue found by @cfreal - Use the base64-decoded payload length to allocate memory to decrypt it, instead of allocating the length of the undecoded one. This has no security impact, since the base64-encoded string is at least as large as the decoded one. Since we're using AEAD, there is no way to leak memory, since this would make the decryption fail. | |||
| 2017-09-21 | Add travis | jvoisin | |
| 2017-09-20 | Initial import | Sebastien Blot | |
