snuffleupagus (0.4.0) UNRELEASED; urgency=medium * Add the possibility to whitelist `stream wrappers` * Snuffleupagus is now using php's logging mechanisms, instead of outputting its log directly into the syslog. * PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration. * Significant code simplification for cookies handling * Our `sloppy comparison` feature is now complete * Snuffleupagus won't start with an invalid config anymore, except if the `sp.allow_broken_configuration` is set. * It's now possible to place virtual-patches on the return value of user-defined functions. * Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page. * Add some missing pieces of documentation and fix some links * Fix the `make install` command * Fix various compilation warnings * Snuffleupagus is now running on platforms that aren't using the glibc -- jvoisin Fri, 31 Aug 2018 16:50:00 +0200 snuffleupagus (0.3.1) UNRELEASED; urgency=medium * Disable XXE and harden PRNG by default * Use SameSite on PHP's session cookie in the default rules * Relax a bit what files can be included in the default rules * Add the possibility to ignore files hashes when generating rules * The filename filter is now accepting phar paths * The harden rand_feature is not ignoring parameters anymore in function calls * Fix possible crashes/hangs when using php-fpm's pools * Fix an infinite loop on echo hook * Fix an issue with filename filter * Fix some documentation issues * Fix the Arch Linux's PKGBUILD -- he2ss Tue, 20 Aug 2018 15:00:00 +0200 snuffleupagus (0.3.0) UNRELEASED; urgency=medium * Session cookies can now be encrypted * Some occurrences of type juggling can now be eradicated * It's now possible to hook echo and print * The .filename() filter is now matching on the file where the function is called instead on the one where it's defined. * Vastly optimize the way native functions are hooked * The format of the logs has been streamlined to ease their processing * Better handling of filters for built-in functions * Fix various possible integer overflows * Fix an annoying memory leak -- kkadosh Tue, 17 Jul 2018 15:00:00 +0200 snuffleupagus (0.2.2) UNRELEASED; urgency=medium * Add some assertions in the code * The `.dump()` filter is now supported for `unserialize`, `readonly_exec`, and `eval` black/whitelist * Add more rules examples * Provide a script to check for malicious file uploads * Significant performances improvement (at least +20%) * Significantly improve the performances of our default rules set * Our readme file is now shinier * Minor code simplification * Fix a crash related to variadic functions -- jvoisin Tue, 12 Mar 2018 10:00:00 +0200 snuffleupagus (0.2.1) UNRELEASED; urgency=medium * The testsuite can now be successfully run as root * Fix a double execution when snuffleupagus is used with some other extensions * Fix an execution-context related crash * Support PCRE2, since it's required for PHP7.3 * Improve a bit the portability of the code * Minor code simplification -- jvoisin Tue, 07 Feb 2018 11:00:00 +0200 snuffleupagus (0.2.0) UNRELEASED; urgency=medium * Glob support in `sp.configuration_file` * Whitelist/blacklist functions in `eval` * `phpinfo` shows is the configuration is valid or not * Off-by-one in configuration parsing fixed * Minor cookie-encryption related memory leaks fixes * Various crashes fixes * Configuration files with windows EOL are correctly handled * General code clean-up * Documentation overhaul * Compilation on FreeBSD and CentOS * Select which cookies to encrypt via regular expressions * Match on return values from user-defined functions * Simplification and clean up of our linked-list implementation -- jvoisin Tue, 18 Jan 2018 13:00:00 +0200 snuffleupagus (0.1.0) UNRELEASED; urgency=medium * Initial release. -- jvoisin Tue, 04 Jul 2017 17:51:31 +0200