snuffleupagus - Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest!

Age	Commit message (Collapse)	Author
2017-12-28	Add two tests to verify that we can hook indirect calls	jvoisin
	This should close #104
2017-12-28	Implement hooking on user-defined functions return values	jvoisin
	This should close #99, thanks to @blotus for the implementation idea!
2017-12-27	Implement simulation mode for cookies (de/en)cryption	jvoisin
	This should close #102 This commit can be useful for two use-cases: 1. When deploying Snuffleupagus on big CMS like Magento, and not knowing what cookies are modified via javascript. 2. When deploying Snuffleupagus on big websites: you don't want to disconnect every single user at once. When simulation is enabled, if the decryption fails, a log message is now issued, and the cookie value taken as it (since odds are that it's non-encrypted).
2017-12-26	Improve the portability of our ipv6 support	jvoisin
	Apparently, the in6_addr can have different fields in its union, making it a bit non-portable. We're solving this via macros. This should close #100, thanks to @fichtner for the report ♥
2017-12-21	Add coverage	slefevre

2017-12-21	Refactor a bit	slefevre

2017-12-21	Add test	slefevre

2017-12-21	Remove the now useless `validate_str` function	xXx-caillou-xXx

2017-12-21	Add test	slefevre

2017-12-21	Rename, again, some types	jvoisin

2017-12-21	Rename sp_node_t to sp_list_node	jvoisin
	Since we now have sp_list and sp_tree, it makes sense to specify that nodes are only for lists.
2017-12-21	Add some tests (#96)	xXx-caillou-xXx

2017-12-21	Re-indent a bit a function	jvoisin

2017-12-21	Add a constant-related test	jvoisin

2017-12-21	Minor code cleanup	xXx-caillou-xXx

2017-12-20	Refactor a bit the sp_tree implementation	xXx-caillou-xXx

2017-12-20	Better parsing of the rules	xXx-caillou-xXx
	Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules.
2017-12-20	Improve the previous commit	xXx-caillou-xXx
	We can simply use the return value of the original `setcookie` :>
2017-12-20	Make `setcookie` return true	xXx-caillou-xXx
	We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, who effectively checks the return value.
2017-12-19	Fix a segfault related to cookies	xXx-caillou-xXx
	Apparently, PHP doesn't like when you're trying to save some memory when you're playing with strings.
2017-12-19	Rework a bit the order of operation	jvoisin
	- There is no need to generate the key if the cookie has no value - There is no need to generate the key if the cookie length is invalid - Use yoda condition
2017-12-19	remove useless var	slefevre

2017-12-19	fix double decoding	slefevre

2017-12-18	Fix cookie encryption	xXx-caillou-xXx
	Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.
2017-12-06	Vastly simplify the dumping of zval in `.dump`	jvoisin

2017-12-06	Fix a format string, thanks to coverity	jvoisin

2017-12-05	Dump environnement variables (#83)	jvoisin
	Apparently, PHP thinks that it's a great idea to type environnement variables, because why not.
2017-12-05	Add two failing tests	jvoisin

2017-12-04	Improve the `.dump` filter	jvoisin

2017-12-04	Fix the configuration parser wrt. non-matching brackets	jvoisin
	This validation step is a bit idiotic, but we'll replace it with a proper parser anyway.
2017-12-01	Add a test that used to segfault	jvoisin

2017-12-01	Fail sooner when not able to create the folder to dump	jvoisin

2017-12-01	Vastly simplify the dumping process	jvoisin

2017-11-30	Minor refactoring and clarification	jvoisin

2017-11-29	Code formatting pass on harden-rand	jvoisin

2017-11-29	Add new tests	jvoisin

2017-11-29	Hide an enum definition	jvoisin

2017-11-29	Code-formatting pass	jvoisin

2017-11-29	Add a comment, and improve a bit the performances wrt. vpatch	jvoisin
	Move the cheapest tests above the expensive ones
2017-11-29	Refactoring (#79)	jvoisin
	Refactoring of should_disable().
2017-11-29	Add yet an other test	jvoisin

2017-11-29	Add even MOAR tests	jvoisin

2017-11-29	Add a test for `include`	jvoisin

2017-11-29	Fix segfault in should_drop_on_ret	xXx-caillou-xXx
	This commit is almost the same than 8df77884f38e7a7334b56aafe2f441567f175af8
2017-11-29	Implement eval hooking	jvoisin
	It's not possible to hook the `eval` builtin like other functions.
2017-11-29	Fix segfault in sp_disabled_functions.c	xXx-caillou-xXx
	There was an off-by-one in `should_disable`, effectively smashing the last byte of the stack canary. This was discovered while building the package for Alpine Linux. Kudos to their hardened toolchain!
2017-11-27	Improve our nonce's randomness	jvoisin

2017-11-27	Initialize some possibly uninitialized variables	jvoisin
	Thanks to coverity
2017-11-24	Fix harden_rand (#72)	jvoisin
	This one was tricky. It was a great half-hour of joy, full of macros, ctags, gdb, radare2, tears, hardcoded `int3`, … to finally find that php calls `return` when it fails to parse some parameters for various reasons, even if everything goes fine. This must be a better way to do this, but this is good enough™ for now. This closes #66
2017-11-24	Implement anti csrf measures	xXx-caillou-xXx
	This is done by using the "samesite" cookie attribute.