| Age | Commit message | Author | |
|---|---|---|---|
| 2026-02-22 | Harden against snprintf(3) truncation | Christian Göttsche | |
| 2026-02-22 | Define PATH_MAX and update its usage | cgzones | |
| 2025-10-24 | feat(log): add the possibility to log to a file | jvoisin | |
| 2025-10-02 | fix(log): systematically drop when .drop() is used | jvoisin | |
| When the `php` logging facility is used, the error could have been caught by using `set_error_handler` and whatnot. This commit ensures that if the `.drop()` option is set, we're calling `zend_bailout()` that can't be caught. An attacker could have used this issue to silently perform some recon of the running environment. This isn't considered a vulnerability as an attacker with arbitrary php code execution can simply use the use-after-free of the day to gain arbitrary (native) code execution anyway, after detecting that Snuffleupagus is in use, to take little risks of detection. | |||
| 2025-10-02 | Rename a handful of global constants | jvoisin | |
| 2024-06-14 | Fix a portability issue | jvoisin | |
| This should fix the following compilation issue: ``` /wrkdirs/usr/ports/security/snuffleupagus/work-php83/snuffleupagus-0.10.0/src/sp_utils.c:438:37: error: too few arguments provided to function-like macro invocation 438 | memcpy(mb_name, ZEND_STRL("mb_")); | ^ /usr/include/ssp/string.h:117:9: note: macro 'memcpy' defined here 117 | #define memcpy(dst, src, len) __ssp_bos_check3(memcpy, dst, src, len) ``` | |||
| 2024-06-06 | Declare file local variables and functions static | Christian Göttsche | |
| Avoid missing prototype warnings by declaring variables and functions that are only used in a single file static. | |||
| 2023-02-02 | Url encode functions arguments when logging them | jvoisin | |
| 2023-02-01 | Fix a possible NULL-byte truncation when outputting parameters in the logs | jvoisin | |
| 2023-01-31 | Add sp.log_max_len | jvoisin | |
| 2022-12-09 | Portability improvements for PHP8.2 | jvoisin | |
| 2022-07-13 | Even more const! | jvoisin | |
| 2022-07-13 | More micro-optimizations | jvoisin | |
| 2022-07-13 | Minor micro-optimization | jvoisin | |
| 2022-07-13 | Remove some dead code | jvoisin | |
| 2022-07-13 | Mix the stacktrace in the sha256 for the filename of .dump() | jvoisin | |
| This should make it easier to fuzz using Snuffleupagus. | |||
| 2022-06-27 | Minor code simplification | jvoisin | |
| 2022-06-27 | Dump the eval'ed code | jvoisin | |
| 2022-05-06 | Silence a compiler warning | jvoisin | |
| 2022-02-05 | introduced sp_regexp / store original regex | Ben Fuhrmannek | |
| 2021-12-14 | fix: include class name in eval whitelist matching | Ben Fuhrmannek | |
| 2021-11-30 | clarify control flow | Ben Fuhrmannek | |
| 2021-10-21 | added some array initialization, just in case. | Ben Fuhrmannek | |
| 2021-09-23 | config is stack allocated now + some code improvements (see details) | Ben Fuhrmannek | |
| * for easier memory management, the entire sp_config struct was merged into snuffleupagus_globals and allocated on stack where possible * SNUFFLEUPAGUS_G() can be written as SPG(), which is faster to type and easier to read * execution_depth is re-initialized to 0 for each request * function calls with inline string and length parameters consistently use ZEND_STRL instead of sizeof()-1 * execution is actually hooked if recursion protection is enabled * some line breaks were removed to make the code more readable | |||
| 2021-08-17 | removed unused variables | Ben Fuhrmannek | |
| 2021-08-16 | fancy new scanner/parser for config rules + fixed a few bugs along the way + fixed related unittests | Ben Fuhrmannek | |
| 2021-08-14 | missing efree in sp_log_msgf | Ben Fuhrmannek | |
| 2021-08-12 | missing efree in sp_log_msgf | Ben Fuhrmannek | |
| 2021-08-07 | fixed double hook | Ben Fuhrmannek | |
| 2021-08-06 | restructured function hooks, implemented unhook | Ben Fuhrmannek | |
| 2021-08-03 | fixed incorrect use of free()/efree() | Ben Fuhrmannek | |
| 2021-04-28 | A pass of clang-format | jvoisin | |
| 2021-04-28 | Simplify a bit get_ip() | jvoisin | |
| 2021-02-18 | log forging protection | Ben Fuhrmannek | |
| 2021-01-30 | Improve a bit type diversity | jvoisin | |
| 2021-01-02 | Do a clang-format pass | jvoisin | |
| 2021-01-02 | Add stacktraces to dumps | jvoisin | |
| 2021-01-01 | Simplify a loop condition | jvoisin | |
| 2021-01-01 | Simplify sp_match_array_value | jvoisin | |
| 2021-01-01 | Constify a function | jvoisin | |
| 2020-12-19 | docs: fix simple typo, migitate -> mitigate | Tim Gates | |
| There is a small typo in src/sp_utils.c. Should read `mitigate` rather than `migitate`. | |||
| 2020-08-12 | Allow empty configuration (#342) | jvoisin | |
| This commit allows php to run (with a warning) if there is no specified snuffleupagus configuration, instead of refusing to start. | |||
| 2020-07-22 | refactoring sp_log_* (#340) | Giovanni | |
| Co-authored-by: Giovanni Dante Grazioli <giovanni.dantegrazioli@nbs-system.com> | |||
| 2020-07-21 | Fixed issue on impossible bailout. | Giovanni Dante Grazioli | |
| 2020-07-21 | Fix #338 - added log type if type is simulation, drop or log. (#339) | Giovanni | |
| Co-authored-by: Giovanni Dante Grazioli <giovanni.dantegrazioli@nbs-system.com> | |||
| 2020-07-12 | More constification | jvoisin | |
| 2020-07-12 | Use $_SERVER['REMOTE_ADDR'] in last resort to get the client's ip addr | jvoisin | |
| 2020-07-08 | Add a couple of `restrict` | jvoisin | |
| 2020-07-04 | Fix a small typo | jvoisin | |
| 2020-07-04 | Reorder some declaration | jvoisin | |
| So that the syslog part is as tight as possible | |||
