We just did a new release of Snuffleupagus, 0.3.1, named Elephant Arch after the cool-looking Elephant Arch in the Red Cliffs National Conservation Area.
It's the second release that I didn't do myself, leaving the release manager seat to my colleague h2ess, to reduce the bus factor even further.
Changelog
Improvements
- Default rules were improved, with xxe disabled and hard_rand on, along with relaxed restrictions on which file extensions can be included. Session cookies are also coming with the SameSite flag on, killing CSRF!
- Because managing immutable websites is non-trivial, we added an option to generate rules without hashes, based only on file names.
- PHP uses phar archives for various reasons, so we made Snuffleupagus' filename filter accept paths that start with phar://.
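To make the hashed-versus-filename trade-off concrete, here is an added example (not the project's own generate_rules.php) that emits allow rules for every PHP file under a web root, with or without a content hash, and then checks which hashed rules an in-place file edit would invalidate. The rule syntax it prints, `sp.disable_function.function(F).filename(P).hash(H).allow();` closed by a `.drop();`, is written as I understand it from the project's documentation and is an assumption of this example; the sample web root and the list of functions are constructed.

```python
"""Generate Snuffleupagus-style allow rules for the PHP files of a web root,
either with a content hash (immutable site) or by file name only.

Added example: this is not the project's generate_rules.php. The rule syntax
  sp.disable_function.function(F).filename(P).hash(H).allow();
  sp.disable_function.function(F).drop();
is an assumption of this example; check it against the version you deploy.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: functions we only want callable from known files.
DANGEROUS_FUNCTIONS = ("system", "exec", "shell_exec", "passthru")

# Extracts the filename/hash pair of a hashed allow rule.
RULE_RE = re.compile(r'\.filename\("([^"]+)"\)\.hash\("([0-9a-f]{64})"\)')


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_rules(webroot, functions=DANGEROUS_FUNCTIONS, with_hashes=True):
    """Return the rule lines for every *.php file under webroot.

    with_hashes=True  : a call is allowed only while the calling file still has
                        the hash recorded at generation time (immutable site).
    with_hashes=False : a call is allowed from the named file whatever its
                        content; this survives in-place updates but no longer
                        notices a modified file.
    Each function ends with a .drop() so any call not whitelisted is blocked.
    """
    root = Path(webroot).resolve()
    php_files = sorted(p for p in root.rglob("*.php") if p.is_file())
    rules = []
    for fn in functions:
        for p in php_files:
            rule = f'sp.disable_function.function("{fn}").filename("{p}")'
            if with_hashes:
                rule += f'.hash("{sha256_file(p)}")'
            rules.append(rule + ".allow();")
        rules.append(f'sp.disable_function.function("{fn}").drop();')
    return rules


def stale_rules(rules):
    """Return the hashed rules whose file is missing or no longer matches its hash.

    After a deployment that changed a file, these calls would be dropped until
    the rules are regenerated; that operational cost is what the filename-only
    option trades away.
    """
    stale = []
    for rule in rules:
        m = RULE_RE.search(rule)
        if not m:
            continue  # filename-only rules cannot go stale
        path = Path(m.group(1))
        if not path.is_file() or sha256_file(path) != m.group(2):
            stale.append(rule)
    return stale


def build_sample_site() -> Path:
    """Create a throw-away web root with two constructed PHP files."""
    root = Path(tempfile.mkdtemp(prefix="sp-demo-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "admin").mkdir()
    (root / "admin" / "backup.php").write_text(
        "<?php system('tar czf backup.tgz data'); ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    rules = generate_rules(site, functions=("system",))
    print("\n".join(rules))
    # Simulate an in-place edit and show which hashed rules it invalidates.
    (site / "admin" / "backup.php").write_text("<?php system('id'); ?>\n")
    print("stale after edit:", stale_rules(rules))
```

Running it prints two hashed allow rules plus the closing drop rule for `system`, then reports the `admin/backup.php` rule as stale once that file is rewritten; regenerating with `with_hashes=False` yields rules that never go stale but also never notice the change.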
Bug fixes
- The harden rand feature was ignoring parameters in some cases; it isn't the case anymore.
- Fix possible crashes/hangs when using php-fpm's pools, reported by sriccioa, who replied to the resolution of the issue with "Thanks a lot for this. I've tried this in a sandbox system, now time to see how it will react on a shared hosting production server with ca. 200 pools :)" ♥
- Fix an infinite loop on echo hook, related to the previous point.
- Fix an issue with the filename filter, because we didn't manage to wrap our head around the multitude of functions provided by PHP to deal with zval and zend_string, again.
- Apparently, people are reading our documentation and found some typos for us to fix.
- Arch Linux's PKGBUILD is working again.
If you want to help, as usual, we have some low-hanging fruit ♥
See you in your PHP stack!
