Artificial truth


Snuffleupagus 0.8.0 - Woolly Mammoth
Sun 15 May 2022 — download

snuffleupagus logo

I just published a new release of Snuffleupagus, the hardening module for PHP 7+ and PHP 8+: version 0.8.0, codename "Woolly Mammoth", named after the famous mammoth species.

This release is packed with new cool things, thanks to BeF from SektionEins's work on Suhosin-ng, sponsored by NLNet, which has been merged into Snuffleupagus in accordance with last September's plan. I spent some time looking for bugs and tidying the code a bit, but BeF did the overwhelming majority of the work.

There is a new (optional) dependency on the re2c >= 2.0 lexer generator, used to generate the code that parses the configuration file. It's the same lexer generator PHP itself uses, so it's likely already packaged in your distribution.

Snuffleupagus didn't port some features/mitigations of Suhosin, either because we thought they were outdated or because they didn't fit our threat model. One of them was enforcing size limits on REQUEST variables, because surely, in our days of PHP 7 and PHP 8, there aren't any bugs mitigated by this, and reverse proxies like nginx have limits as well. Two months ago, Oblivion published a nice bug in filter_var that is ~mitigated by this exact feature, which BeF has since ported to Snuffleupagus, proving me wrong.
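To make the mitigation concrete, here is an added userland illustration of what "enforcing size limits on REQUEST variables" means in practice; it is not Snuffleupagus's own implementation or configuration syntax, and the limits, the `check_request_limits` helper and the sample request data are constructed for this example.

```php
<?php
// Added illustration (not Snuffleupagus code): enforce size limits on request
// variables in userland, the class of mitigation the post describes.
// The limits below are constructed sample values, not Snuffleupagus defaults.

const MAX_VALUE_LENGTH = 65536;   // bytes per scalar value
const MAX_KEY_LENGTH   = 256;     // bytes per key
const MAX_VARIABLES    = 1000;    // total scalar values across all sources
const MAX_ARRAY_DEPTH  = 16;      // nesting depth of a[b][c]... arrays

/**
 * Walk one request superglobal recursively and return the first violation
 * as a string, or null when everything is within limits.
 * $count is shared across sources so the total-variable limit is global.
 */
function check_request_limits(array $vars, string $source, int &$count, int $depth = 0): ?string
{
    if ($depth > MAX_ARRAY_DEPTH) {
        return $source . ': array nesting deeper than ' . MAX_ARRAY_DEPTH;
    }
    foreach ($vars as $key => $value) {
        $path = $source . '[' . $key . ']';
        if (strlen((string) $key) > MAX_KEY_LENGTH) {
            return $source . ': key longer than ' . MAX_KEY_LENGTH . ' bytes';
        }
        if (is_array($value)) {
            // Nested arrays (a[b][c]=...) are walked with the depth tracked.
            $err = check_request_limits($value, $path, $count, $depth + 1);
            if ($err !== null) {
                return $err;
            }
            continue;
        }
        if (++$count > MAX_VARIABLES) {
            return $source . ': more than ' . MAX_VARIABLES . ' request variables';
        }
        if (strlen((string) $value) > MAX_VALUE_LENGTH) {
            return $path . ': value longer than ' . MAX_VALUE_LENGTH . ' bytes';
        }
    }
    return null;
}

// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$sources = [
    'GET'    => ['id' => '42', 'q' => str_repeat('A', 100), 'f' => ['a' => ['b' => 'c']]],
    'POST'   => ['comment' => str_repeat('B', MAX_VALUE_LENGTH + 1)],
    'COOKIE' => ['session' => 'abc'],
];

$count = 0;
foreach ($sources as $name => $vars) {
    $err = check_request_limits($vars, $name, $count);
    if ($err !== null) {
        // In a real deployment this runs before any application code touches
        // the request, e.g. from an auto_prepend_file, and rejects it outright.
        http_response_code(413);
        error_log('request rejected: ' . $err);
        exit;
    }
}
echo "request within limits\n";
```

Run with `php check_limits.php`: the oversized `POST[comment]` value trips the limit and the request is rejected with a 413 before any parsing function such as `filter_var` sees the data, which is exactly why a module-level limit catches bugs that live in later parsing code.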

While the test suite has ~100% coverage, so many neat things landed that, despite our best efforts, some bugs might be present; so if you're running super-duper-critical systems on exotic platforms deployed in a handcrafted special-snowflake fashion, you might want to wait for the inevitable 0.8.1 and 0.8.2.

I also acquired a stack of ~1000 Snuffleupagus stickers, so feel free to hit me up if you want some.

Changelog

  • Compatibility with PHP 8.1
  • Check for unsupported PHP versions
  • Backport of Suhosin-ng patches:
    ◦ Maximum stack depth/recursion limit
    ◦ Maximum length for session id
    ◦ $_SERVER strip/encode
    ◦ Configuration dump
    ◦ Support for conditional rules
    ◦ INI settings protection
    ◦ Output SP logs to stderr
    ◦ Ported Suhosin rules to SP
  • Massive simplification of the configuration parser
  • Better memory management
  • Removal of internal calls to call_user_func
  • Increased portability of the default rules across different versions of PHP
  • Start SP as late as possible, to hook as many things as possible
  • XML and Session support are now checked at runtime instead of at compile time
  • disable_xxe is renamed to xxe_protection

As usual, if you want to help, we have some low-hanging fruits.

See you in your PHP stack!