| Age | Commit message | Author | |
|---|---|---|---|
| 2026-03-28 | Fix the usage of strlen() which will return a wrong size when serialized objects contain null bytes (for example in private fields) | W0rty | |
| 2025-10-24 | fix(unserialize): don't bail in simulation mode when there's no HMAC | jvoisin | |
| 2024-06-06 | Silence unused variable warning with php 8.3 | Christian Göttsche | |
| src/sp_unserialize.c: In function 'zif_sp_unserialize': src/sp_unserialize.c:131:15: warning: unused variable 'orig_handler' [-Wunused-variable] 131 \| zif_handler orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")); \| ^~~~~~~~~~~~ | |||
| 2023-06-25 | Fix an unserialize-related warning | jvoisin | |
| This should fix `Warning: unserialize(): Extra data starting at offset 8 of 72 bytes in unserialize.php on line 4`. On the flip side, it's no longer possible in PHP8.3 and above, when using Snuffleupagus, to have other extensions hooking unserialize(). | |||
| 2022-12-08 | Add unserialize_noclass | jvoisin | |
| 2022-12-07 | Minor refactor | jvoisin | |
| 2022-05-03 | Help the compiler to optimize sp_do_hash_hmac_sha256 a more | jvoisin | |
| 2022-03-20 | Fix compilation on PHP<7.2 | jvoisin | |
| 2021-12-13 | fixed use after free + PHP 7 compatibility | Ben Fuhrmannek | |
| 2021-11-19 | replaced call_user_func with C level call | Ben Fuhrmannek | |
| 2021-10-21 | added some array initialization, just in case. | Ben Fuhrmannek | |
| 2021-09-23 | config is stack allocated now + some code improvements (see details) | Ben Fuhrmannek | |
| * for easier memory management, the entire sp_config struct was merged into snuffleupagus_globals and allocated on stack where possible * SNUFFLEUPAGUS_G() can be written as SPG(), which is faster to type and easier to read * execution_depth is re-initialized to 0 for each request * function calls with inline string and length parameters consistently use ZEND_STRL instead of sizeof()-1 * execution is actually hooked if recursion protection is enabled * some line breaks were removed to make the code more readable | |||
| 2021-08-16 | fancy new scanner/parser for config rules + fixed a few bugs along the way + fixed related unittests | Ben Fuhrmannek | |
| 2021-08-03 | simplified string concat | Ben Fuhrmannek | |
| 2020-07-22 | refactoring sp_log_* (#340) | Giovanni | |
| Co-authored-by: Giovanni Dante Grazioli <giovanni.dantegrazioli@nbs-system.com> | |||
| 2020-07-04 | Run clang-format on the codebase | jvoisin | |
| 2019-06-20 | Fix snufflepagus_globals linking issues and one mac compatibility issue | bef | |
| 2019-06-19 | fix snufflepagus_globals linking issues and one mac compatibility issue | Ben Fuhrmannek | |
| 2018-10-06 | Bump coverage again | jvoisin | |
| 2018-10-06 | Bump a bit the coverage | jvoisin | |
| * `setcookie` doesn't always return `true` anymore * clang-format * Cookies with invalid decryption are dropped, but the request isn't anymore * faulty unserialize are now dumpable | |||
| 2018-10-06 | Remove sp_terminate and bump a bit the coverage | jvoisin | |
| 2018-09-03 | Fix #241 segfault on 32-bit related to bad prototype (#242) | Remi Collet | |
| This should close #241 | |||
| 2018-08-30 | Minor code cleanup | xXx-caillou-xXx | |
| 2018-07-13 | Yet another pass of clang-format | jvoisin | |
| 2018-07-13 | Fix various possible integer overflows | xXx-caillou-xXx | |
| 2018-07-13 | Massively optimize how rules are handled | xXx-caillou-xXx | |
| This commit does a lot of things: - Use hashtables instead of lists to store the rules - Rules that can be applied at launch time won't be tried at runtime - Improve feedback when writing nonsensical rules - Make intensive use of `zend_string` instead of `char*` | |||
| 2018-03-02 | Implement dump() for execution of writable PHP files | kkadosh | |
| 2018-02-27 | Implements .dump() for unserialize and fix some related tests | kkadosh | |
| 2018-02-05 | Massive simplification of functions hooking | jvoisin | |
| 2018-01-15 | Fix some memleaks | jvoisin | |
| 2018-01-04 | Eval blacklist | jvoisin | |
| Add support for eval filtering, only blacklist for now | |||
| 2018-01-03 | Remove some dead code | jvoisin | |
| 2017-12-28 | Clang-format pass | Thibault "bui" Koechlin | |
| - `clang-format --style="{BasedOnStyle: google, SortIncludes: false}" -i snuffleu*.c sp_*.c sp_*.h` - Update the documentation accordingly | |||
| 2017-10-30 | Fix a silly and useless off-by-one | jvoisin | |
| 2017-10-18 | .drop() is not a `nop` anymore | Thibault "bui" Koechlin | |
| `.drop()` is now bailing out, instead of nop'ing the call. This closes #13 | |||
| 2017-10-10 | Make the `simulation` mode logs more obvious | jvoisin | |
| 2017-09-21 | Add travis | jvoisin | |
