diff --git a/APKBUILD b/APKBUILD index b784e38c..b3345f6f 100644 --- a/APKBUILD +++ b/APKBUILD @@ -1,4 +1,4 @@ -# Maintainer: +# Maintained by Julien (jvoisin) Voisin pkgname="php7-snuffleupagus" _pkgname="snuffleupagus" pkgver=0.1 @@ -10,7 +10,7 @@ license="LGPL3" depends="php7-dev php7-fpm" source="" -_giturl="https://github.com/nbs-system/snuffleupagus.git" +_giturl="https://github.com/jvoisin/snuffleupagus.git" prepare() { default_prepare diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 88a3297d..40ad357f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -6,9 +6,9 @@ First off, thank you for considering contributing to snuffleupagus. If you've noticed a bug or have a question, look at the [faq](https://snuffleupagus.readthedocs.io/faq.html) and -[search the issue tracker](https://github.com/nbs-system/snuffleupagus/issues) +[search the issue tracker](https://github.com/jvoisin/snuffleupagus/issues) to see if someone else has already created a ticket. If not, go ahead and -[make one](https://github.com/nbs-system/snuffleupagus/issues/new)! +[make one](https://github.com/jvoisin/snuffleupagus/issues/new)! ### 2. Fork & create a branch @@ -28,7 +28,7 @@ Just type `make coverage` or `make debug`, the testsuite should be run automatically. Please add tests if you're fixing a bug or adding a new feature: we do have a -[high coverage](https://coveralls.io/github/nbs-system/snuffleupagus?branch=master) +[high coverage](https://coveralls.io/github/jvoisin/snuffleupagus?branch=master) (functions, lines and branches), and intend to keep it that way. #### 3.3 Debugging failures in the test suite 
@@ -45,9 +45,9 @@ launching it, in order to run the failing test inside GDB. ### 4. Did you find a bug? * **Ensure the bug was not already reported** by - [searching all issues](https://github.com/nbs-system/snuffleupagus/issues?q=). + [searching all issues](https://github.com/jvoisin/snuffleupagus/issues?q=). * If you're unable to find an open issue addressing the problem, - [open a new one](https://github.com/nbs-system/snuffleupagus/issues/new). + [open a new one](https://github.com/jvoisin/snuffleupagus/issues/new). Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** or an **executable test case** demonstrating the expected behavior that is not @@ -67,7 +67,7 @@ At this point, you should switch back to your master branch and make sure it's up to date with our upstream master branch: ```sh -git remote add upstream git@github.com:nbs-system/snuffleupagus.git +git remote add upstream git@github.com:jvoisin/snuffleupagus.git git checkout master git pull upstream master ``` @@ -82,7 +82,7 @@ git push --set-upstream origin 325-kill-sql-injections Finally, go to GitHub and [make a Pull Request](https://help.github.com/articles/creating-a-pull-request) :D -Travis CI will [run our test suite](https://travis-ci.org/nbs-system/snuffleupagus) +Travis CI will [run our test suite](https://travis-ci.org/jvoisin/snuffleupagus) against all supported PHP versions. We care about quality, so your PR won't be merged until all tests pass. It's unlikely, but it's possible that your changes pass tests in one PHP version but fail in another. In that case, you'll have to 
@@ -121,7 +121,7 @@ Maintainers need to do the following to push out a release: 1. Make sure that all pending and mergeable pull requests are in 2. Close the corresponding - [milestone](https://github.com/nbs-system/snuffleupagus/milestones) + [milestone](https://github.com/jvoisin/snuffleupagus/milestones) 2. Run `valgrind` (by adding a `-m` after the `-q` in the Makefile) and check that everything is ok. Don't mind the python-related issues. 3. Update the `src/php_snuffleupagus.h` according to [semantic versioning](https://semver.org/) @@ -132,15 +132,13 @@ Maintainers need to do the following to push out a release: 8. Create a tag for the release: ```sh - git config user.signingkey 498C46FF087EDC36E7EAF9D445414A82A9B22D78 - git config user.email security@nbs-system.com git tag -s v$MAJOR.$MINOR.$PATCH -m "v$MAJOR.$MINOR.$PATCH" git push --tags git push origin master ``` 9. Build the debian package with `make debian` -10. Create the [release on github](https://github.com/nbs-system/snuffleupagus/releases) +10. Create the [release on github](https://github.com/jvoisin/snuffleupagus/releases) 11. Add the freshly built Debian package to the release 12. Publish a [tweet](https://twitter.com/sp_php) 13. Do the *secret release dance* diff --git a/PKGBUILD b/PKGBUILD index 9c7239eb..8ef050dd 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,4 +1,4 @@ -# Maintainer NBS System Security Team +# Maintained by Julien (jvoisin) Voisin pkgname="snuffleupagus" pkgver=r169.424845a pkgrel=1 @@ -8,7 +8,7 @@ arch=('i686' 'x86_64') license=('LGPL3') depends=('php' 'php-fpm') checkdepends=() -source=("${pkgname}::git+https://github.com/nbs-system/${pkgname}.git") +source=("${pkgname}::git+https://github.com/jvoisin/${pkgname}.git") md5sums=('SKIP') pkgver() { diff --git a/debian/control b/debian/control index 5ec04807..bd9c3615 100644 --- a/debian/control +++ b/debian/control 
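Review bot: The release steps still run `git tag -s`, but with the `git config user.signingkey ...` line removed nothing says which key signs release tags any more, so the tag gets whatever default key the releasing machine has and downstream users have no fingerprint to run `git tag -v` against. Since the project is also changing hands, the old NBS System key is presumably no longer the right one, so I'd replace the removed line rather than drop it, e.g. `git config user.signingkey <new-maintainer-fingerprint>`, and publish that fingerprint where the faq's security section used to show the old key. It would also be safer to push only the release tag, `git push origin v$MAJOR.$MINOR.$PATCH`, instead of `git push --tags`, which publishes every local tag.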
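Review bot: The new `source=` line still fetches the tip of the repository and the hunk keeps `md5sums=('SKIP')`, so the package builds whatever the default branch holds at build time with no integrity or authenticity check; switching upstream is a good moment to pin it. Arch VCS sources accept a fragment and a signature check, e.g. `source=("${pkgname}::git+https://github.com/jvoisin/${pkgname}.git#tag=vX.Y.Z?signed")` together with a `validpgpkeys=(...)` entry for the release signing key (`pkgver()`, defined outside the hunk, currently derives the `r169.424845a`-style version and would need to agree with the pinned ref). If tracking the branch is intentional, at least `#commit=<sha>` makes the build reproducible.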
@@ -1,11 +1,11 @@ Source: snuffleupagus Priority: optional -Maintainer: NBS System +Maintainer: Julien (jvoisin) Voisin Build-Depends: debhelper (>= 9), php7.0-dev | php7.1-dev | php7.2-dev Standards-Version: 4.1.3 -Homepage: https://snuffleupagus.fr +Homepage: https://github.com/jvoisin/snuffleupagus Section: php -Vcs-Git: https://github.com/nbs-system/snuffleupagus +Vcs-Git: https://github.com/jvoisin/snuffleupagus Package: snuffleupagus Architecture: any diff --git a/debian/copyright b/debian/copyright index a7924524..af8f5421 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Snuffleupagus -Upstream-Contact: NBS System -Source: https://github.com/nbs-system/snuffleupagus +Upstream-Contact: Julien (jvoisin) Voisin +Source: https://github.com/jvoisin/snuffleupagus Files: * Copyright: 2017 NBS System diff --git a/debian/watch b/debian/watch index 86028c70..2f88601b 100644 --- a/debian/watch +++ b/debian/watch @@ -1,2 +1,2 @@ version=3 -https://github.com/nbs-system/snuffleupagus/tags /nbs-system/snuffleupagus/archive/snuffleupagus-([0-9.]+)\.tar\.(gz|xz|bz2) +https://github.com/jvoisin/snuffleupagus/tags /jvoisin/snuffleupagus/archive/snuffleupagus-([0-9.]+)\.tar\.(gz|xz|bz2) diff --git a/doc/source/config.rst b/doc/source/config.rst index 4be8db7a..7691f89d 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -199,8 +199,8 @@ argument and various information about it in the environment: This feature can be used, for example, to check if an uploaded file contains php code, using `vld `_, -via `a python script `__, -or `a php one `__. +via `a python script `__, +or `a php one `__. The upload will be **allowed** if the script returns the value ``0``. Every other value will prevent the file from being uploaded. 
@@ -342,7 +342,7 @@ For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**. because it'll match the deny first. If you're paranoid, we're providing a `php script -`__ +`__ to automatically generate hash of files containing dangerous functions, and blacklisting them everywhere else. @@ -358,7 +358,7 @@ It's currently not possible to: things like this, odds are that you're doing something wrong anyway. - Hooks on ``echo`` and on ``print`` are equivalent: there is no way to hook one without hooking the other, at least - `for now `__). + `for now `__). This is why hooked ``print`` will be displayed as ``echo`` in the logs. - Hook `strlen`, since in latest PHP versions, this function is usually optimized away by the compiled. diff --git a/doc/source/debug.rst b/doc/source/debug.rst index b339366d..b2a1f28c 100644 --- a/doc/source/debug.rst +++ b/doc/source/debug.rst @@ -18,7 +18,7 @@ We're using `php qa `__ tests format for our testsuite, it is automatically run when you're building snuffleupagus. If it happens to have unexpected failures (Since we're using `TDD `__ as much -as we can, we do have some expected failures), please do `open an issue `__ +as we can, we do have some expected failures), please do `open an issue `__ on our bugtracker, and attach the generated ``.diff`` and ``.out`` files to it, so we can see what's happening. @@ -27,7 +27,7 @@ Snuffleupagus is crashing While we do our very best to make snuffleupagus solid as possible, we're humans, and computers are hard, so crashes can happen. If you're encountering one in production, -please try to launch the `testsuite `__ +please try to launch the `testsuite `__ to see if it's failing. If it does, please :ref:`tell us `. If the testsuite is passing, odds are that you're encountering an issue tied to your php code, diff --git a/doc/source/download.rst b/doc/source/download.rst index dfe47687..fd61099a 100644 --- a/doc/source/download.rst +++ b/doc/source/download.rst 
@@ -4,20 +4,20 @@ Download Arch Linux ---------- -We're providing a `PKGBUILD `__, +We're providing a `PKGBUILD `__, so you can build a package yourself. Alpine Linux ------------ -We're providing a `APKBUILD `__, +We're providing a `APKBUILD `__, so you can build a package yourself. Debian and Ubuntu ----------------- We're currently not providing a Debian/Ubuntu repository, -but you can grab the latest release on `github `__, +but you can grab the latest release on `github `__, or build your own package by cloning the source code and typing ``make debian``. Fedora @@ -39,4 +39,4 @@ We're currently using *github* as public code repository. :: - git clone https://github.com/nbs-system/snuffleupagus + git clone https://github.com/jvoisin/snuffleupagus diff --git a/doc/source/faq.rst b/doc/source/faq.rst index 4974c70a..285f0c84 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst @@ -46,6 +46,8 @@ with a strong focus on security. We do have several layers of hardening `IDS `_, etc), but we had nothing for PHP7. +Nowadays, Snuffleupagus is maintained by Julien (jvoisin) Voisin. + Why not Suhosin? """""""""""""""" @@ -70,7 +72,8 @@ What license is Snuffleupagus released under and why? """"""""""""""""""""""""""""""""""""""""""""""""""""" Snuffleupagus is licensed under the `LGPL `_ -and is developed by the fine people from `NBS System `__. +was developed by the fine people from `NBS System `__, +and is maintained by Julien (jvoisin) Voisin. We chose the LGPL because we don't care that much how you're using Snuffleupagus, but we'd like to force people to make their improvements/contributions @@ -171,7 +174,7 @@ By checking the logs; Snuffleupagus systematically prefix them with ``[snuffleup Does Snuffleupagus run on Windows? """""""""""""""""""""""""""""""""" -No idea, feel free to `try `_. +No idea, feel free to `try `_. Does Snuggleupagus run on `HHVM `_? 
@@ -204,46 +207,13 @@ discuss potential impact of the vulnerability, reference applicable patches or workarounds, and credit the discoverer. -Please send it us a mail to the ``security`` user, -on ``nbs-system.com``, using the gpg key -``498C46FF087EDC36E7EAF9D445414A82A9B22D78``: - -:: - - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mQENBFnKHhoBCADaOa0MKEqRy0h2ohIzczblzkMQCbU9oD1HwJ1VkYnn7TGW2iKi - NISxisExIXpy2Bn/pA27GiV0V/Do3NL6D9r0oOCrGR27muGM0N/dk9UMv7MWw8zv - K8cO+Sa28s0cAv7r2ogUJj5YOo8D4wHEpE8424TE89V9+Qg/SaFCxKoELFP0c7wu - mtsm0PnL65piZ1EB7lQo2gxg+8AV45MD1Y2rREMKUoZE23X+nXKsmEh9BFEPaU5M - 7WQp0NasqeMNoGhwfw9ttVAeLhkEkaTjW1PkNRIb7vrtV9KVb5uKucflfbOnDlzu - tQ9U3tYto0mcSCRchAClfEmoSi/0mKyb5N6ZABEBAAG0NVNlY3VyaXR5IHRlYW0g - b2YgTkJTIFN5c3RlbSA8c2VjdXJpdHlAbmJzLXN5c3RlbS5jb20+iQE3BBMBCAAh - BQJZyh4aAhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEEVBSoKpsi14jy0H - /1/XB9THhvmG0ow81sld2Zx8qhnNed8VvYDS6mEjpDWNVPxENwDbnakEjisq1Hrb - 2UQPYCyQ5dekPNFVwQHIGXkX0eb1Ank+4esBJuEpQ2985tgNhJy5ZX+Imb5C8nZC - 90uYSN1UUg559nUsFeElOXSEH6tIXK/TvjsvMYoi2Ukl6lb7PbIU2fjLY9Iqv3QY - 32p8/Bl1fVKWbXOk0HDgJ6zA3Kr56QhZOLBkxjOa2XAnnIE76jZxUJ9qPCwWd1vW - GFxtx1Y+eZriqHiC9CPe6aBWcIHaTXSu1WBbXrFu8/eCWw243Rxm8l9wgA/a7VWq - WBfO45IhJUwh95naRpw8/4a5AQ0EWcoeGgEIAJtzSyyzfn2RX+BsyoRFANUpIgrV - /9eohYQVNqK3AFthmq7Kjmt4+hszF5+0wCFmWwYqGnqk1/dsWmqpkXsJldEn6oPJ - Bng+Dc67Yki2dR3TroAf95UmI08fhyM7TMXp8m46BPRRMzPNwalEeEm49Oclmfxb - JsWWCChWVLWGz2xgPEAv3fPHqus7Rwz/WIl53l/qy1Wf0ewmjRpVEfnEMKBExtBK - 4kRxQ40LzUZ1SfpyGc3nMbswhevT7/klqrdJdCnlu67Y/IfRGxGZuNj1n1Dib3Hx - zTBHo3Y2R3BB93Ix8dkbLaxLqFbOYVdijCgJklqUWhx7btpQ2xnZyzyCMuUAEQEA - AYkBHwQYAQgACQUCWcoeGgIbDAAKCRBFQUqCqbIteFRvB/9u3Mae8n8ELrJKOn+P - PEbWjutObIuTplvY4QcbnNb9dsgsKryamp4CFJsA5XuitPpC31GDMXBZO5/LLOuH - HoMaXFJdic0NToL/3REhu+aZkNIU6S/iaPRNVhkSV4lwQsvncz+nBaiDUJjyfJm2 - kEjVcRTM8yqzcNo/9Gn0ts+XCUqRj7+S1M4Bj3NySoO/w2n+7OLbIAj+wQZcj3Gf - 5QhBYaY4YaFxrJE0IZxyXGHw8xhKR6AN+u4TO7LRCW+cWV/sHWir1MXieJoEG8+R - 
W/BhrB0Rz5uxOXMoGCCD2TUiHq7zpuHGnYFVmAnHQZaaQxXve4VrcmznxgpV8lpW - mZug - =+eIv - -----END PGP PUBLIC KEY BLOCK----- +Please do send a mail to [Julien (jvoisin) Voisin](https://dustri.org) should +you find a security issue. + I found a bug. How can I report it? """"""""""""""""""""""""""""""""""" -We do have an issue tracker on `Github `_. +We do have an issue tracker on `Github `_. Please make sure to include as much information as possible when reporting your issue, such as your operating system, your version of PHP 7, your version of Snuffleupagus, your logs, the problematic php code, the request, a brief description, … long story short, @@ -255,12 +225,9 @@ it's not that hard. Where can I find even more help? """""""""""""""""""""""""""""""" The :doc:`configuration page ` might be what you're looking for. -If you're adventurous, you can also check the `issue tracker `_ -(make sure to check the `closed issues `_ too). +If you're adventurous, you can also check the `issue tracker `_ +(make sure to check the `closed issues `_ too). -I need professional support for my company. -""""""""""""""""""""""""""""""""""""""""""" -Contact `NBS System `_. Unimplemented mitigations and abandoned ideas --------------------------------------------- diff --git a/doc/source/installation.rst b/doc/source/installation.rst index 74d5d4ff..a6b0ff8d 100644 --- a/doc/source/installation.rst +++ b/doc/source/installation.rst @@ -1,7 +1,7 @@ Installation ============ -Snuffleupagus is tested against `various PHP 7+ versions `_. +Snuffleupagus is tested against `various PHP 7+ versions `_. Manual installation ------------------- @@ -21,7 +21,7 @@ Quickstart :: - git clone https://github.com/nbs-system/snuffleupagus + git clone https://github.com/jvoisin/snuffleupagus cd snuffleupagus/src phpize ./configure --enable-snuffleupagus diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 0141a875..5a02e932 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h 
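Review bot: The replacement security-contact paragraph removes both the encryption key and the mailbox without providing new ones: it says "send a mail to" but links a website rather than an address, and the link is written in Markdown (`[text](url)`) inside an RST file, so Sphinx will render the brackets literally. Vulnerability reports are precisely the mail that should be encryptable, so I'd restore a key with its fingerprint alongside a real address, written as RST, e.g. `Please send it by mail to the maintainer, Julien (jvoisin) Voisin, encrypted to the key with fingerprint ``<FINGERPRINT>``.` followed by the armored public key in a literal block as before. The "I found a bug" section of the same hunk is fine; the enclosing "How do I report a vulnerability" text starts before the hunk.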
@@ -4,7 +4,7 @@ #define PHP_SNUFFLEUPAGUS_VERSION "0.5.0" #define PHP_SNUFFLEUPAGUS_EXTNAME "snuffleupagus" #define PHP_SNUFFLEUPAGUS_AUTHOR "NBS System" -#define PHP_SNUFFLEUPAGUS_URL "https://github.com/nbs-system/snuffleupagus" +#define PHP_SNUFFLEUPAGUS_URL "https://github.com/jvoisin/snuffleupagus" #define PHP_SNUFFLEUPAGUS_COPYRIGHT "LGPLv2" #include diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index aebe45cb..c3a9c198 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -44,7 +44,7 @@ int parse_session(char *line) { "You're trying to use the session cookie encryption feature " "on line %zu without having session support statically built into PHP. " "This isn't supported, see " - "https://github.com/nbs-system/snuffleupagus/issues/278 for details.", + "https://github.com/jvoisin/snuffleupagus/issues/278 for details.", sp_line_no); pefree(session, 0); return -1; diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 9e649930..4807955e 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -361,7 +361,7 @@ static void should_disable(zend_execute_data* execute_data, sp_log_warn( "disable_function", "Snuffleupagus doesn't support variadic functions yet, sorry. " - "Check https://github.com/nbs-system/snuffleupagus/issues/164 for " + "Check https://github.com/jvoisin/snuffleupagus/issues/164 for " "details."); } else if (false == is_param_matching( execute_data, config_node, builtin_param, diff --git a/src/sp_upload_validation.c b/src/sp_upload_validation.c index ee19df92..54b0481e 100644 --- a/src/sp_upload_validation.c +++ b/src/sp_upload_validation.c 
@@ -15,7 +15,7 @@ int sp_rfc1867_callback_win(unsigned int event, void *event_data, void **extra) { sp_log_msg("upload_validation", SP_LOG_SIMULATION, "The upload validation doesn't work for now on Windows yet, " - "see https://github.com/nbs-system/snuffleupagus/issues/248 for " + "see https://github.com/jvoisin/snuffleupagus/issues/248 for " "details."); return SUCCESS; } diff --git a/src/tests/disable_function/disabled_functions_drop_include.phpt b/src/tests/disable_function/disabled_functions_drop_include.phpt index e18dd730..ba1c9559 100644 --- a/src/tests/disable_function/disabled_functions_drop_include.phpt +++ b/src/tests/disable_function/disabled_functions_drop_include.phpt @@ -1,5 +1,5 @@ --TEST-- -Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +Disable function, bug : https://github.com/jvoisin/snuffleupagus/issues/181 --SKIPIF-- --INI-- diff --git a/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt b/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt index 07c3e98d..1b139157 100644 --- a/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt +++ b/src/tests/disable_function/disabled_functions_drop_include_simulation.phpt @@ -1,5 +1,5 @@ --TEST-- -Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +Disable function, bug : https://github.com/jvoisin/snuffleupagus/issues/181 --SKIPIF-- --INI-- diff --git a/src/tests/disable_function/disabled_functions_variadic.phpt b/src/tests/disable_function/disabled_functions_variadic.phpt index 5bace630..32b6b0ef 100644 --- a/src/tests/disable_function/disabled_functions_variadic.phpt +++ b/src/tests/disable_function/disabled_functions_variadic.phpt 
@@ -13,6 +13,6 @@ function foo(...$b) { echo foo(5, 4, 3, 2, 1); ?> --EXPECTF-- -Warning: [snuffleupagus][0.0.0.0][disable_function] Snuffleupagus doesn't support variadic functions yet, sorry. Check https://github.com/nbs-system/snuffleupagus/issues/164 for details. in %a/disabled_functions_variadic.php on line %d +Warning: [snuffleupagus][0.0.0.0][disable_function] Snuffleupagus doesn't support variadic functions yet, sorry. Check https://github.com/jvoisin/snuffleupagus/issues/164 for details. in %a/disabled_functions_variadic.php on line %d Fatal error: [snuffleupagus][0.0.0.0][disabled_function] Aborted execution on call of the function 'foo' in %a/disabled_functions_variadic.php on line %d