Releases: jvoisin/snuffleupagus

Mastodon

06 Sep 12:39

New features

  • Compatibility with PHP8.4
  • Print key and value on INI violations
  • Improve scripts/generate_rules.php with regard to functions from global space prefixed with \
  • Add option to specify the allowed "php" wrapper types

Bug fixes

  • Make 'phar' filenames work in sp.disabled_functions
  • Improve the documentation
  • Improve the default set of rules, especially with regard to portability
  • Improve the Debian packaging
  • Improve behaviour when dealing with a broken configuration file
  • Update the internal deprecation checks
  • Don't whitelist files if the function name is actually a method of a class in scripts/generate_rules.php
  • Ignore function definition in scripts/generate_rules.php
  • Improve configuration dumping
  • Fixed compilation on FreeBSD

Babar the Elephant

20 Sep 13:27

New features

  • Compatibility with PHP8.3
  • Add sp.log_max_len to limit the maximum size of the log messages
  • Add an example configuration for Xenforo 2.2.12

Breaking Changes

  • URL-encode function arguments when logging them

Bug fixes

  • Fix a possible NULL-byte truncation when outputting parameters in the logs
  • Make readonly_exec play nice on readonly filesystems

Elephant Seal

03 Jan 19:29

New features

  • Compatibility with PHP8.2
  • Add the ability to block object unserialization globally

Elephant Gambit

27 Aug 15:39

New features

  • Add the ability to dump the parameter passed to eval
  • Add the ability to match on eval's parameter
  • Add optional extended checks for readonly_exec
  • Add config error for ini rules with identical key
  • Add disabled functions return type to config export

Breaking Changes

  • Mix the stacktrace in the sha256 for the filename of .dump()

Bug fixes

  • Make it actually possible to configure sloppy comparison on the latest PHP7
  • Allow the file:// prefix in include() with readonly_exec mode
  • Fix a possible crash when exporting function list
  • Fix a minor memory leak when parsing cookie-related configuration

Surus

20 May 20:02

Bug fixes

  • Fix compilation when ZTS is used (5843e8c)
  • Fix a possible infinite loop (90723b8)

Batyr

16 May 17:50
  • Fix the version number
  • Fix a test on PHP7

Woolly Mammoth

15 May 16:12

New features

  • Compatibility with PHP8.1
  • Check for unsupported PHP version
  • Backport of Suhosin-ng patches:
    • Maximum stack depth/recursion limit
    • Maximum length for session id
    • $_SERVER strip/encode
    • Configuration dump
    • Support for conditional rules
    • INI settings protection
    • Output SP logs to stderr
    • Ported Suhosin rules to SP

Improvements

  • Massive simplification of the configuration parser
  • Better memory management
  • Removal of internal calls to call_user_func
  • Increased portability of the default rules across different versions of PHP
  • Start SP as late as possible, to hook as many things as possible

Bug fixes

  • XML and Session support are now checked at runtime instead of at compile time

Breaking changes

  • disable_xxe is renamed xxe_protection

Proboscideans

02 Aug 17:32
  • Fixed possible memory leaks when hooking via regular expressions
  • Modernise the code by removing usage of strtok
  • Prevent a possible crash during configuration reloading
  • Fix the default rules to catch dangerous chmod calls
  • Improve compatibility with various libpcre configurations/versions
  • Improve the default rules' compatibility with php8
  • Prevent XXE in php8 as well
  • Slightly improve the verbosity of the logs
  • Add a rules file for php8

Los Elefantes

02 Jan 18:24

New features

  • PHP8 support
  • Stacktraces in dumps
  • The > operator now skips over functions

Improvements

  • Move the CI from travis to gitlab-ci
  • Some code simplifications and constifications
  • PCRE2 is now used when possible
  • The generate_rules.php script is now more portable

Bug fixes

  • The strict mode can now be disabled

Elephant in the room

06 Nov 16:47
  • Allow empty configurations
  • More constification
  • Snuffleupagus should now be able to get clients' IP addresses in more cases
  • Documented compatibility with Heroku
  • Improved logging
  • Added a couple of tests