Artificial truth

The more you see, the less you believe.


Snuffleupagus 0.3.1 - Elephant Arch
Mon 20 August 2018


We just published a new release of Snuffleupagus, version 0.3.1, named Elephant Arch after the cool-looking Elephant Arch in the Red Cliffs National Conservation Area.

It's the second release that I didn't do myself, leaving the release manager's seat to my colleague h2ess, to reduce the bus factor even further.

Changelog

Improvements

  • The default rules were improved: XXE protection is now disabled, hard_rand is enabled, and the restrictions on which file extensions can be included were relaxed. Session cookies also come with the SameSite flag set, killing CSRF!
  • Because managing immutable websites is non-trivial, we added an option to generate rules without hashes, based only on file names.
  • PHP uses phar archives for various reasons, so we made Snuffleupagus' filename filter accept paths that start with phar://.

Bug fixes

  • The harden rand feature was ignoring its parameters in some cases; this is no longer the case.
  • Fix possible crashes/hangs when using php-fpm's pools, reported by sriccioa, who answered the resolution of the issue with "Thanks a lot for this. I've tried this in a sandbox system, now time to see how it will react on a shared hosting production server with ca. 200 pools :)" ♥
  • Fix an infinite loop in the echo hook, related to the previous point.
  • Fix an issue with the filename filter, because we didn't manage to wrap our heads around the multitude of functions provided by PHP to deal with zval and zend_string, again.
  • Apparently, people are reading our documentation and found some typos for us to fix.
  • Arch Linux's PKGBUILD is working again.

If you want to help, as usual, we have some low-hanging fruit.

See you in your PHP stack!