path: root/doc/source/changelog.rst
blob: 534537f97fd41b5f5163f293b93fcb6c1644abd2 (plain)
Changelog
=========

0.4.0 - `Oliphant Chuckerbutty <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.4.0>`__ 2018/08/31
--------------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- Add the possibility to whitelist `stream
  wrappers <https://secure.php.net/manual/en/intro.stream.php>`__
- Snuffleupagus now uses PHP's logging mechanisms instead of
  writing its log directly to the syslog.
- PHP is now prevented from ever disabling certificate verification,
  thanks to a few lines in our default configuration.


Improvements
^^^^^^^^^^^^

- Significant code simplification of cookie handling,
  thanks to `Remi Collet <http://famillecollet.com>`__
- Our ``sloppy comparison`` feature is now complete
- Snuffleupagus no longer starts with an invalid configuration,
  unless ``sp.allow_broken_configuration`` is set.
- It's now possible to place virtual patches on the return value
  of user-defined functions.
- Since Snuffleupagus is used by more and more organisations,
  we added a bunch of them to our propaganda page.

Bug fixes
^^^^^^^^^

- Add some missing pieces of documentation and fix some links
- Fix the ``make install`` command
- Fix various compilation warnings
- Snuffleupagus now runs on platforms that don't use
  glibc, thanks to external contributor `Antoine Tenart
  <https://ack.tf>`__



0.3.1 - `Elephant Arch <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.1>`__ 2018/08/20
------------------------------------------------------------------------------------------------------

Improvements
^^^^^^^^^^^^

- Disable XXE and harden the PRNG by default
- Use ``SameSite`` on PHP's session cookie in the default rules
- Slightly relax which files can be included in the default rules
- Add the possibility to ignore file hashes when generating rules
- The ``filename`` filter now accepts phar paths

Bug fixes
^^^^^^^^^

- The PRNG hardening feature no longer ignores parameters in function calls
- Fix possible crashes/hangs when using php-fpm's pools
- Fix an infinite loop in the ``echo`` hook
- Fix an issue with the ``filename`` filter
- Fix some documentation issues
- Fix the Arch Linux PKGBUILD


0.3.0 - `Dentalium elephantinum <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.0>`__ 2018/07/17
---------------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- Session cookies can now be `encrypted <https://github.com/nbs-system/snuffleupagus/pull/178>`__
- Some occurrences of `type juggling <https://github.com/nbs-system/snuffleupagus/pull/186>`__ can now be eradicated
- It's `now possible <https://github.com/nbs-system/snuffleupagus/pull/187>`__ to hook ``echo`` and ``print``

Improvements
^^^^^^^^^^^^

- The ``.filename()`` filter is `now matching <https://github.com/nbs-system/snuffleupagus/pull/167>`__ on the file where the function is called instead of the one where it's defined.
- Vastly `optimize <https://github.com/nbs-system/snuffleupagus/issues/166>`__ the way we hook native functions
- The format of the logs has been streamlined to ease their processing


Bug fixes
^^^^^^^^^

- Better handling of filters for built-in functions
- Fix various possible integer overflows
- Fix an `annoying memory leak <https://github.com/nbs-system/snuffleupagus/issues/192#issuecomment-404538124>`__ impacting mostly ``mod_php``


0.2.2 - `Elephant Moraine <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.2>`__ 2018/04/12
---------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- The ``.dump()`` filter is now supported for the ``unserialize``, ``readonly_exec``, and ``eval`` black/whitelists

Improvements
^^^^^^^^^^^^

- Add some assertions
- Add more rule examples
- Provide a script to check for malicious file uploads
- Significant performance improvement (at least +20%)
- Significantly improve the performance of our default rule set
- Our readme file is now shinier
- Minor code simplification

Bug fixes
^^^^^^^^^

- Fix a crash related to variadic functions


0.2.1 - `Elephant Point <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.1>`__ 2018/02/07
-------------------------------------------------------------------------------------------------------

Bug fixes
^^^^^^^^^

- The testsuite can now be successfully run as root
- Fix a double execution when Snuffleupagus is used with some other extensions
- Fix an execution-context-related crash

Improvements
^^^^^^^^^^^^

- Support PCRE2, since it's `required for PHP 7.3 <https://wiki.php.net/rfc/pcre2-migration>`__
- Slightly improve the portability of the code
- Minor code simplification

0.2.0 - `Elephant Rally <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.2.0>`__ - 2018/01/18
---------------------------------------------------------------------------------------------------------

New features
^^^^^^^^^^^^

- `Glob <https://en.wikipedia.org/wiki/Glob_%28programming%29>`__ support in ``sp.configuration_file``
- Whitelist/blacklist functions in ``eval``
- ``phpinfo`` shows if the configuration is valid or not

Bug fixes
^^^^^^^^^

- Fix an off-by-one in configuration parsing
- Fix minor cookie-encryption-related memory leaks
- Fix various crashes spotted by `fr33tux <https://fr33tux.org/>`__
- Configuration files with Windows EOL are now correctly handled

Improvements
^^^^^^^^^^^^

- General code clean-up
- Documentation overhaul
- Compilation on FreeBSD and CentOS
- Select which cookies to encrypt via regular expressions
- Match on return values from user-defined functions

External contributions
^^^^^^^^^^^^^^^^^^^^^^

- Simplification and clean up of our linked-list implementation by `smagnin <https://github.com/smagnin>`__

0.1.0 - `Mighty Mammoth <https://github.com/nbs-system/snuffleupagus/releases/tag/v0.1.0>`__ - 2017/12/21
---------------------------------------------------------------------------------------------------------

- Initial release