Changelog
=========
0.9.0 - `Elephant seal <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.9.0>`__ 2023/01/03
---------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* Compatibility with PHP8.2
* Add the ability to block object unserialization globally
0.8.3 - `Elephant Gambit <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.3>`__ 2022/08/27
-----------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* Add the ability to dump the parameter passed to `eval`
* Add the ability to match on `eval`'s parameter
* Add optional extended checks for `readonly_exec`
* Add config error for ini rules with identical key
* Add disabled functions return type to config export
Breaking Changes
^^^^^^^^^^^^^^^^
* Mix the stacktrace into the sha256 used for the filename of ``.dump()``
Bug fixes
^^^^^^^^^
* Make it actually possible to configure sloppy comparison on the latest PHP 7 releases
* Allow the ``file://`` prefix in ``include()`` with ``readonly_exec`` mode
* Fix a possible crash when exporting function list
* Fix a minor memory leak when parsing cookie-related configuration
0.8.2 - `Surus <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.2>`__ 2022/05/20
-------------------------------------------------------------------------------------------
Bug fixes
^^^^^^^^^
* Fix compilation when ZTS is used
* Fix a possible infinite loop
0.8.1 - `Batyr <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.1>`__ 2022/05/16
-------------------------------------------------------------------------------------------
Bug fixes
^^^^^^^^^
* Fix the version number
* Fix a test on PHP7
Breaking Changes
^^^^^^^^^^^^^^^^
* `disable_xxe` is changed to `xxe_protection`
0.8.0 - `Woolly Mammoth <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.0>`__ 2022/05/15
-----------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* Compatibility with PHP8.1
* Check for unsupported PHP version
* Backport of Suhosin-ng patches:

  * Maximum stack depth/recursion limit
  * Maximum length for session id
  * $_SERVER strip/encode
  * Configuration dump
  * Support for conditional rules
  * INI settings protection
  * Output SP logs to stderr
  * Ported Suhosin rules to SP

Improvements
^^^^^^^^^^^^
* Massive simplification of the configuration parser
* Better memory management
* Removal of internal calls to `call_user_func`
* Increased portability of the default rules across different versions of PHP
* Start SP as late as possible, to hook as many things as possible
Bug fixes
^^^^^^^^^
* XML and Session support are now checked at runtime instead of at compile time
0.7.1 - `Proboscidea <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.7.1>`__ 2021/08/02
-------------------------------------------------------------------------------------------------
Improvements
^^^^^^^^^^^^
* Improve compatibility with various `libpcre` configurations/versions
* Modernise the code by removing usage of `strtok`
* Improve the default rules' compatibility with php8
* Prevent XXE in php8 as well
* Slightly improve the verbosity of the logs
* Add a rules file for php8
Bug fixes
^^^^^^^^^
* Prevent a possible crash during configuration reloading
* Fix the default rules to catch dangerous `chmod` calls
* Fix possible memory leaks when hooking via regular expressions
0.7.0 - `Los Elefantes <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.7.0>`__ 2021/01/02
---------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* PHP8 support
* Stacktraces in dumps
* The ``>`` operator now skips over functions
Improvements
^^^^^^^^^^^^
* Move the CI from travis to gitlab-ci
* Some code simplifications and constifications
* PCRE2 is now used when possible
* The ``generate_rules.php`` script is now more portable
Bug fixes
^^^^^^^^^
* The strict mode can now be disabled
0.6.0 - `Elephant in the room <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.6.0>`__ 2020/11/06
----------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* Allow empty configurations
Improvements
^^^^^^^^^^^^
* More constification
* Snuffleupagus should now be able to get clients' IP addresses in more cases
* Documented compatibility with Heroku
* Improved logging
* Added a couple of tests
0.5.1 - `Order of the Elephant <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.5.1>`__ 2020/06/20
-----------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
* Add support for syslog
Improvements
^^^^^^^^^^^^
* Improve OSX support
* Marginally improve PHP 8+ compatibility
* Improve php7.4 compatibility
* Improve the default ruleset
* Improve the documentation
* Improve the gitlab CI
0.5.0 - `Elephant Flats <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.5.0>`__ 2019/06/12
----------------------------------------------------------------------------------------------------
Improvements
^^^^^^^^^^^^
- Slightly tighten a command-injection prevention rule in the default rule set
- Increased the portability of the testsuite
- Improved documentation
- Usual code cleanup
- Snuffleupagus will throw an informative error when compiled for PHP5
- Snuffleupagus will throw an informative error when compiled without PCRE support
- The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
- Added some rules against now-known vulnerabilities/techniques
Bug fixes
^^^^^^^^^
- PHP7.4 is fully supported, without any compilation warning
- Snuffleupagus can now be used with a PHP that was compiled without built-in session support (as is the case on Alpine)
- Fix a compilation warning on FreeBSD
- Cookies hardening is now supported on PHP7.3+
0.4.1 - `Loxodonta <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.4.1>`__ 2018/12/21
-----------------------------------------------------------------------------------------------
Improvements
^^^^^^^^^^^^
- Improve and clarify the documentation
- Add support for PHP7.3
- Improve test coverage, which has now reached 99%
- Improve the `mb_string` hooking logic
- The script that checks uploaded files is now available in PHP
Bug fixes
^^^^^^^^^
- Fix segfault on 32-bit for PHP7.3
- Fix segfault when using `sloppy_comparison` feature with array
0.4.0 - `Oliphant Chuckerbutty <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.4.0>`__ 2018/08/31
-----------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
- Add the possibility to whitelist `stream
wrappers <https://secure.php.net/manual/en/intro.stream.php>`__
- Snuffleupagus is now using php's logging mechanisms, instead of
outputting its log directly into the syslog.
- PHP is now prevented from ever disabling certificate verification
thanks to a few lines in our default configuration.
Improvements
^^^^^^^^^^^^
- Significant code simplification for cookies handling
thanks to `Remi Collet <http://famillecollet.com>`__
- Our ``sloppy comparison`` feature is now complete
- Snuffleupagus won't start with an invalid config anymore,
except if the ``sp.allow_broken_configuration`` is set.
- It's now possible to place virtual-patches on the return value
of user-defined functions.
- Since Snuffleupagus is used by more and more organisations,
we added a bunch of them in our propaganda page.
Bug fixes
^^^^^^^^^
- Add some missing pieces of documentation and fix some links
- Fix the ``make install`` command
- Fix various compilation warnings
- Snuffleupagus is now running on platforms that aren't using
the glibc, thanks to an external contributor `Antoine Tenart
<https://ack.tf>`__
0.3.1 - `Elephant Arch <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.3.1>`__ 2018/08/20
---------------------------------------------------------------------------------------------------
Improvements
^^^^^^^^^^^^
- Disable XXE and harden PRNG by default
- Use ``SameSite`` on PHP's session cookie in the default rules
- Relax a bit what files can be included in the default rules
- Add the possibility to ignore files hashes when generating rules
- The ``filename`` filter is now accepting phar paths
Bug fixes
^^^^^^^^^
- The ``harden_random`` feature no longer ignores the parameters of hooked function calls
- Fix possible crashes/hangs when using php-fpm's pools
- Fix an infinite loop on ``echo`` hook
- Fix an issue with ``filename`` filter
- Fix some documentation issues
- Fix the Arch Linux's PKGBUILD
0.3.0 - `Dentalium elephantinum <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.3.0>`__ 2018/07/17
------------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
- Session cookies can now be `encrypted <https://github.com/jvoisin/snuffleupagus/pull/178>`__
- Some occurrences of `type juggling <https://github.com/jvoisin/snuffleupagus/pull/186>`__ can now be eradicated
- It's `now possible <https://github.com/jvoisin/snuffleupagus/pull/187>`__ to hook `echo` and `print`
Improvements
^^^^^^^^^^^^
- The `.filename()` filter is `now matching <https://github.com/jvoisin/snuffleupagus/pull/167>`__ on the file where the function is called instead of on the one where it's defined.
- Vastly `optimize <https://github.com/jvoisin/snuffleupagus/issues/166>`__ the way we hook native functions
- The format of the logs has been streamlined to ease their processing
Bug fixes
^^^^^^^^^
- Better handling of filters for built-in functions
- Fix various possible integer overflows
- Fix an `annoying memory leak <https://github.com/jvoisin/snuffleupagus/issues/192#issuecomment-404538124>`__ impacting mostly `mod_php`
0.2.2 - `Elephant Moraine <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.2.2>`__ 2018/04/12
------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
- The `.dump()` filter is now supported for `unserialize`, `readonly_exec`, and `eval` black/whitelist
Improvements
^^^^^^^^^^^^
- Add some assertions
- Add more rules examples
- Provide a script to check for malicious file uploads
- Significant performance improvement (at least +20%)
- Significantly improve the performance of our default rule set
- Our readme file is now shinier
- Minor code simplification
Bug fixes
^^^^^^^^^
- Fix a crash related to variadic functions
0.2.1 - `Elephant Point <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.2.1>`__ 2018/02/07
----------------------------------------------------------------------------------------------------
Bug fixes
^^^^^^^^^
- The testsuite can now be successfully run as root
- Fix a double execution when snuffleupagus is used with some other extensions
- Fix an execution-context related crash
Improvements
^^^^^^^^^^^^
- Support PCRE2, since it's `required for PHP7.3 <https://wiki.php.net/rfc/pcre2-migration>`__
- Improve a bit the portability of the code
- Minor code simplification
0.2.0 - `Elephant Rally <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.2.0>`__ 2018/01/18
------------------------------------------------------------------------------------------------------
New features
^^^^^^^^^^^^
- `Glob <https://en.wikipedia.org/wiki/Glob_%28programming%29>`__ support in ``sp.configuration_file``
- Whitelist/blacklist functions in ``eval``
- ``phpinfo`` shows if the configuration is valid or not
Bug fixes
^^^^^^^^^
- Fix an off-by-one in configuration parsing
- Fix minor cookie-encryption related memory leaks
- Fix various crashes spotted by `fr33tux <https://fr33tux.org/>`__
- Configuration files with Windows line endings are now correctly handled
Improvements
^^^^^^^^^^^^
- General code clean-up
- Documentation overhaul
- Compilation on FreeBSD and CentOS
- Select which cookies to encrypt via regular expressions
- Match on return values from user-defined functions
External contributions
^^^^^^^^^^^^^^^^^^^^^^
- Simplification and clean up of our linked-list implementation by `smagnin <https://github.com/smagnin>`__
0.1.0 - `Mighty Mammoth <https://github.com/jvoisin/snuffleupagus/releases/tag/v0.1.0>`__ 2017/12/21
------------------------------------------------------------------------------------------------------
- Initial release