Title: Snuffleupagus 0.8.0 - Woolly Mammoth
Date: 2022-05-15 18:15

[![snuffleupagus logo]({static}/images/sp.png)](https://snuffleupagus.readthedocs.org)

I just published a new release of
[Snuffleupagus](https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.0),
the hardening module for PHP 7 and PHP 8:
version `0.8.0`, codename "Woolly Mammoth",
named after the famous [mammoth species](en.wikipedia.org/wiki/Woolly_mammoth).

This release is packed with new cool things, thanks to
[BeF](https://github.com/bef) from
[SektionEins](https://www.sektioneins.de/en/)'s work on
[Suhosin-ng](https://www.sektioneins.de/en/blog/19-08-05-suhosin-ng.html),
sponsored by [NLNet](https://nlnet.nl/project/Suhosin-NG/), which has been
merged into Snuffleupagus, in accordance with [last
September]((unknown)/php/snuffleupagus_future.md)'s plan. I spent some time
looking for bugs and tidying the code a bit, but BeF did the overwhelming majority of
the work.

There is a new (optional) dependency on the [re2c](https://re2c.org)
[>=2.0](https://re2c.org/releases/changelog/changelog.html) lexer generator,
used to generate the code that parses the configuration file. It's the same one used
by PHP itself, meaning that it's likely already packaged in your distribution.

Snuffleupagus didn't port some features/mitigations of Suhosin, either because
we thought they were outdated, or didn't fit our threat-model. One of them was
[enforcing size limit on `REQUEST`
variables](https://suhosin5.suhosin.org/stories/feature-list.html), because
surely, in our days of PHP7 and PHP8, there aren't any bugs mitigated by this,
and reverse-proxies like nginx [have limits as
well](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
Two months ago, [Oblivion](https://pwning.systems/about) published a [nice bug
in `filter_var`]( https://pwning.systems/posts/php_filter_var_shenanigans ),
~mitigated by this exact feature, ported to Snuffleupagus by BeF, proving me
wrong.

While the test suite has [~100%
coverage](https://coveralls.io/github/jvoisin/snuffleupagus?branch=master),
so many neat things landed that, despite our best efforts, some bugs
might be present. So if you're running super-duper-critical systems on exotic
platforms deployed in a handcrafted special-snowflake fashion, you might want
to wait until the inevitable [0.8.1](https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.1)
and [0.8.2](https://github.com/jvoisin/snuffleupagus/releases/tag/v0.8.2).

I also acquired a stack of ~1000 Snuffleupagus stickers, so feel free to hit me
up if you want some.

## Changelog

* Compatibility with PHP8.1
* Check for unsupported PHP version
* Backport of Suhosin-ng patches:
  * Maximum stack depth/recursion limit
  * Maximum length for session id
  * `$_SERVER` strip/encode
  * Configuration dump
  * Support for conditional rules
  * INI settings protection
  * Output SP logs to stderr
  * Ported Suhosin rules to SP
* Massive simplification of the configuration parser
* Better memory management
* Removal of internal calls to `call_user_func`
* Increased portability of the default rules across different versions of PHP
* Start SP as late as possible, to hook as many things as possible
* XML and Session support are now checked at runtime instead of at compile time
* `disable_xxe` is changed to `xxe_protection`
As usual, if you want to help, we have some
[low hanging fruits]( https://github.com/jvoisin/snuffleupagus/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) ♥

See you in your PHP stack!
