This release is packed with new cool things, thanks to BeF from SektionEins' work on Suhosin-ng, sponsored by NLnet, which has been merged into Snuffleupagus in accordance with last September's plan. I spent some time looking for bugs and tidying the code a bit, but BeF did the overwhelming majority of the work.
There is a new (optional) dependency on the re2c >= 2.0 lexer generator, which is used to generate the code that parses the configuration file. It's the same lexer generator PHP itself uses, so it's likely already packaged in your distribution.
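Since the parser is only regenerated when a new enough re2c is on PATH, here is a small pre-build check, added here as an example and not part of Snuffleupagus itself. It assumes that `re2c --version` prints a first line of the form `re2c X.Y[.Z]` (an assumption about re2c's output, checked against constructed strings below rather than a real binary); the function and variable names are mine.

```sh
#!/bin/sh
# Added example, not Snuffleupagus code: verify the re2c on PATH is >= 2.0,
# the minimum this release needs to regenerate the configuration parser.
# Assumption: `re2c --version` prints a line like "re2c 2.2" or "re2c 3.0.3".

# version_ge A B: exit 0 if dotted version A >= dotted version B.
# Missing trailing components count as 0, so "2" == "2.0".
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# re2c_version_ok LINE: exit 0 if LINE is a "re2c X.Y" banner for version >= 2.0.
# Only the leading digits-and-dots after "re2c" are kept; anything else fails.
re2c_version_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^re2c[[:space:]]*\([0-9][0-9.]*\).*$/\1/p')
    [ -n "$v" ] || return 1
    version_ge "$v" 2.0
}

# check_re2c: exit 0 if a usable re2c is installed, 1 otherwise (with a reason).
# Without it the build falls back to the pre-generated parser shipped in the tarball.
check_re2c() {
    if ! command -v re2c >/dev/null 2>&1; then
        echo "re2c not found: the bundled, pre-generated parser will be used" >&2
        return 1
    fi
    banner=$(re2c --version 2>/dev/null | head -n 1)
    if re2c_version_ok "$banner"; then
        echo "re2c OK: $banner"
    else
        echo "re2c too old (need >= 2.0): $banner" >&2
        return 1
    fi
}
```

Run `check_re2c` before `phpize && ./configure && make`; a non-zero exit means you will build with the parser code already committed in the repository rather than a freshly generated one.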
Snuffleupagus didn't port some features/mitigations of Suhosin, either because we thought they were outdated or because they didn't fit our threat model. One of them was enforcing a size limit on
surely, in our days of PHP 7 and PHP 8, there aren't any bugs mitigated by this, and reverse proxies like nginx have limits as
Two months ago, Oblivion published a nice bug
~mitigated by this exact feature, ported to Snuffleupagus by BeF, proving me
While the test suite has ~100% coverage, so many things landed in this release that, despite our best efforts, some bugs might be present. If you're running super-duper-critical systems on exotic platforms deployed in a handcrafted special-snowflake fashion, you might want to wait for the inevitable 0.8.1 and 0.8.2.
I also acquired a stack of ~1000 Snuffleupagus stickers, so feel free to hit me up if you want some.
- Compatibility with PHP 8.1
- Check for unsupported PHP versions
- Backport of Suhosin-ng patches:
  - Maximum stack depth/recursion limit
  - Maximum length for session id
  - Configuration dump
  - Support for conditional rules
  - INI settings protection
  - Output SP logs to stderr
  - Ported Suhosin rules to SP
- Massive simplification of the configuration parser
- Better memory management
- Removal of internal calls to
- Increased portability of the default rules across different versions of PHP
- Start SP as late as possible, to hook as many things as possible
- XML and Session support are now checked at runtime instead of at compile time
- disable_xxe is changed to
As usual, if you want to help, we have some low-hanging fruit ♥
See you in your PHP stack!