| Age | Commit message | Author | |
|---|---|---|---|
| 2017-12-21 | Add coverage | slefevre | |
| 2017-12-21 | Refactor a bit | slefevre | |
| 2017-12-21 | Add test | slefevre | |
| 2017-12-21 | Remove the now useless `validate_str` function | xXx-caillou-xXx | |
| 2017-12-21 | Add test | slefevre | |
| 2017-12-21 | Rename, again, some types | jvoisin | |
| 2017-12-21 | Rename sp_node_t to sp_list_node | jvoisin | |
| Since we now have sp_list and sp_tree, it makes sense to specify that nodes are only for lists. | |||
| 2017-12-21 | Add some tests (#96) | xXx-caillou-xXx | |
| 2017-12-21 | Re-indent a bit a function | jvoisin | |
| 2017-12-21 | Add a constant-related test | jvoisin | |
| 2017-12-21 | Minor code cleanup | xXx-caillou-xXx | |
| 2017-12-20 | Refactor a bit the sp_tree implementation | xXx-caillou-xXx | |
| 2017-12-20 | Better parsing of the rules | xXx-caillou-xXx | |
| Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules. | |||
| 2017-12-20 | Improve the previous commit | xXx-caillou-xXx | |
| We can simply use the return value of the original `setcookie` :> | |||
| 2017-12-20 | Make `setcookie` return true | xXx-caillou-xXx | |
| We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, who effectively checks the return value. | |||
| 2017-12-19 | Fix a segfault related to cookies | xXx-caillou-xXx | |
| Apparently, PHP doesn't like when you're trying to save some memory when you're playing with strings. | |||
| 2017-12-19 | Rework a bit the order of operation | jvoisin | |
| - There is no need to generate the key if the cookie has no value - There is no need to generate the key if the cookie length is invalid - Use yoda condition | |||
| 2017-12-19 | remove useless var | slefevre | |
| 2017-12-19 | fix double decoding | slefevre | |
| 2017-12-18 | Fix cookie encryption | xXx-caillou-xXx | |
| Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested. | |||
| 2017-12-06 | Vastly simplify the dumping of zval in `.dump` | jvoisin | |
| 2017-12-06 | Fix a format string, thanks to coverity | jvoisin | |
| 2017-12-05 | Dump environment variables (#83) | jvoisin | |
| Apparently, PHP thinks that it's a great idea to type environment variables, because why not. | |||
| 2017-12-05 | Add two failing tests | jvoisin | |
| 2017-12-04 | Improve the `.dump` filter | jvoisin | |
| 2017-12-04 | Fix the configuration parser wrt. non-matching brackets | jvoisin | |
| This validation step is a bit idiotic, but we'll replace it with a proper parser anyway. | |||
| 2017-12-01 | Add a test that used to segfault | jvoisin | |
| 2017-12-01 | Fail sooner when not able to create the folder to dump | jvoisin | |
| 2017-12-01 | Vastly simplify the dumping process | jvoisin | |
| 2017-11-30 | Minor refactoring and clarification | jvoisin | |
| 2017-11-29 | Code formatting pass on harden-rand | jvoisin | |
| 2017-11-29 | Add new tests | jvoisin | |
| 2017-11-29 | Hide an enum definition | jvoisin | |
| 2017-11-29 | Code-formatting pass | jvoisin | |
| 2017-11-29 | Add a comment, and improve a bit the performance wrt. vpatch | jvoisin | |
| Move the cheapest tests above the expensive ones | |||
| 2017-11-29 | Refactoring (#79) | jvoisin | |
| Refactoring of should_disable(). | |||
| 2017-11-29 | Add yet another test | jvoisin | |
| 2017-11-29 | Add even MOAR tests | jvoisin | |
| 2017-11-29 | Add a test for `include` | jvoisin | |
| 2017-11-29 | Fix segfault in should_drop_on_ret | xXx-caillou-xXx | |
| This commit is almost the same as 8df77884f38e7a7334b56aafe2f441567f175af8 | |||
| 2017-11-29 | Implement eval hooking | jvoisin | |
| It's not possible to hook the `eval` builtin like other functions. | |||
| 2017-11-29 | Fix segfault in sp_disabled_functions.c | xXx-caillou-xXx | |
| There was an off-by-one in `should_disable`, effectively smashing the last byte of the stack canary. This was discovered while building the package for Alpine Linux. Kudos to their hardened toolchain! | |||
| 2017-11-27 | Improve our nonce's randomness | jvoisin | |
| 2017-11-27 | Initialize some possibly uninitialized variables | jvoisin | |
| Thanks to coverity | |||
| 2017-11-24 | Fix harden_rand (#72) | jvoisin | |
| This one was tricky. It was a great half-hour of joy, full of macros, ctags, gdb, radare2, tears, hardcoded `int3`, … to finally find that PHP calls `return` when it fails to parse some parameters for various reasons, even if everything goes fine. There must be a better way to do this, but this is good enough™ for now. This closes #66 | |||
| 2017-11-24 | Implement anti csrf measures | xXx-caillou-xXx | |
| This is done by using the "samesite" cookie attribute. | |||
| 2017-11-13 | Fix a silly warning | jvoisin | |
| 2017-11-06 | Add a failing test | jvoisin | |
| 2017-11-06 | 53 absolute path (#62) | jvoisin | |
| * Add error for relative path | |||
| 2017-10-31 | Add a test to match on array | jvoisin | |
