1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
snuffleupagus (0.8.3) UNRELEASED; urgency=low
[ jvoisin ]
* Mix the stacktrace in the sha256 for the filename of .dump()
* Add the ability to dump the parameter passed to `eval`
* Add the ability to match on `eval`'s parameter
* Add optional extended checks for `readonly_exec`
* Add config error for ini rules with identical key
* Add disabled functions return type to config export
* Make it actually possible to configure sloppy comparison on latests PHP7
* Allow file:// prefix in include() wich readonly_exec mode
* Fix a possible crash when exporting function list
* Fix a minor memory leak when parsing cookie-related configuration
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Sat, 27 Aug 2022 17:30:00 +0200
snuffleupagus (0.8.2) UNRELEASED; urgency=low
[ jvoisin ]
* Fix compilation when ZTS is used
* Fix a possible infinite loop
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Sun, 20 Apr 2022 22:00:00 +0200
snuffleupagus (0.8.1) UNRELEASED; urgency=low
[ jvoisin ]
* Fix the version number
* Fix a test on PHP7
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Sun, 16 Apr 2022 19:45:00 +0200
snuffleupagus (0.8.0) UNRELEASED; urgency=low
[ jvoisin ]
* Compatibility with PHP8.1
* Check for unsupported PHP version
* Backport of Suhosin-ng patches:
* Maximum stack depth/recursion limit
* Maximum length for session id
* $_SERVER strip/encode
* Configuration dump
* Support for conditional rules
* INI settings protection
* Output SP logs to stderr
* Ported Suhosin rules to SP
* Massive simplification of the configuration parser
* Better memory management
* Removal of internal calls to `call_user_func`
* Increased portability of the default rules access different version of PHP
* Start SP as late as possible, to hook as many things as possible
* XML and Session support are now checked at runtime instead of at compile time
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Sun, 15 Apr 2022 18:00:00 +0200
snuffleupagus (0.7.1) UNRELEASED; urgency=low
[ jvoisin ]
* Fixed possible memory-leaks when hooking via regular expressions
* Modernise the code by removing usage of `strtok`
* Prevent a possible crash during configuration reloading
* Fix the default rules to catch dangerous `chmod` calls
* Improve compatibility with various `libpcre` configurations/versions
* Improve the default rules' compatibility with php8
* Prevent XXE in php8 as well
* Improve a bit the verbosity of the logs
* Add a rules file for php8
snuffleupagus (0.7.0) UNRELEASED; urgency=medium
[ jvoisin ]
* PHP8 support
* Stacktraces in dumps
* The `>` operator skips over functions
* PCRE2 is used when possible
* The `generate_rules.php` script is now more portable
* The strict mode is now disableable
snuffleupagus (0.6.0) UNRELEASED; urgency=medium
[ jvoisin ]
* More constification
* Snuffleupagus should now be able to get client's ip addresses in more cases
* Documented compatibility with Heroku
* Improved logging
* Added a couple of tests
[ wargio ]
* allow empty configurations
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Fri, 06 Nov 2020 17:45:00 +0200
snuffleupagus (0.5.1) UNRELEASED; urgency=medium
[ jvoisin ]
* Add support for syslog
* Improve OSX support
* Improve marginally of php8+ compatibility
* Improve php7.4 compatibility
* Improve the default ruleset
* Improve the documentation
* Improve the gitlab CI
-- jvoisin <julien.voisin+snuffleupagus@dustri.org> Sat, 20 Jun 2020 12:30:00 +0200
snuffleupagus (0.5.0) UNRELEASED; urgency=medium
[ kkadosh ]
* Tighten a bit a command-injection prevention rule in the default rules set
* Increased the portability of the testsuite
* Improved documentation
* Usual code cleanup
* Snuffleupagus will throw an informative error when compiled for PHP5
* Snuffleupagus will throw an informative error when compiled for PHP5
* The testsuite is now run on Alpine, Fedora, Debian and Ubuntu
* Some rules against now-known vulnerabilities/techniques were added
* PHP7.4 is fully supported, without any compilation warning
* Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine)
* Fix a compilation warning on FreeBSD
* Cookies hardening is now supported on PHP7.3+
-- kkadosh <snuffleupagus@nbs-system.com> Wed, 12 Jun 2019 16:40:00 +0200
snuffleupagus (0.4.1) UNRELEASED; urgency=medium
[ kkadosh ]
* Improve and clarify the documentation
* Add support for PHP7.3
* Improve the coverage, we have now reached 99% of coverage
* Improve the `mb_string` hooking logic
* The script that check uploaded file is now available in PHP
* Fix segfault on 32-bit for PHP7.3
* Fix segfault when using `sloppy_comparison` feature with array
-- kkadosh <snuffleupagus@nbs-system.com> Fri, 21 Dec 2018 11:50:00 +0200
snuffleupagus (0.4.0) UNRELEASED; urgency=medium
[ jvoisin ]
* Add the possibility to whitelist `stream wrappers`
* Snuffleupagus is now using php's logging mechanisms, instead of outputting its log directly into the syslog.
* PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.
* Significant code simplification for cookies handling
* Our `sloppy comparison` feature is now complete
* Snuffleupagus won't start with an invalid config anymore, except if the `sp.allow_broken_configuration` is set.
* It's now possible to place virtual-patches on the return value of user-defined functions.
* Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.
* Add some missing pieces of documentation and fix some links
* Fix the `make install` command
* Fix various compilation warnings
* Snuffleupagus is now running on platforms that aren't using the glibc
-- jvoisin <snuffleupagus@nbs-system.com> Fri, 31 Aug 2018 16:50:00 +0200
snuffleupagus (0.3.1) UNRELEASED; urgency=medium
* Disable XXE and harden PRNG by default
* Use SameSite on PHP's session cookie in the default rules
* Relax a bit what files can be included in the default rules
* Add the possibility to ignore files hashes when generating rules
* The filename filter is now accepting phar paths
* The harden rand_feature is not ignoring parameters anymore in function calls
* Fix possible crashes/hangs when using php-fpm's pools
* Fix an infinite loop on echo hook
* Fix an issue with filename filter
* Fix some documentation issues
* Fix the Arch Linux's PKGBUILD
-- he2ss <snuffleupagus@nbs-system.com> Tue, 20 Aug 2018 15:00:00 +0200
snuffleupagus (0.3.0) UNRELEASED; urgency=medium
* Session cookies can now be encrypted
* Some occurrences of type juggling can now be eradicated
* It's now possible to hook echo and print
* The .filename() filter is now matching on the file where the function is called instead on the one where it's defined.
* Vastly optimize the way native functions are hooked
* The format of the logs has been streamlined to ease their processing
* Better handling of filters for built-in functions
* Fix various possible integer overflows
* Fix an annoying memory leak
-- kkadosh <snuffleupagus@nbs-system.com> Tue, 17 Jul 2018 15:00:00 +0200
snuffleupagus (0.2.2) UNRELEASED; urgency=medium
* Add some assertions in the code
* The `.dump()` filter is now supported for `unserialize`, `readonly_exec`, and `eval` black/whitelist
* Add more rules examples
* Provide a script to check for malicious file uploads
* Significant performances improvement (at least +20%)
* Significantly improve the performances of our default rules set
* Our readme file is now shinier
* Minor code simplification
* Fix a crash related to variadic functions
-- jvoisin <snuffleupagus@nbs-system.com> Tue, 12 Mar 2018 10:00:00 +0200
snuffleupagus (0.2.1) UNRELEASED; urgency=medium
* The testsuite can now be successfully run as root
* Fix a double execution when snuffleupagus is used with some other extensions
* Fix an execution-context related crash
* Support PCRE2, since it's required for PHP7.3
* Improve a bit the portability of the code
* Minor code simplification
-- jvoisin <snuffleupagus@nbs-system.com> Tue, 07 Feb 2018 11:00:00 +0200
snuffleupagus (0.2.0) UNRELEASED; urgency=medium
* Glob support in `sp.configuration_file`
* Whitelist/blacklist functions in `eval`
* `phpinfo` shows is the configuration is valid or not
* Off-by-one in configuration parsing fixed
* Minor cookie-encryption related memory leaks fixes
* Various crashes fixes
* Configuration files with windows EOL are correctly handled
* General code clean-up
* Documentation overhaul
* Compilation on FreeBSD and CentOS
* Select which cookies to encrypt via regular expressions
* Match on return values from user-defined functions
* Simplification and clean up of our linked-list implementation
-- jvoisin <snuffleupagus@nbs-system.com> Tue, 18 Jan 2018 13:00:00 +0200
snuffleupagus (0.1.0) UNRELEASED; urgency=medium
* Initial release.
-- jvoisin <snuffleupagus@nbs-system.com> Tue, 04 Jul 2017 17:51:31 +0200
|
