From 504f02992ace82a5520bc0ca43d9562c077a06e4 Mon Sep 17 00:00:00 2001 From: Thibault "bui" Koechlin Date: Sat, 31 Aug 2019 15:32:36 +0200 Subject: Support direct syslog logging Add the possibility to log directly into the syslog, instead of using php's log system.--- doc/source/config.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'doc/source') diff --git a/doc/source/config.rst b/doc/source/config.rst index 89e063f..4be8db7 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -81,6 +81,24 @@ This configuration variable contains parameters that are used by multiple featur - ``cookie_env_var``: A environment variable used as part of cookies encryption. See the :ref:`relevant documentation ` +log_media +^^^^^^^^^ + +This configuration variable allows to specify how logs should be written, +either via ``php`` or ``syslog``. + +:: + + sp.log_media("php"); + sp.log_media("syslog"); + +The default value for ``sp.log_media`` is ``php``, to respect the `principle of +least astonishment +`__. But since +it's `possible to modify php's logging system via php +`__, it's +heavily recommended to use the ``syslog`` option instead. + Bugclass-killer features ------------------------ -- cgit v1.3 From 484eb1b1039df425db46e16569aa68d74b5898b8 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 22 Oct 2019 22:51:59 +0200 Subject: Revamp a bit the FAQ --- doc/source/faq.rst | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) (limited to 'doc/source') diff --git a/doc/source/faq.rst b/doc/source/faq.rst index d8ca973..4974c70 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst 
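Review bot: the new ``log_media`` section states the security rationale only in passing ("it's possible to modify php's logging system via php"); it should say plainly why that matters: with ``php`` the log destination is under the control of the very code Snuffleupagus is protecting, so an attacker who already executes PHP can repoint or silence it at runtime (``error_log`` is a PHP_INI_ALL setting, changeable with ``ini_set()``), whereas ``syslog`` moves the destination out of the application's reach. It should also document which syslog facility and priority the entries are sent with, since operators need that to route them. Wording: "This configuration variable allows to specify" should read "allows you to specify", and "it's heavily recommended" reads better as "it is strongly recommended".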
@@ -41,20 +41,18 @@ Who are you and why did you write Snuffleupagus? We're working for `NBS System `__, a web hosting company (meaning that we're dealing with PHP code all day long), -with a strong focus on security. We do have hardening +with a strong focus on security. We do have several layers of hardening (`kernel `_, `WAF `_, -`IDS `_, etc) -below the web stack, but most of the time, when a website is compromised, -it can be to send ads, spam, deface it, steal data etc. -This is why we need to harden the website itself too, but we can't touch its -source code. +`IDS `_, etc), +but we had nothing for PHP7. + Why not Suhosin? """""""""""""""" We're huge fans of `Suhosin `_, unfortunately: -- it doesn't work very well on PHP 7 +- it doesn't work very well on PHP7 - it has some oudated features and misses new ones - it doesn't cope very well with our various industrialization needs - it has some shortcomings by design @@ -65,10 +63,11 @@ the `system `_ and is developed by the fine people from `NBS System `__. @@ -77,6 +76,18 @@ We chose the LGPL because we don't care that much how you're using Snuffleupagus but we'd like to force people to make their improvements/contributions available to everyone. + +What is the different between SNuffleupaugs and a (WAF) like ModSecurity? +""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" + +`ModSecurity `__ and the other `Web Application +Firewall (WAF) `__ are +working by inspecting the http traffic. Snuffleupagus being a PHP module, is +operating directly inside your website's code, with a lesser overhead, as well +as a better understanding of what is currently happening inside your +application. + + Should I use Snuffleupagus? """"""""""""""""""""""""""" 
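Review bot: the new heading "What is the different between SNuffleupaugs and a (WAF) like ModSecurity?" has two typos and a stray parenthesis; it should be "What is the difference between Snuffleupagus and a WAF like ModSecurity?", and its underline must then be re-sized to the new heading length. The answer needs the same care: "are working by inspecting the http traffic" should be "work by inspecting HTTP traffic", and "Snuffleupagus being a PHP module, is operating" should be "Snuffleupagus, being a PHP module, operates". The "lesser overhead" claim is asserted without any measurement; either qualify it or leave it out, and state the actual differentiator instead: a WAF only sees the request bytes, while a module inside the interpreter sees which function is called with which arguments after the application has decoded and transformed the input.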
@@ -113,6 +124,18 @@ is still a security issue, and should be treated as such. We don't have the pretension to state that Snuffleupagus will magically solve all your security issues, but we believe that it might definitely help. + +Sounds great, but is it working? +"""""""""""""""""""""""""""""""" + +We've been using it in production since a couple of years, and it thwarted +numerous known and unknown attacks. If you want some evidences, one of the +developer published in June 2019 a `blogpost +`__ +showcasing how efficient Snuffleupagus was versus *major* web +vulnerabilities from 2018/2019. + + Why should I send you bugs, security issues and patches? """"""""""""""""""""""""""""""""""""""""""""""""""""""""" Snuffleupagus is an open-source security software, by reporting (or fixing) -- cgit v1.3 From cb0f3890af39babaed06ca89a0a754e78babe341 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 24 Oct 2019 20:42:29 +0200 Subject: Update the "papers" section of the documentation --- doc/source/papers.rst | 64 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 51 insertions(+), 13 deletions(-) (limited to 'doc/source') diff --git a/doc/source/papers.rst b/doc/source/papers.rst index 5382012..be99ddb 100644 --- a/doc/source/papers.rst +++ b/doc/source/papers.rst 
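Review bot: grammar in the "Sounds great, but is it working?" answer: "since a couple of years" should be "for a couple of years", "some evidences" should be "some evidence", "one of the developer published" should be "one of the developers published", and "how efficient Snuffleupagus was versus" reads better as "how effective Snuffleupagus was against". "It thwarted numerous known and unknown attacks" is not verifiable as written; since the paragraph already points at the blog post, let the post carry the claim and say what it evaluates (the 2018/2019 vulnerabilities it lists) rather than adding an unsourced count.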
@@ -6,30 +6,68 @@ This pages lists various mentions, articles, usages and presentations about Snuf Talks ----- -- `BerlinSide0x08 `_ - `slides `__ - 2017-05-28 -- `Hack.lu 2017 `_ - `slides `__ - `video `__ - 2017-10-18 -- `BlackAlps `_ - `slides `__ - `video `__ - 2017-11-16 -- `Pass the Salt `_ - `slides `__ - `video `__ - 2018-07-03 -- `44con `__ - `slides `__ - 2018-09-12 +2017 +"""" + +- `BerlinSide0x08 `_ - `slides `__ +- `Hack.lu 2017 `_ - `slides `__ - `video `__ +- `BlackAlps `_ - `slides `__ - `video `__ + +2018 +"""" + +- `Pass the Salt `_ - `slides `__ - `video `__ +- `44con `__ - `slides `__ Mentions -------- -- `Intrinsec's blog - Hack.lu 2017 `__ (fr) - 2017-10-20 +2017 +"""" + +- `Habr - PHP-Дайджест № 118 – свежие новости, материалы и инструменты `__ (ru) - Habr +- `Intrinsec's blog - Hack.lu 2017 `__ (fr) - Intrinsec's blog - `Paragon Initiative Enterprises Blog - The 2018 Guide to Building Secure PHP Software `__ - 2017-12-12 -- `PhpStorm's blog - PHP Annotated Monthly `__ - 2018-08-31 + +2018 +"""" + +- `Habr - PHP-Дайджест № 138 `__ (ru) - Habr +- `PhpStorm's blog - PHP Annotated Monthly `__ - PhpStorm's blog + +2019 +"""" + +- `PhpStorm's blog - PHP Annotated `__ - PhpStorm's blog +- `Habr - PHP-Дайджест № 160 `__ (ru) - Habr Articles -------- -- `Killing php bug classes at berlinsides `_ - 2017-06-05 -- `Snuffleu…what? `_ - 2017-10-07 -- `How to harden AdwCleaner’s web backend using PHP `__ - 2017-12-06 -- `First release of Snuffleupagus `__ - 2017-12-21 -- `Snuffleupagus 0.3.0 - Dentalium elephantinum `__ - 2018-07-18 -- `Snuffleupagus version 0.3.0 - Dentalium elephantinum `__ (fr) - 2018-07-18 + +2017 +"""" + +- `Killing php bug classes at berlinsides `__ - dustri.org +- `Snuffleu…what? 
`__ - fr33tux.org +- `Behold the Snuffleupagus `__ - memze.ro +- `How to harden AdwCleaner’s web backend using PHP `__ - Malwarebyte's blog +- `First release of Snuffleupagus `__ - dustri.org + +2018 +"""" + +- `Snuffleupagus 0.3.0 - Dentalium elephantinum `__ - dustri.org +- `Snuffleupagus version 0.3.0 - Dentalium elephantinum `__ (fr) - LinuxFr + +2019 +"""" + +- `Проект Snuffleupagus развивает PHP-модуль для блокирования уязвимостей `__ (ru) - opennet.ru +- `What the f*ck is a Snuffleupagus? `__ - Living The Dream +- `Snuffleupagus: Open source security tool hardens PHP sites against cyber-attacks `__ - The Daily Swig Papers -- cgit v1.3 From d7b7a0d4e10d7b87b124889821b14e9858ed0a9c Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 4 Mar 2020 19:30:42 +0100 Subject: %s/nbs-system/jvoisin Since I'm the only one to maintain Snuffleupagus, let's adjust the links and contact addresses of my fork, to point to well… my fork. --- APKBUILD | 4 +- CONTRIBUTING.md | 20 ++++---- PKGBUILD | 4 +- debian/control | 6 +-- debian/copyright | 4 +- debian/watch | 2 +- doc/source/config.rst | 8 ++-- doc/source/debug.rst | 4 +- doc/source/download.rst | 8 ++-- doc/source/faq.rst | 55 +++++----------------- doc/source/installation.rst | 4 +- src/php_snuffleupagus.h | 2 +- src/sp_config_keywords.c | 2 +- src/sp_disabled_functions.c | 2 +- src/sp_upload_validation.c | 2 +- .../disabled_functions_drop_include.phpt | 2 +- ...disabled_functions_drop_include_simulation.phpt | 2 +- .../disabled_functions_variadic.phpt | 2 +- 18 files changed, 49 insertions(+), 84 deletions(-) (limited to 'doc/source') diff --git a/APKBUILD b/APKBUILD index b784e38..b3345f6 100644 --- a/APKBUILD +++ b/APKBUILD @@ -1,4 +1,4 @@ -# Maintainer: +# Maintained by Julien (jvoisin) Voisin pkgname="php7-snuffleupagus" _pkgname="snuffleupagus" pkgver=0.1 
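Review bot: regrouping the talks, mentions and articles by year drops the exact dates every entry carried before ("2017-05-28", "2017-10-18", "2018-07-03", ...), which is information the old list had and the new one does not; keep the date after the source name rather than discarding it. Several new entries also repeat the source twice ("`Habr - PHP-Дайджест № 118 ...`__ (ru) - Habr", "`Intrinsec's blog - Hack.lu 2017`__ (fr) - Intrinsec's blog"), "Malwarebyte's blog" should be "Malwarebytes' blog", and the 2017 "Mentions" list now mixes styles because the Paragon Initiative entry still ends with "2017-12-12" while its neighbours end with a source name.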
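Review bot: in APKBUILD, replacing "# Maintainer:" with "# Maintained by Julien (jvoisin) Voisin" drops the header format Alpine's tooling looks for; the conventional line is ``# Maintainer: Name <email>``, so keep the "Maintainer:" prefix and add an address. The same applies to the PKGBUILD hunk later in this patch, where Arch packaging also expects a ``# Maintainer:`` line.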
@@ -10,7 +10,7 @@ license="LGPL3" depends="php7-dev php7-fpm" source="" -_giturl="https://github.com/nbs-system/snuffleupagus.git" +_giturl="https://github.com/jvoisin/snuffleupagus.git" prepare() { default_prepare diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 88a3297..40ad357 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -6,9 +6,9 @@ First off, thank you for considering contributing to snuffleupagus. If you've noticed a bug or have a question, look at the [faq](https://snuffleupagus.readthedocs.io/faq.html) and -[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues) +[search the issue tracker](https://github.com/jvoisin/snuffleupagus/issues) to see if someone else has already created a ticket. If not, go ahead and -[make one](https://github.com/nbs-system/snuffleupagus/issues/new)! +[make one](https://github.com/jvoisin/snuffleupagus/issues/new)! ### 2. Fork & create a branch @@ -28,7 +28,7 @@ Just type `make coverage` or `make debug`, the testsuite should be run automatically. Please add tests if you're fixing a bug or adding a new feature: we do have a -[high coverage](https://coveralls.io/github/nbs-system/snuffleupagus?branch=master) +[high coverage](https://coveralls.io/github/jvoisin/snuffleupagus?branch=master) (functions, lines and branches), and intend to keep it that way. #### 3.3 Debugging failures in the test suite 
@@ -45,9 +45,9 @@ launching it, in order to run the failing test inside GDB. ### 4. Did you find a bug? * **Ensure the bug was not already reported** by - [searching all issues](https://github.com/nbs-system/snuffleupagus/issues?q=). + [searching all issues](https://github.com/jvoisin/snuffleupagus/issues?q=). * If you're unable to find an open issue addressing the problem, - [open a new one](https://github.com/nbs-system/snuffleupagus/issues/new). + [open a new one](https://github.com/jvoisin/snuffleupagus/issues/new). Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** or an **executable test case** demonstrating the expected behavior that is not @@ -67,7 +67,7 @@ At this point, you should switch back to your master branch and make sure it's up to date with our upstream master branch: ```sh -git remote add upstream git@github.com:nbs-system/snuffleupagus.git +git remote add upstream git@github.com:jvoisin/snuffleupagus.git git checkout master git pull upstream master ``` @@ -82,7 +82,7 @@ git push --set-upstream origin 325-kill-sql-injections Finally, go to GitHub and [make a Pull Request](https://help.github.com/articles/creating-a-pull-request) :D -Travis CI will [run our test suite](https://travis-ci.org/nbs-system/snuffleupagus) +Travis CI will [run our test suite](https://travis-ci.org/jvoisin/snuffleupagus) against all supported PHP versions. We care about quality, so your PR won't be merged until all tests pass. It's unlikely, but it's possible that your changes pass tests in one PHP version but fail in another. In that case, you'll have to 
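Review bot: the contribution workflow tells contributors to add the upstream remote over SSH (``git remote add upstream git@github.com:jvoisin/snuffleupagus.git``), which only works for people with an SSH key registered on GitHub; since this remote is only ever fetched from, the ``https://github.com/jvoisin/snuffleupagus.git`` form used elsewhere in this patch would work for everyone.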
@@ -121,7 +121,7 @@ Maintainers need to do the following to push out a release: 1. Make sure that all pending and mergeable pull requests are in 2. Close the corresponding - [milestone](https://github.com/nbs-system/snuffleupagus/milestones) + [milestone](https://github.com/jvoisin/snuffleupagus/milestones) 2. Run `valgrind` (by adding a `-m` after the `-q` in the Makefile) and check that everything is ok. Don't mind the python-related issues. 3. Update the `src/php_snuffleupagus.h` according to [semantic versioning](https://semver.org/) @@ -132,15 +132,13 @@ Maintainers need to do the following to push out a release: 8. Create a tag for the release: ```sh - git config user.signingkey 498C46FF087EDC36E7EAF9D445414A82A9B22D78 - git config user.email security@nbs-system.com git tag -s v$MAJOR.$MINOR.$PATCH -m "v$MAJOR.$MINOR.$PATCH" git push --tags git push origin master ``` 9. Build the debian package with `make debian` -10. Create the [release on github](https://github.com/nbs-system/snuffleupagus/releases) +10. Create the [release on github](https://github.com/jvoisin/snuffleupagus/releases) 11. Add the freshly built Debian package to the release 12. Publish a [tweet](https://twitter.com/sp_php) 13. Do the *secret release dance* diff --git a/PKGBUILD b/PKGBUILD index 9c7239e..8ef050d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,4 +1,4 @@ -# Maintainer NBS System Security Team +# Maintained by Julien (jvoisin) Voisin pkgname="snuffleupagus" pkgver=r169.424845a pkgrel=1 @@ -8,7 +8,7 @@ arch=('i686' 'x86_64') license=('LGPL3') depends=('php' 'php-fpm') checkdepends=() -source=("${pkgname}::git+https://github.com/nbs-system/${pkgname}.git") +source=("${pkgname}::git+https://github.com/jvoisin/${pkgname}.git") md5sums=('SKIP') pkgver() { diff --git a/debian/control b/debian/control index 5ec0480..bd9c361 100644 --- a/debian/control +++ b/debian/control 
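Review bot: the release procedure still runs ``git tag -s`` but the two lines that identified the signing key, ``git config user.signingkey 498C46FF087EDC36E7EAF9D445414A82A9B22D78`` and the ``security@nbs-system.com`` identity, are removed without a replacement, so the document no longer says which key signs release tags and downstream packagers have nothing to verify them against; state the new maintainer's key fingerprint here, or at least say where the key is published. While touching this list, the steps are numbered "1., 2., 2., 3.", so the second "2." (the valgrind step) should become "3." and the rest renumbered.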
@@ -1,11 +1,11 @@ Source: snuffleupagus Priority: optional -Maintainer: NBS System +Maintainer: Julien (jvoisin) Voisin Build-Depends: debhelper (>= 9), php7.0-dev | php7.1-dev | php7.2-dev Standards-Version: 4.1.3 -Homepage: https://snuffleupagus.fr +Homepage: https://github.com/jvoisin/snuffleupagus Section: php -Vcs-Git: https://github.com/nbs-system/snuffleupagus +Vcs-Git: https://github.com/jvoisin/snuffleupagus Package: snuffleupagus Architecture: any diff --git a/debian/copyright b/debian/copyright index a792452..af8f542 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Snuffleupagus -Upstream-Contact: NBS System -Source: https://github.com/nbs-system/snuffleupagus +Upstream-Contact: Julien (jvoisin) Voisin +Source: https://github.com/jvoisin/snuffleupagus Files: * Copyright: 2017 NBS System diff --git a/debian/watch b/debian/watch index 86028c7..2f88601 100644 --- a/debian/watch +++ b/debian/watch @@ -1,2 +1,2 @@ version=3 -https://github.com/nbs-system/snuffleupagus/tags /nbs-system/snuffleupagus/archive/snuffleupagus-([0-9.]+)\.tar\.(gz|xz|bz2) +https://github.com/jvoisin/snuffleupagus/tags /jvoisin/snuffleupagus/archive/snuffleupagus-([0-9.]+)\.tar\.(gz|xz|bz2) diff --git a/doc/source/config.rst b/doc/source/config.rst index 4be8db7..7691f89 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -199,8 +199,8 @@ argument and various information about it in the environment: This feature can be used, for example, to check if an uploaded file contains php code, using `vld `_, -via `a python script `__, -or `a php one `__. +via `a python script `__, +or `a php one `__. The upload will be **allowed** if the script returns the value ``0``. Every other value will prevent the file from being uploaded. 
@@ -342,7 +342,7 @@ For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**. because it'll match the deny first. If you're paranoid, we're providing a `php script -`__ +`__ to automatically generate hash of files containing dangerous functions, and blacklisting them everywhere else. @@ -358,7 +358,7 @@ It's currently not possible to: things like this, odds are that you're doing something wrong anyway. - Hooks on ``echo`` and on ``print`` are equivalent: there is no way to hook one without hooking the other, at least - `for now `__). + `for now `__). This is why hooked ``print`` will be displayed as ``echo`` in the logs. - Hook `strlen`, since in latest PHP versions, this function is usually optimized away by the compiled. diff --git a/doc/source/debug.rst b/doc/source/debug.rst index b339366..b2a1f28 100644 --- a/doc/source/debug.rst +++ b/doc/source/debug.rst @@ -18,7 +18,7 @@ We're using `php qa `__ tests format for our testsuite, it is automatically run when you're building snuffleupagus. If it happens to have unexpected failures (Since we're using `TDD `__ as much -as we can, we do have some expected failures), please do `open an issue `__ +as we can, we do have some expected failures), please do `open an issue `__ on our bugtracker, and attach the generated ``.diff`` and ``.out`` files to it, so we can see what's happening. @@ -27,7 +27,7 @@ Snuffleupagus is crashing While we do our very best to make snuffleupagus solid as possible, we're humans, and computers are hard, so crashes can happen. If you're encountering one in production, -please try to launch the `testsuite `__ +please try to launch the `testsuite `__ to see if it's failing. If it does, please :ref:`tell us `. If the testsuite is passing, odds are that you're encountering an issue tied to your php code, diff --git a/doc/source/download.rst b/doc/source/download.rst index dfe4768..fd61099 100644 --- a/doc/source/download.rst +++ b/doc/source/download.rst 
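Review bot: two context lines next to the rewritten URLs are worth fixing in the same pass: "to automatically generate hash of files containing dangerous functions, and blacklisting them everywhere else" should be "generate hashes of files ... and blacklist them", and "this function is usually optimized away by the compiled" should read "by the compiler".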
@@ -4,20 +4,20 @@ Download Arch Linux ---------- -We're providing a `PKGBUILD `__, +We're providing a `PKGBUILD `__, so you can build a package yourself. Alpine Linux ------------ -We're providing a `APKBUILD `__, +We're providing a `APKBUILD `__, so you can build a package yourself. Debian and Ubuntu ----------------- We're currently not providing a Debian/Ubuntu repository, -but you can grab the latest release on `github `__, +but you can grab the latest release on `github `__, or build your own package by cloning the source code and typing ``make debian``. Fedora @@ -39,4 +39,4 @@ We're currently using *github* as public code repository. :: - git clone https://github.com/nbs-system/snuffleupagus + git clone https://github.com/jvoisin/snuffleupagus diff --git a/doc/source/faq.rst b/doc/source/faq.rst index 4974c70..285f0c8 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst @@ -46,6 +46,8 @@ with a strong focus on security. We do have several layers of hardening `IDS `_, etc), but we had nothing for PHP7. +Nowadays, Snuffleupagus is maintained by Julien (jvoisin) Voisin. + Why not Suhosin? """""""""""""""" @@ -70,7 +72,8 @@ What license is Snuffleupagus released under and why? """"""""""""""""""""""""""""""""""""""""""""""""""""" Snuffleupagus is licensed under the `LGPL `_ -and is developed by the fine people from `NBS System `__. +was developed by the fine people from `NBS System `__, +and is maintained by Julien (jvoisin) Voisin. We chose the LGPL because we don't care that much how you're using Snuffleupagus, but we'd like to force people to make their improvements/contributions @@ -171,7 +174,7 @@ By checking the logs; Snuffleupagus systematically prefix them with ``[snuffleup Does Snuffleupagus run on Windows? """""""""""""""""""""""""""""""""" -No idea, feel free to `try `_. +No idea, feel free to `try `_. Does Snuggleupagus run on `HHVM `_? 
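Review bot: the rewritten licence sentence is ungrammatical: "Snuffleupagus is licensed under the `LGPL`_ was developed by the fine people from `NBS System`__, and is maintained by Julien (jvoisin) Voisin." needs a comma or "and" after the LGPL link, for example "is licensed under the LGPL, was developed by the fine people from NBS System, and is maintained by Julien (jvoisin) Voisin". The nearby heading "Does Snuggleupagus run on HHVM?" misspells the project name; it is an untouched context line but an easy fix while this file is being edited.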
@@ -204,46 +207,13 @@ discuss potential impact of the vulnerability, reference applicable patches or workarounds, and credit the discoverer. -Please send it us a mail to the ``security`` user, -on ``nbs-system.com``, using the gpg key -``498C46FF087EDC36E7EAF9D445414A82A9B22D78``: - -:: - - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mQENBFnKHhoBCADaOa0MKEqRy0h2ohIzczblzkMQCbU9oD1HwJ1VkYnn7TGW2iKi - NISxisExIXpy2Bn/pA27GiV0V/Do3NL6D9r0oOCrGR27muGM0N/dk9UMv7MWw8zv - K8cO+Sa28s0cAv7r2ogUJj5YOo8D4wHEpE8424TE89V9+Qg/SaFCxKoELFP0c7wu - mtsm0PnL65piZ1EB7lQo2gxg+8AV45MD1Y2rREMKUoZE23X+nXKsmEh9BFEPaU5M - 7WQp0NasqeMNoGhwfw9ttVAeLhkEkaTjW1PkNRIb7vrtV9KVb5uKucflfbOnDlzu - tQ9U3tYto0mcSCRchAClfEmoSi/0mKyb5N6ZABEBAAG0NVNlY3VyaXR5IHRlYW0g - b2YgTkJTIFN5c3RlbSA8c2VjdXJpdHlAbmJzLXN5c3RlbS5jb20+iQE3BBMBCAAh - BQJZyh4aAhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEEVBSoKpsi14jy0H - /1/XB9THhvmG0ow81sld2Zx8qhnNed8VvYDS6mEjpDWNVPxENwDbnakEjisq1Hrb - 2UQPYCyQ5dekPNFVwQHIGXkX0eb1Ank+4esBJuEpQ2985tgNhJy5ZX+Imb5C8nZC - 90uYSN1UUg559nUsFeElOXSEH6tIXK/TvjsvMYoi2Ukl6lb7PbIU2fjLY9Iqv3QY - 32p8/Bl1fVKWbXOk0HDgJ6zA3Kr56QhZOLBkxjOa2XAnnIE76jZxUJ9qPCwWd1vW - GFxtx1Y+eZriqHiC9CPe6aBWcIHaTXSu1WBbXrFu8/eCWw243Rxm8l9wgA/a7VWq - WBfO45IhJUwh95naRpw8/4a5AQ0EWcoeGgEIAJtzSyyzfn2RX+BsyoRFANUpIgrV - /9eohYQVNqK3AFthmq7Kjmt4+hszF5+0wCFmWwYqGnqk1/dsWmqpkXsJldEn6oPJ - Bng+Dc67Yki2dR3TroAf95UmI08fhyM7TMXp8m46BPRRMzPNwalEeEm49Oclmfxb - JsWWCChWVLWGz2xgPEAv3fPHqus7Rwz/WIl53l/qy1Wf0ewmjRpVEfnEMKBExtBK - 4kRxQ40LzUZ1SfpyGc3nMbswhevT7/klqrdJdCnlu67Y/IfRGxGZuNj1n1Dib3Hx - zTBHo3Y2R3BB93Ix8dkbLaxLqFbOYVdijCgJklqUWhx7btpQ2xnZyzyCMuUAEQEA - AYkBHwQYAQgACQUCWcoeGgIbDAAKCRBFQUqCqbIteFRvB/9u3Mae8n8ELrJKOn+P - PEbWjutObIuTplvY4QcbnNb9dsgsKryamp4CFJsA5XuitPpC31GDMXBZO5/LLOuH - HoMaXFJdic0NToL/3REhu+aZkNIU6S/iaPRNVhkSV4lwQsvncz+nBaiDUJjyfJm2 - kEjVcRTM8yqzcNo/9Gn0ts+XCUqRj7+S1M4Bj3NySoO/w2n+7OLbIAj+wQZcj3Gf - 5QhBYaY4YaFxrJE0IZxyXGHw8xhKR6AN+u4TO7LRCW+cWV/sHWir1MXieJoEG8+R - 
W/BhrB0Rz5uxOXMoGCCD2TUiHq7zpuHGnYFVmAnHQZaaQxXve4VrcmznxgpV8lpW - mZug - =+eIv - -----END PGP PUBLIC KEY BLOCK----- +Please do send a mail to [Julien (jvoisin) Voisin](https://dustri.org) should +you find a security issue. + I found a bug. How can I report it? """"""""""""""""""""""""""""""""""" -We do have an issue tracker on `Github `_. +We do have an issue tracker on `Github `_. Please make sure to include as much information as possible when reporting your issue, such as your operating system, your version of PHP 7, your version of Snuffleupagus, your logs, the problematic php code, the request, a brief description, … long story short, @@ -255,12 +225,9 @@ it's not that hard. Where can I find even more help? """""""""""""""""""""""""""""""" The :doc:`configuration page ` might be what you're looking for. -If you're adventurous, you can also check the `issue tracker `_ -(make sure to check the `closed issues `_ too). +If you're adventurous, you can also check the `issue tracker `_ +(make sure to check the `closed issues `_ too). -I need professional support for my company. -""""""""""""""""""""""""""""""""""""""""""" -Contact `NBS System `_. Unimplemented mitigations and abandoned ideas --------------------------------------------- diff --git a/doc/source/installation.rst b/doc/source/installation.rst index 74d5d4f..a6b0ff8 100644 --- a/doc/source/installation.rst +++ b/doc/source/installation.rst @@ -1,7 +1,7 @@ Installation ============ -Snuffleupagus is tested against `various PHP 7+ versions `_. +Snuffleupagus is tested against `various PHP 7+ versions `_. Manual installation ------------------- @@ -21,7 +21,7 @@ Quickstart :: - git clone https://github.com/nbs-system/snuffleupagus + git clone https://github.com/jvoisin/snuffleupagus cd snuffleupagus/src phpize ./configure --enable-snuffleupagus diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 0141a87..5a02e93 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h 
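Review bot: the replacement security-contact paragraph regresses on two counts. It uses Markdown link syntax, ``[Julien (jvoisin) Voisin](https://dustri.org)``, inside a reStructuredText file, so Sphinx will render the brackets and parentheses literally rather than as a link; use the `` `text <url>`__ `` form the rest of this file uses. More importantly, the old text gave an e-mail address and a PGP public key for reporting vulnerabilities, while the new text gives only a web site, so reporters have no confidential channel; add the maintainer's address together with a key fingerprint (or a link to where the key is published) so that the "discuss potential impact of the vulnerability" promise in the preceding paragraph can be kept in private.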
@@ -4,7 +4,7 @@ #define PHP_SNUFFLEUPAGUS_VERSION "0.5.0" #define PHP_SNUFFLEUPAGUS_EXTNAME "snuffleupagus" #define PHP_SNUFFLEUPAGUS_AUTHOR "NBS System" -#define PHP_SNUFFLEUPAGUS_URL "https://github.com/nbs-system/snuffleupagus" +#define PHP_SNUFFLEUPAGUS_URL "https://github.com/jvoisin/snuffleupagus" #define PHP_SNUFFLEUPAGUS_COPYRIGHT "LGPLv2" #include diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index aebe45c..c3a9c19 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -44,7 +44,7 @@ int parse_session(char *line) { "You're trying to use the session cookie encryption feature " "on line %zu without having session support statically built into PHP. " "This isn't supported, see " - "https://github.com/nbs-system/snuffleupagus/issues/278 for details.", + "https://github.com/jvoisin/snuffleupagus/issues/278 for details.", sp_line_no); pefree(session, 0); return -1; diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 9e64993..4807955 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -361,7 +361,7 @@ static void should_disable(zend_execute_data* execute_data, sp_log_warn( "disable_function", "Snuffleupagus doesn't support variadic functions yet, sorry. " - "Check https://github.com/nbs-system/snuffleupagus/issues/164 for " + "Check https://github.com/jvoisin/snuffleupagus/issues/164 for " "details."); } else if (false == is_param_matching( execute_data, config_node, builtin_param, diff --git a/src/sp_upload_validation.c b/src/sp_upload_validation.c index ee19df9..54b0481 100644 --- a/src/sp_upload_validation.c +++ b/src/sp_upload_validation.c 
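Review bot: the header hunk updates ``PHP_SNUFFLEUPAGUS_URL`` but leaves ``PHP_SNUFFLEUPAGUS_AUTHOR "NBS System"`` and, two lines below, ``PHP_SNUFFLEUPAGUS_COPYRIGHT "LGPLv2"``; the packaging files in this same patch say ``license="LGPL3"`` (APKBUILD) and ``license=('LGPL3')`` (PKGBUILD), and the FAQ says LGPL, so the licence string compiled into the extension contradicts the packaging metadata. Since this is the commit that re-homes the project, it is the natural place to make the author and licence constants agree with the rest of the tree.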
@@ -15,7 +15,7 @@ int sp_rfc1867_callback_win(unsigned int event, void *event_data, void **extra) { sp_log_msg("upload_validation", SP_LOG_SIMULATION, "The upload validation doesn't work for now on Windows yet, " - "see https://github.com/nbs-system/snuffleupagus/issues/248 for " + "see https://github.com/jvoisin/snuffleupagus/issues/248 for " "details."); return SUCCESS; } diff --git a/src/tests/disable_function/disabled_functions_drop_include.phpt b/src/tests/disable_function/disabled_functions_drop_include.phpt index e18dd73..ba1c955 100644 --- a/src/tests/disable_function/disabled_functions_drop_include.phpt +++ b/src/tests/disable_function/disabled_functions_drop_include.phpt @@ -1,5 +1,5 @@ --TEST-- -Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +Disable function, bug : https://github.com/jvoisin/snuffleupagus/issues/181 --SKIPIF-- --INI-- diff --git a/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt b/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt index 07c3e98..1b13915 100644 --- a/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt +++ b/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt @@ -1,5 +1,5 @@ --TEST-- -Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +Disable function, bug : https://github.com/jvoisin/snuffleupagus/issues/181 --SKIPIF-- --INI-- diff --git a/src/tests/disable_function/disabled_functions_variadic.phpt b/src/tests/disable_function/disabled_functions_variadic.phpt index 5bace63..32b6b0e 100644 --- a/src/tests/disable_function/disabled_functions_variadic.phpt +++ b/src/tests/disable_function/disabled_functions_variadic.phpt 
@@ -13,6 +13,6 @@ function foo(...$b) { echo foo(5, 4, 3, 2, 1); ?> --EXPECTF-- -Warning: [snuffleupagus][0.0.0.0][disable_function] Snuffleupagus doesn't support variadic functions yet, sorry. Check https://github.com/nbs-system/snuffleupagus/issues/164 for details. in %a/disabled_functions_variadic.php on line %d +Warning: [snuffleupagus][0.0.0.0][disable_function] Snuffleupagus doesn't support variadic functions yet, sorry. Check https://github.com/jvoisin/snuffleupagus/issues/164 for details. in %a/disabled_functions_variadic.php on line %d Fatal error: [snuffleupagus][0.0.0.0][disabled_function] Aborted execution on call of the function 'foo' in %a/disabled_functions_variadic.php on line %d -- cgit v1.3 From ced22b18a43bd33e65aca84b721b09136e5bb385 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 9 Mar 2020 15:13:06 +0100 Subject: Mention Synacktiv's latest talk --- doc/source/papers.rst | 3 +++ 1 file changed, 3 insertions(+) (limited to 'doc/source') diff --git a/doc/source/papers.rst b/doc/source/papers.rst index be99ddb..1007eaf 100644 --- a/doc/source/papers.rst +++ b/doc/source/papers.rst @@ -19,6 +19,9 @@ Talks - `Pass the Salt `_ - `slides `__ - `video `__ - `44con `__ - `slides `__ +2020 +"""" +- `Modern PHP security - sec4dev 2020, Vienna - Synacktiv `__ - `sec4dev 2020 `__ Mentions -------- -- cgit v1.3 From 94620108d3dbdb8c2fd11fbf8dbe12bba321ee72 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 1 Apr 2020 17:09:36 +0200 Subject: Document why SP doesn't provide a `.nop` action --- doc/source/faq.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'doc/source') diff --git a/doc/source/faq.rst b/doc/source/faq.rst index 285f0c8..3c09409 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst 
@@ -245,3 +245,19 @@ if someone can manage to get better results than us. The possibility of having this natively in PHP has `been discussed `_, but as 2017, nothing has been merged yet. + +Nop'ing function execution +"""""""""""""""""""""""""" + +Snuffleupagus can be configured to either *allow* or *drop* the execution of +particular functions and optionally *log* and *dump* them, but it doesn't +provide any mechanism to *nop* their execution. + +We thought about adding this, but didn't for several reasons: + +- What should the return value of a *nop'ed* function be? +- It would add confusion between ``drop``, ``nop`` and ``log``. +- Usually, when a specific function is called, either it's a dangerous one + and you want to stop the execution immediately, or you want to let it + continue and log it. There isn't really any middle-ground, or at least we + failed to find any. -- cgit v1.3 From bcc28c55c36fefc9daa03837f86fdf72b496ac5c Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 3 Apr 2020 11:21:34 +0200 Subject: Add cPanel to the list of users --- doc/source/papers.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'doc/source') diff --git a/doc/source/papers.rst b/doc/source/papers.rst index 1007eaf..91be4d4 100644 --- a/doc/source/papers.rst +++ b/doc/source/papers.rst @@ -88,3 +88,4 @@ Notable users - `Oceanet Technology `__ - a French hosting company - `SwissCenter `__ - a Swiss datacenter & web hosting company - `Toolslib `__ - an `Alexa top 10k `__ website +- `cPanel `__ - one of the most popular web hosting control panel -- cgit v1.3 From 8deedf62c8486bd2987e5fe144830785224ba4ca Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 3 Apr 2020 15:23:12 +0200 Subject: Add an other article mentioning Snuffleupagus --- doc/source/papers.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'doc/source') diff --git a/doc/source/papers.rst b/doc/source/papers.rst index 91be4d4..3d5e42a 100644 --- a/doc/source/papers.rst +++ b/doc/source/papers.rst 
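Review bot: the "Nop'ing function execution" answer describes the available behaviours as "*allow* or *drop* ... and optionally *log* and *dump*", but the configuration reference uses ``allow()``, ``drop()`` and ``dump()`` on the ``disable_function`` directive and logs every match regardless; using the directive's own names here would let readers map the FAQ onto the reference. The untouched context line just above, "but as 2017, nothing has been merged yet", should read "as of 2017".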
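Review bot: in the "Notable users" addition, "one of the most popular web hosting control panel" should be "panels"; the neighbouring entries describe what each user is ("a French hosting company", "a Swiss datacenter & web hosting company") without a superlative, so "a web hosting control panel" would match the list's style and avoid an unsourced claim.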
@@ -58,6 +58,7 @@ Articles - `Behold the Snuffleupagus `__ - memze.ro - `How to harden AdwCleaner’s web backend using PHP `__ - Malwarebyte's blog - `First release of Snuffleupagus `__ - dustri.org +- `PHP Magazine `__ - phpmagazine.net 2018 """" -- cgit v1.3 From a205f438dbc9a498d4cad31a54e50b63007d4ef2 Mon Sep 17 00:00:00 2001 From: Travis Paul Date: Tue, 14 Apr 2020 17:27:15 +0800 Subject: Typofix s/than/that/ --- doc/source/features.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/source') diff --git a/doc/source/features.rst b/doc/source/features.rst index 407b9c7..3f40120 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -444,7 +444,7 @@ or ``is_callable`` with *suspicious* parameters. Some PHP applications are using broad rights when using the ``chmod`` function, like the infamous ``chmod(777)`` command, effectively making the file writable by everyone. Snuffleupagus is preventing this kind of behaviour by restricting the parameters -than can be passed to ``chmod``. +that can be passed to ``chmod``. Arbitrary file inclusion hardening """""""""""""""""""""""""""""""""" -- cgit v1.3 From 47d25cea2b34f8dc214a8aa5f748c5efe6455b96 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 7 Jun 2020 21:20:57 +0200 Subject: Fix a link in the documentation Instead of linking to an intermediary page, link directly to the cookie's one. --- doc/source/features.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/source') diff --git a/doc/source/features.rst b/doc/source/features.rst index 3f40120..0c23dc1 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst 
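Review bot: the new entry "`PHP Magazine`__ - phpmagazine.net" has no article title, while every other line in this list is "`title`__ - source"; add the title of the piece so the entry says what was written, and drop the duplicated source name.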
@@ -73,7 +73,7 @@ Like *Suhosin*, we are encrypting the cookies with a secret key, an environment variable (usually the IP of the user) and the user's user-agent. This means that an attacker with an XSS won't be able to use the stolen cookie, since he can't spoof the content of the value of the environment -variable for the user. Please do read the :ref:`documentation about this feature ` +variable for the user. Please do read the :ref:`documentation about this feature ` if you're planning to use it. This feature is roughly the same than the `Suhosin one `_. -- cgit v1.3 From 7f9602ebc23582195d63eb35f1de1961297f2e00 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 9 Jun 2020 19:38:26 +0200 Subject: Improve the documentation wrt. "modifiers" --- doc/source/config.rst | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'doc/source') diff --git a/doc/source/config.rst b/doc/source/config.rst index 7691f89..91e085c 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -254,8 +254,11 @@ blacklisted, it'll be allowed. Virtual-patching ---------------- -Snuffleupagus provides virtual-patching via the ``disable_function`` directive, allowing you to stop or control dangerous behaviours. -In the situation where you have a call to ``system()`` that lacks proper user-input validation, this could cause issues as it would lead to an **RCE**. The virtual-patching would allow this to be prevented. +Snuffleupagus provides virtual-patching via the ``disable_function`` directive, +allowing you to stop or control dangerous behaviours. In the situation where +you have a call to ``system()`` that lacks proper user-input validation, this +could cause issues as it would lead to an **RCE**. The virtual-patching would +allow this to be prevented. :: 
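Review bot: the link fix is fine, but the surrounding paragraph deserves two caveats while it is being edited. The statement that "an attacker with an XSS won't be able to use the stolen cookie, since he can't spoof the content of the value of the environment variable" holds only as far as that variable does: when it is the client IP, as the text says is usual, an attacker behind the same NAT or proxy as the victim presents the same value, and an XSS can in any case issue requests from the victim's browser, where the cookie is sent unchanged. Also "This feature is roughly the same than the Suhosin one" should read "the same as".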
@@ -305,8 +308,14 @@ The ``type`` must be one of the following values: Actions ^^^^^^^ +Every rule *must* have one action. + - ``allow()``: **allow** the request if the rule matches - ``drop()``: **drop** the request if the rule matches + +Modifications +^^^^^^^^^^^^^ + - ``dump(directory)``: dump the request in the ``directory`` if it matches the rule - ``simulation()``: enabled the simulation mode -- cgit v1.3
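Review bot: "Every rule *must* have one action" should say *exactly one*, since ``allow()`` and ``drop()`` are alternatives and the text earlier on this page already calls their presence mandatory. The new "Modifications" heading does not match the commit message, which calls them "modifiers"; "Modifiers" is the better term, since they change what an action does rather than being modifications themselves, and the section should state that they are optional and may be combined with either action. The item "``simulation()``: enabled the simulation mode" should read "enables".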