Skip to content
Pre-release
Pre-release

@kkadosh kkadosh released this Jun 12, 2019 · 23 commits to master since this release

Improvements

  • Tighten a bit a command-injection prevention rule in the default rules set
  • Increased the portability of the testsuite
  • Improved documentation
  • Usual code cleanup
  • Snuffleupagus will throw an informative error when compiled for PHP5
  • Snuffleupagus will throw an informative error when compiled without PCRE support
  • The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
  • Some rules against now-known vulnerabilities/techniques were added

Bug fixes

  • PHP7.4 is fully supported, without any compilation warning
  • Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine).
  • Fix a compilation warning on FreeBSD
  • Cookies hardening is now supported on PHP7.3+
Assets 3
Pre-release
Pre-release

@kkadosh kkadosh released this Dec 21, 2018 · 70 commits to master since this release

Improvements

  • Improve and clarify the documentation
  • Add support for PHP7.3
  • Improve the coverage, we have reached 99% of coverage
  • Improve mb_string hooking logic
  • The script that check uploaded file is now available in PHP

Bug fixes

  • Fix segfault on 32-bit for PHP7.3
  • Fix segfault when using sloppy_comparison feature with array
Assets 3
Pre-release
Pre-release

@jvoisin jvoisin released this Aug 31, 2018 · 115 commits to master since this release

New features

  • Add the possibility to whitelist stream wrappers
  • Snuffleupagus is now using php's logging mechanisms, instead of outputting its log directly into the syslog.
  • PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.

Improvements

  • Significant code simplification for cookies handling thanks to Remi Collet
  • Our sloppy comparison feature is now complete
  • Snuffleupagus won't start with an invalid config anymore, except if the sp.allow_broken_configuration is set.
  • It's now possible to place virtual-patches on the return value of user-defined functions.
  • Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.

Bug fixes

  • Add some missing pieces of documentation and fix some links
  • Fix the make install command
  • Fix various compilation warnings
  • Snuffleupagus is now running on platforms that aren't using the glibc, thanks to an external contributor Antoine Tenart
Assets 3
Pre-release
Pre-release

@he2ss he2ss released this Aug 20, 2018 · 142 commits to master since this release

Improvements

  • Disable XXE and harden PRNG by default
  • Use SameSite on PHP's session cookie in the default rules
  • Relax a bit what files can be included in the default rules
  • Add the possibility to ignore files hashes when generating rules
  • The filename filter is now accepting phar paths

Bug fixes

  • The harden rand_feature is not ignoring parameters anymore in function calls
  • Fix possible crashes/hangs when using php-fpm's pools
  • Fix an infinite loop on echo hook
  • Fix an issue with filename filter
  • Fix some documentation issues
  • Fix the Arch Linux's PKGBUILD
Assets 3
Pre-release

@kkadosh kkadosh released this Jul 18, 2018 · 165 commits to master since this release

New features

Improvements

  • The .filename() filter is now matching on the file where the function is called instead on the one where it's defined.
  • Vastly optimize the way we hook native functions
  • The format of the logs has been streamlined to ease their processing

Bug fixes

  • Better handling of filters for builtins functions
  • Fix various possible integer overflows
  • Fix an annoying memory leak impacting mostly mod_php
Assets 3
Pre-release

@jvoisin jvoisin released this Mar 12, 2018 · 201 commits to master since this release

New features

  • The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist

Improvements

  • Add some assertions
  • Add more rules examples
  • Provide a script to check for malicious file uploads
  • Significant performances improvement (at least +20%)
  • Significantly improve the performances of our default rules set
  • Our readme file is now shinier
  • Minor code simplification

Bug fixes

  • Fix a crash related to variadic functions
Assets 3
Pre-release

@jvoisin jvoisin released this Feb 7, 2018 · 235 commits to master since this release

Bug fixes

  • The testsuite can now be successfully run as root
  • Fix a double execution when snuffleupagus is used with some other extensions
  • Fix an execution-context related crash

Improvements

  • Support PCRE2, since it's required for PHP7.3
  • Improve a bit the portability of the code
  • Minor code simplification
Assets 3
Pre-release
Pre-release

@jvoisin jvoisin released this Jan 18, 2018 · 256 commits to master since this release

New features

  • Glob support in sp.configuration_file
  • Whitelist/blacklist functions in eval
  • phpinfo shows is the configuration is valid or not

Bug fixes

  • Off-by-one in configuration parsing fixed
  • Minor cookie-encryption related memory leaks fixes
  • Various crashes spotted by fr33tux fixes
  • Configuration files with windows EOL are correctly handled

Improvements

  • General code clean-up
  • Documentation overhaul
  • Compilation on FreeBSD and CentOS
  • Select which cookies to encrypt via regular expressions
  • Match on return values from user-defined functions

External contributions

  • Simplification and clean up of our linked-list implementation by smagnin
Assets 3
Pre-release
Pre-release

@jvoisin jvoisin released this Dec 21, 2017 · 328 commits to master since this release

This is our first release.

Assets 3
You can’t perform that action at this time.