Snuffleupagus 0.9.0 - Elephant seal
Tue 03 January 2023

snuffleupagus logo

I just published a new release of Snuffleupagus, the hardening module for php7+ and php8+, version 0.9.0, codename "Elephant seal", named after a majestic seal species.

Adding support for PHP 8.2 in Snuffleupagus was relatively straightforward:

  • A few function prototypes changed signatures.
  • A broken macro, namely ZEND_HASH_FOREACH_END_DEL, can't be used with ZEND_HASH_REVERSE_FOREACH_KEY_PTR, so it was replaced with ZEND_HASH_FOREACH_END. Since ZEND_HASH_FOREACH_END_DEL isn't used anywhere in PHP's codebase, nor, to my knowledge, anywhere else except in Snuffleupagus, it's no wonder that nobody noticed it was completely broken.
  • The test suite was broken because the --CLEAN-- section loads Snuffleupagus but doesn't obey the --INI-- section, so error logs were output and the tests making use of --CLEAN-- failed. This was "fixed" by moving the cleaning parts before/after the actual tests.
  • zend_atol is deprecated, and was replaced with ZEND_STRTOL.
  • Amusingly, PHP_VERSION_ID for PHP 8.2 isn't 82000, but 80200. This wasn't a source of confusion at all, as usual.

There is also a new mitigation: unserialize_noclass, available on PHP8+. As its name implies, it disables the deserialization of objects via unserialize, the equivalent of setting allowed_classes to false in the options parameter of unserialize for every call. It was suggested by Nextgens.
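The following is an added example, not code from the Snuffleupagus project, showing in plain PHP what the mitigation achieves: with the default unserialize(), a class found in the payload is instantiated and its magic methods run; with allowed_classes set to false, PHP only produces a __PHP_Incomplete_Class placeholder, so no application class is ever instantiated. The AuditLog class, the constructed payload and the unserialize_without_classes() wrapper are assumptions made for this illustration; the Snuffleupagus configuration directive that enables the mitigation module-wide is not reproduced here.

```php
<?php
// Added example (not part of the Snuffleupagus project): the per-call
// equivalent of the unserialize_noclass mitigation on PHP 7.4+/8+.

// Hypothetical class with a magic method: the classic deserialization sink.
class AuditLog
{
    public string $path = '/tmp/audit.log';

    // Runs automatically whenever an object of this class is unserialized.
    public function __wakeup(): void
    {
        echo "__wakeup() ran for path {$this->path}\n";
    }
}

// Constructed input: the serialized form of an AuditLog object, the kind of
// string an application might read back from a cookie or request parameter.
$payload = serialize(new AuditLog());
// O:8:"AuditLog":1:{s:4:"path";s:14:"/tmp/audit.log";}

// 1. Default behaviour: the class is instantiated and __wakeup() fires.
$obj = unserialize($payload);
var_dump(get_class($obj));          // string(8) "AuditLog"

// 2. Equivalent of unserialize_noclass for this one call: no class is
//    instantiated, so no magic method can run. PHP hands back a
//    __PHP_Incomplete_Class placeholder instead.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($safe));         // string(22) "__PHP_Incomplete_Class"

// Scalars and arrays are not affected by the restriction.
var_dump(unserialize(serialize(['a' => 1, 'b' => [2, 3]]),
                     ['allowed_classes' => false]));

// Hypothetical wrapper enforcing the same policy in code paths you control,
// whether or not the Snuffleupagus module is loaded on the server.
function unserialize_without_classes(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}
```

Detection note: code that receives a __PHP_Incomplete_Class object where it expected a real object will typically fail with a notice on property access or a TypeError on a typed parameter, which is a useful signal in error logs that untrusted serialized objects were reaching unserialize().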

Changelog

  • Compatibility with PHP8.2
  • Add the ability to block object unserialization globally.

As usual, if you want to help, we have some low-hanging fruit.

See you in your PHP stack!