Releases: jvoisin/snuffleupagus

Order of the Elephant

21 Jun 11:47
Pre-release
  • Add support for logging to syslog
  • Improve OSX support
  • Marginally improve PHP 8+ compatibility
  • Improve PHP 7.4 compatibility
  • Improve the default ruleset
  • Improve the documentation
  • Improve the GitLab CI

Elephant Flats

12 Jun 15:03
Pre-release

Improvements

  • Tighten a command-injection prevention rule in the default ruleset
  • Increase the portability of the testsuite
  • Improve the documentation
  • Usual code cleanup
  • Snuffleupagus now throws an informative error when compiled for PHP 5
  • Snuffleupagus now throws an informative error when compiled without PCRE support
  • The testsuite is now run on Alpine, Fedora, Debian and Ubuntu.
  • Add some rules against recently documented vulnerabilities and techniques

Bug fixes

  • PHP 7.4 is fully supported, without any compilation warning
  • Snuffleupagus can now be used with a PHP built without session support compiled in (as is the case on Alpine).
  • Fix a compilation warning on FreeBSD
  • Cookie hardening is now supported on PHP 7.3+

Loxodonta

21 Dec 13:49
Pre-release

Improvements

  • Improve and clarify the documentation
  • Add support for PHP 7.3
  • Improve test coverage, which has reached 99%
  • Improve the mbstring hooking logic
  • The script that checks uploaded files is now available in PHP

Bug fixes

  • Fix a segfault on 32-bit for PHP 7.3
  • Fix a segfault when using the sloppy_comparison feature with arrays

Oliphant Chuckerbutty

31 Aug 14:59
Pre-release

New features

  • Add the possibility to whitelist stream wrappers
  • Snuffleupagus now uses PHP's logging mechanisms instead of writing its logs directly to syslog.
  • A few lines in the default configuration now prevent PHP code from ever disabling TLS certificate verification.

Improvements

  • Significant code simplification for cookie handling, thanks to Remi Collet
  • Our sloppy comparison feature is now complete
  • Snuffleupagus no longer starts with an invalid configuration, unless sp.allow_broken_configuration is set.
  • It is now possible to place virtual patches on the return value of user-defined functions.
  • Since Snuffleupagus is used by more and more organisations, a number of them have been added to our propaganda page.

Bug fixes

  • Add some missing pieces of documentation and fix some links
  • Fix the make install command
  • Fix various compilation warnings
  • Snuffleupagus now runs on platforms that don't use glibc, thanks to external contributor Antoine Tenart
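The items above (the stream-wrapper whitelist, refusing to start on a broken configuration and its sp.allow_broken_configuration override, virtual patches on return values, the certificate-verification rules) together with the log-media switch, whose syslog option is the one listed under Order of the Elephant at the top of this page, as one worked rules fragment. This is an added example written in the documented snuffleupagus rule syntax (fenced as ini only for display); it is not a file shipped by the project. The file paths, the sanitize_filename() function, the exact spelling of sp.log_media and sp.allow_broken_configuration are assumptions to check against the documentation, and the curl rules illustrate the idea rather than copy the project's default ruleset.

```ini
# Added example, not the project's default.rules.
# Assumed location: /etc/snuffleupagus/hardening.rules
# Statements end with ';', '#' starts a comment, regexes are PCRE.

# php.ini side (assumed spelling, check the documentation):
#   sp.allow_broken_configuration=1
# would let the extension start even if this file fails to parse. Leave
# it unset in production: a silently ignored ruleset is worse than a
# php-fpm that refuses to start, which a deployment check will catch.

# Where to log. "php" routes through PHP's own error_log settings (the
# Oliphant Chuckerbutty change); "syslog" writes to syslog directly
# (the Order of the Elephant addition). Which one is the default is an
# assumption here; set it explicitly.
sp.log_media("syslog");

# Stream wrappers: only file:// and phar:// may be used in include,
# fopen, file_get_contents and friends. "php" is deliberately absent:
# listing it would re-enable php://filter and php://input, the usual
# LFI-to-source-disclosure and LFI-to-RCE pivots. Add it only if the
# application really needs php://memory or php://temp.
sp.wrappers_whitelist.list("file,phar");

# Never let application code disable certificate verification on a curl
# handle. 64 = CURLOPT_SSL_VERIFYPEER, 81 = CURLOPT_SSL_VERIFYHOST
# (libcurl option numbers). The regex on "value" catches 0, false and
# the empty string (false stringifies to "", and "" is falsy for curl
# as well); for VERIFYHOST the value 1 is also caught, since only 2
# actually verifies the name.
sp.disable_function.function("curl_setopt").param("option").value("64").param("value").value_r("^(0|false|)$").drop();
sp.disable_function.function("curl_setopt").param("option").value("81").param("value").value_r("^(0|1|false|)$").drop();

# Virtual patch on the return value of a user-defined function
# (sanitize_filename() is hypothetical): whatever the sanitizer does
# internally, a result that still contains a traversal sequence ends
# the request. Roll out with .simulation() (log only) first, then
# switch the action to .drop().
sp.disable_function.function("sanitize_filename").ret_r("\.\./").simulation();
# sp.disable_function.function("sanitize_filename").ret_r("\.\./").drop();
```

Rules are evaluated in order, so keep the log-only line and its .drop() twin adjacent while rolling out, and remove the simulation line once the drop is live; otherwise every blocked request is logged twice.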

Elephant Arch

20 Aug 13:22
Pre-release

Improvements

  • Disable XXE and harden the PRNG by default
  • Use SameSite on PHP's session cookie in the default rules
  • Slightly relax which files can be included in the default rules
  • Add the possibility to ignore file hashes when generating rules
  • The filename filter now accepts phar paths

Bug fixes

  • The harden_random feature no longer ignores parameters in function calls
  • Fix possible crashes/hangs when using php-fpm pools
  • Fix an infinite loop in the echo hook
  • Fix an issue with the filename filter
  • Fix some documentation issues
  • Fix the Arch Linux PKGBUILD
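The default-hardening items of this release (XXE protection, the hardened PRNG, SameSite on the session cookie, the include restriction that this release relaxes, and a filename filter on a phar path) as one rules fragment. This is an added example in snuffleupagus rule syntax (fenced as ini for display), not the project's own default.rules: the file names, the extension list in the include regex and the phar path are assumptions, and the ordering requirement stated in the comments (allow rules before the catch-all drop) is how the rule engine is documented to behave and should be verified on a staging host.

```ini
# Added example, not the project's default.rules.
# Assumed location: /etc/snuffleupagus/defaults.rules

# XXE: loading of external entities in libxml is turned off for the
# whole process, so a dependency re-enabling it has no effect. This is
# the "disable XXE by default" item of this release.
sp.xxe_protection.enable();

# PRNG: rand(), mt_rand() and friends are backed by a CSPRNG. The bug
# fix in this release matters here: rand(0, 9) keeps its bounds instead
# of having its parameters ignored.
sp.harden_random.enable();

# Session cookie: SameSite from the rules, independent of the
# application. "lax" is the compatible choice; "strict" also strips the
# cookie from top-level navigations, which breaks links arriving from
# e-mail.
sp.cookie.name("PHPSESSID").samesite("lax");

# Include restriction: only files with a PHP-looking extension may be
# included. Order matters: the .allow() rules must precede the .drop()
# rules, the first matching rule wins. "Relax which files can be
# included" in this release is a widening of this kind of regex.
sp.disable_function.function("include").value_r("\.(php|inc|phtml)$").allow();
sp.disable_function.function("include_once").value_r("\.(php|inc|phtml)$").allow();
sp.disable_function.function("require").value_r("\.(php|inc|phtml)$").allow();
sp.disable_function.function("require_once").value_r("\.(php|inc|phtml)$").allow();
sp.disable_function.function("include").drop();
sp.disable_function.function("include_once").drop();
sp.disable_function.function("require").drop();
sp.disable_function.function("require_once").drop();

# The filename filter now accepts phar paths, so code that legitimately
# lives inside an archive can get a narrow exception (path assumed)
# while exec() stays blocked for every other call site.
sp.disable_function.function("exec").filename("phar:///var/www/app/tool.phar/bin/run.php").allow();
sp.disable_function.function("exec").drop();
```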

Dentalium elephantinum

18 Jul 13:12
Pre-release

Improvements

  • The .filename() filter now matches on the file where the function is called, instead of the one where it is defined.
  • Vastly optimize the way we hook native functions
  • The format of the logs has been streamlined to ease their processing

Bug fixes

  • Better handling of filters for builtin functions
  • Fix various possible integer overflows
  • Fix an annoying memory leak, mostly affecting mod_php

Elephant Moraine

12 Mar 09:11
Pre-release

New features

  • The .dump() filter is now supported for unserialize, readonly_exec, and eval black/whitelist

Improvements

  • Add some assertions
  • Add more rules examples
  • Provide a script to check for malicious file uploads
  • Significant performance improvement (at least +20%)
  • Significantly improve the performance of our default ruleset
  • Our readme file is now shinier
  • Minor code simplification

Bug fixes

  • Fix a crash related to variadic functions

Elephant Point

07 Feb 10:13
Pre-release

Bug fixes

  • The testsuite can now be successfully run as root
  • Fix a double execution when Snuffleupagus is used with some other extensions
  • Fix an execution-context related crash

Improvements

  • Support PCRE2, since it is required for PHP 7.3
  • Slightly improve the portability of the code
  • Minor code simplification

Elephant Rally

18 Jan 11:19
Pre-release

New features

  • Glob support in sp.configuration_file
  • Whitelist/blacklist functions called from eval()
  • phpinfo() now shows whether the configuration is valid

Bug fixes

  • Fix an off-by-one in configuration parsing
  • Fix minor memory leaks related to cookie encryption
  • Fix various crashes spotted by fr33tux
  • Configuration files with Windows line endings are now handled correctly

Improvements

  • General code clean-up
  • Documentation overhaul
  • Snuffleupagus now compiles on FreeBSD and CentOS
  • Select which cookies to encrypt via regular expressions
  • Match on return values from user-defined functions

External contributions

  • Simplification and clean up of our linked-list implementation by smagnin

Mighty Mammoth

21 Dec 15:31
Pre-release

This is our first release.