Skip to content

Releases: jvoisin/snuffleupagus

Elephant Gambit

Choose a tag to compare

New features

  • Add the ability to dump the parameter passed to eval
  • Add the ability to match on eval's parameter
  • Add optional extended checks for readonly_exec
  • Add config error for ini rules with identical key
  • Add disabled functions return type to config export

Breaking Changes

  • Mix the stacktrace in the sha256 for the filename of .dump()

Bug fixes

  • Make it actually possible to configure sloppy comparison on latests PHP7
  • Allow file:// prefix in include() wich readonly_exec mode
  • Fix a possible crash when exporting function list
  • Fix a minor memory leak when parsing cookie-related configuration


Choose a tag to compare

Bug fixes

  • Fix compilation when ZTS is used ( 5843e8c )
  • Fix a possible infinite loop ( 90723b8 )


Choose a tag to compare
  • Fix the version number
  • Fix a test on PHP7

Woolly Mammoth

Choose a tag to compare

New features

  • Compatibility with PHP8.1
  • Check for unsupported PHP version
  • Backport of Suhosin-ng patches:
    • Maximum stack depth/recursion limit
    • Maximum length for session id
    • $_SERVER strip/encode
    • Configuration dump
    • Support for conditional rules
    • INI settings protection
    • Output SP logs to stderr
    • Ported Suhosin rules to SP


  • Massive simplification of the configuration parser
  • Better memory management
  • Removal of internal calls to call_user_func
  • Increased portability of the default rules access different version of PHP
  • Start SP as late as possible, to hook as many things as possible

Bug fixes

  • XML and Session support are now checked at runtime instead of at compile time

Breaking changes

  • disable_xxe is renamed xxe_protection


Choose a tag to compare
  • Fixed possible memory-leaks when hooking via regular expressions
  • Modernise the code by removing usage of strtok
  • Prevent a possible crash during configuration reloading
  • Fix the default rules to catch dangerous chmod calls
  • Improve compatibility with various libpcre configurations/versions
  • Improve the default rules' compatibility with php8
  • Prevent XXE in php8 as well
  • Improve a bit the verbosity of the logs
  • Add a rules file for php8

Los Elefantes

Choose a tag to compare

New features

  • PHP8 support
  • Stacktraces in dumps
  • The > operator now skips over functions


  • Move the CI from travis to gitlab-ci
  • Some code simplifications and constifications
  • PCRE2 is now used when possible
  • The generate_rules.php script is now more portable

Bug fixes

  • The strict mode is now disableable

Elephant in the room

Choose a tag to compare
  • Allow empty configurations
  • More constification
  • Snuffleupagus should now be able to get client's ip addresses in more cases
  • Documented compatibility with Heroku
  • Improved logging
  • Added a couple of tests

Order of the Elephant

Choose a tag to compare
Order of the Elephant Pre-release
  • Add support for syslog
  • Improve OSX support
  • Improve marginally of php8+ compatibility
  • Improve php7.4 compatibility
  • Improve the default ruleset
  • Improve the documentation
  • Improve the gitlab CI

Elephant Flats

Choose a tag to compare
Elephant Flats Pre-release


  • Tighten a bit a command-injection prevention rule in the default rules set
  • Increased the portability of the testsuite
  • Improved documentation
  • Usual code cleanup
  • Snuffleupagus will throw an informative error when compiled for PHP5
  • Snuffleupagus will throw an informative error when compiled without PCRE support
  • The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
  • Some rules against now-known vulnerabilities/techniques were added

Bug fixes

  • PHP7.4 is fully supported, without any compilation warning
  • Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine).
  • Fix a compilation warning on FreeBSD
  • Cookies hardening is now supported on PHP7.3+


Choose a tag to compare
Loxodonta Pre-release


  • Improve and clarify the documentation
  • Add support for PHP7.3
  • Improve the coverage, we have reached 99% of coverage
  • Improve mb_string hooking logic
  • The script that check uploaded file is now available in PHP

Bug fixes

  • Fix segfault on 32-bit for PHP7.3
  • Fix segfault when using sloppy_comparison feature with array