| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2017-12-28 | Implement regexp support for cookies encryption | Thibault "bui" Koechlin | |
| It's now possible to encrypt cookies matching a specific regexp. This should close #106 | |||
| 2017-12-28 | Add two tests to verify that we can hook indirect calls | jvoisin | |
| This should close #104 | |||
| 2017-12-28 | Implement hooking on user-defined functions return values | jvoisin | |
| This should close #99, thanks to @blotus for the implementation idea! | |||
| 2017-12-27 | Implement simulation mode for cookies (de/en)cryption | jvoisin | |
| This should close #102 This commit can be useful for two use-cases: 1. When deploying Snuffleupagus on big CMS like Magento, and not knowing what cookies are modified via javascript. 2. When deploying Snuffleupagus on big websites: you don't want to disconnect every single user at once. When simulation is enabled, if the decryption fails, a log message is now issued, and the cookie value taken as it (since odds are that it's non-encrypted). | |||
| 2017-12-21 | Add coverage | slefevre | |
| 2017-12-21 | Add test | slefevre | |
| 2017-12-21 | Remove the now useless `validate_str` function | xXx-caillou-xXx | |
| 2017-12-21 | Add test | slefevre | |
| 2017-12-21 | Add some tests (#96) | xXx-caillou-xXx | |
| 2017-12-21 | Add a constant-related test | jvoisin | |
| 2017-12-20 | Better parsing of the rules | xXx-caillou-xXx | |
| Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules. | |||
| 2017-12-20 | Make `setcookie` return true | xXx-caillou-xXx | |
| We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, who effectively checks the return value. | |||
| 2017-12-18 | Fix cookie encryption | xXx-caillou-xXx | |
| Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested. | |||
| 2017-12-05 | Dump environnement variables (#83) | jvoisin | |
| Apparently, PHP thinks that it's a great idea to type environnement variables, because why not. | |||
| 2017-12-05 | Add two failing tests | jvoisin | |
| 2017-12-04 | Fix the configuration parser wrt. non-matching brackets | jvoisin | |
| This validation step is a bit idiotic, but we'll replace it with a proper parser anyway. | |||
| 2017-12-01 | Add a test that used to segfault | jvoisin | |
| 2017-12-01 | Fail sooner when not able to create the folder to dump | jvoisin | |
| 2017-11-29 | Add new tests | jvoisin | |
| 2017-11-29 | Add yet an other test | jvoisin | |
| 2017-11-29 | Add even MOAR tests | jvoisin | |
| 2017-11-29 | Add a test for `include` | jvoisin | |
| 2017-11-29 | Implement eval hooking | jvoisin | |
| It's not possible to hook the `eval` builtin like other functions. | |||
| 2017-11-24 | Implement anti csrf measures | xXx-caillou-xXx | |
| This is done by using the "samesite" cookie attribute. | |||
| 2017-11-06 | Add a failing test | jvoisin | |
| 2017-11-06 | 53 absolute path (#62) | jvoisin | |
| * Add error for relative path | |||
| 2017-10-31 | Add a test to match on array | jvoisin | |
| 2017-10-31 | Minor factorization of the keyword parsing code | jvoisin | |
| 2017-10-31 | Unify two struct members related to virtual-patching | xXx-caillou-xXx | |
| This should close #65 | |||
| 2017-10-30 | Minor code cleanup | jvoisin | |
| 2017-10-30 | Bump coverage and simplify some code | jvoisin | |
| 2017-10-27 | Bump the coverage | jvoisin | |
| 2017-10-27 | Improve a bit the coverage wrt. broken configurations | jvoisin | |
| 2017-10-25 | .drop() is now bailout | jvoisin | |
| Courtesy of @buixor | |||
| 2017-10-25 | Make the testsuite a bit more robust | jvoisin | |
| 2017-10-24 | Bump coverage ♥ | jvoisin | |
| 2017-10-24 | Remove the `enable` member from the disable function structure | jvoisin | |
| Also add some more tests | |||
| 2017-10-23 | Add a test for unmatched brackets | jvoisin | |
| 2017-10-23 | Add some tests for upload validation and fix a related typo | jvoisin | |
| 2017-10-23 | Add a test for non-existent configuration file | jvoisin | |
| 2017-10-23 | Implement the .line filter | jvoisin | |
| Close #48 | |||
| 2017-10-22 | Add a testcase, bumping the coverage | jvoisin | |
| 2017-10-22 | Improve an error message | jvoisin | |
| 2017-10-20 | Add a test to demonstrate the behaviour wrt. call_user_func | jvoisin | |
| 2017-10-20 | Add support for multiple files in sp.configuration_file directive | blotus | |
| This should close (#45 | |||
| 2017-10-18 | `.pos` is mutuaally exclusive with .param and .paran_r | jvoisin | |
| 2017-10-18 | Fix the tests | jvoisin | |
| 2017-10-18 | extra tests | bui | |
| 2017-10-18 | Implement match on arguments position | jvoisin | |
| 2017-10-18 | .drop() is not a `nop` anymore | Thibault "bui" Koechlin | |
| `.drop()` is now baillout out, instead of nop'ing the call. This closes #13 | |||
 |
index : snuffleupagus | |
| Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! |
| summaryrefslogtreecommitdiff |