Changelog
=========

0.3.1 - `Elephant Arch <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.1>`__ 2018/08/20
------------------------------------------------------------------------------------------------------

Improvements
^^^^^^^^^^^^

- Disable XXE and harden the PRNG by default
- Use ``SameSite`` on PHP's session cookie in the default rules
- Relax a bit which files may be included in the default rules
- Add the possibility to ignore file hashes when generating rules
- The ``filename`` filter now accepts phar paths

Bug fixes
^^^^^^^^^

- The ``harden_random`` feature no longer ignores parameters in function calls
- Fix possible crashes/hangs when using php-fpm's pools
- Fix an infinite loop in the ``echo`` hook
- Fix an issue with the ``filename`` filter
- Fix some documentation issues
- Fix the Arch Linux PKGBUILD

0.3.0 - `Dentalium elephantinum <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.0>`__ 2018/07/17
---------------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- Session cookies can now be `encrypted <https://github.com/nbs-system/snuffleupagus/pull/178>`__
- Some occurrences of `type juggling <https://github.com/nbs-system/snuffleupagus/pull/186>`__ can now be eradicated
- It's `now possible <https://github.com/nbs-system/snuffleupagus/pull/187>`__ to hook ``echo`` and ``print``

Improvements
^^^^^^^^^^^^

- The ``.filename()`` filter is `now matching <https://github.com/nbs-system/snuffleupagus/pull/167>`__ on the file where the function is called instead of the one where it's defined
- Vastly `optimized <https://github.com/nbs-system/snuffleupagus/issues/166>`__ the way native functions are hooked
- The log format has been streamlined to ease processing

Bug fixes
^^^^^^^^^

- Better handling of filters for built-in functions
- Fix various possible integer overflows
- Fix an `annoying memory leak <https://github.com/nbs-system/snuffleupagus/issues/192#issuecomment-404538124>`__ mostly impacting ``mod_php``

0.2.2 - `Elephant Moraine <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.2>`__ 2018/04/12
---------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- The ``.dump()`` filter is now supported for ``unserialize``, ``readonly_exec``, and the ``eval`` blacklist/whitelist

Improvements
^^^^^^^^^^^^

- Add some assertions
- Add more rule examples
- Provide a script to check for malicious file uploads
- Significant performance improvement (at least +20%)
- Significantly improve the performance of the default rule set
- Our readme file is now shinier
- Minor code simplification

Bug fixes
^^^^^^^^^

- Fix a crash related to variadic functions

0.2.1 - `Elephant Point <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.1>`__ 2018/02/07
-------------------------------------------------------------------------------------------------------

Bug fixes
^^^^^^^^^

- The test suite can now be successfully run as root
- Fix a double execution when Snuffleupagus is loaded together with some other extensions
- Fix an execution-context related crash

Improvements
^^^^^^^^^^^^

- Support PCRE2, since it's `required for PHP 7.3 <https://wiki.php.net/rfc/pcre2-migration>`__
- Slightly improve the portability of the code
- Minor code simplification

0.2.0 - `Elephant Rally <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.0>`__ 2018/01/18
---------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- `Glob <https://en.wikipedia.org/wiki/Glob_%28programming%29>`__ support in ``sp.configuration_file``
- Whitelist/blacklist functions in ``eval``
- ``phpinfo`` shows whether the configuration is valid

Bug fixes
^^^^^^^^^

- Fix an off-by-one in configuration parsing
- Fix minor cookie-encryption related memory leaks
- Fix various crashes spotted by `fr33tux <https://fr33tux.org/>`__
- Configuration files with Windows line endings are now handled correctly

Improvements
^^^^^^^^^^^^

- General code clean-up
- Documentation overhaul
- Compilation on FreeBSD and CentOS
- Select which cookies to encrypt via regular expressions
- Match on return values of user-defined functions
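The rule features introduced between 0.2.0 and 0.3.1 (encrypted and ``SameSite`` session cookies, cookie selection by regular expression, the ``eval`` blacklist, ``.filename()`` matching on the calling file, ``.dump()``, matching on return values, the ``sp.configuration_file`` glob) combine into a rules file such as the one below. This is an added illustration written for this page, not a file shipped by the Snuffleupagus project: the directive names follow the 0.3.x documentation, while the secret, the cookie name pattern, the script path, the dump directory, the ``is_admin`` function and the glob path are placeholders of my own to adapt.

```ini
# Added example, not part of the Snuffleupagus changelog or its default rules.
# Every path, name and secret below is a placeholder.
#
# php.ini side (0.2.0 glob support) - goes in php.ini, not in a rules file:
#   sp.configuration_file=/etc/php/snuffleupagus.d/*.rules

# 0.3.1: hardened PRNG and XXE protection; on by default in the shipped rules,
# spelled out here so the intent is visible in one place
sp.harden_random.enable();
sp.xxe_protection.enable();

# 0.3.0: encrypted session cookie. The secret is mixed with a per-client
# environment variable, so a cookie lifted from one TLS session cannot be
# replayed from another client. Replace the secret with long random data and
# keep it out of version control.
sp.global.secret_key("replace-with-at-least-32-random-bytes");
sp.global.cookie_env_var("SSL_SESSION_ID");
sp.cookie.name("PHPSESSID").encrypt();

# 0.2.0: pick further cookies to encrypt with a regular expression
sp.cookie.name_r("^(auth|remember)_").encrypt();

# 0.3.1: SameSite on the session cookie
sp.cookie.name("PHPSESSID").samesite("lax");

# 0.3.0: refuse loose (type-juggling) comparisons across the application
sp.global_strict.enable();

# 0.2.0: functions that must never be reachable from inside eval()
sp.eval_blacklist.list("system,exec,shell_exec,passthru,popen,proc_open");

# 0.3.0: .filename() now matches the file the call is made from, so system()
# is tolerated only from the one script that legitimately needs it
# (placeholder path) and dropped everywhere else
sp.disable_function.function("system").filename("/var/www/app/admin/maintenance.php").allow();
sp.disable_function.function("system").drop();

# 0.2.2: keep a copy of the offending request for forensics before dropping it
sp.disable_function.function("unserialize").dump("/var/log/snuffleupagus").drop();

# 0.2.0: match on the return value of a user-defined function. is_admin() is a
# placeholder; the assumption here is that it returns true, which Snuffleupagus
# compares against the string "1". The request is dumped, then dropped.
sp.disable_function.function("is_admin").ret("1").dump("/var/log/snuffleupagus").drop();
```

When rolling such rules out, replace ``.drop()`` with ``.simulation()`` on the ``sp.disable_function`` lines first: violations are then only logged, which lets you confirm that the ``.filename()`` path and the ``is_admin`` return-value match fire where you expect before anything is actually blocked.
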

External contributions
^^^^^^^^^^^^^^^^^^^^^^

- Simplification and clean-up of our linked-list implementation by `smagnin <https://github.com/smagnin>`__

0.1.0 - `Mighty Mammoth <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.1.0>`__ 2017/12/21
---------------------------------------------------------------------------------------------------------

- Initial release