Hello, it presents to me the following use-case:

• Enabling non-session cookie encryption to encrypt a cookie sent to the user browser is done with snuffleupagus config file.

• I want to check not only if snuffleupagus extension is enabled but if the cookie encryption is enabled for say the cookie "confidential" so I can encrypt it manually in PHP or not.

I propose a function for checking if a cookie encryption is enabled passing by parameter the name of the cookie.

Hello and thank your for your effort to secure PHP! I'm not an IT specialist, system administration is just my hobby.

Issue: Run make test - tests fail.

Test result summary: Test results.txt

System info: Ubuntu 20.04 with latest packages and updates, kernel 5.4.0-29-generic, arch. x86_64. pcre library 8.43 + pcre-dev Openssl 1.1.1g PHP 7.4.5 config.log

If there is something needed, just let me know.

Hi and thank for amazing project to harden PHP applications. I try to deploy SP on Heroku (PHP7.4, heroku-18) to get better protection.

I noticed this will crash application when sp.log_media("php") is specified. It's working good and smooth when I specified sp.log_media("syslog") instead.

But I can't get SP log in this mode, so I try to dig the code and figure it out. Finally zend_error function seems to break the Heroku deployment I guessed.

2020-07-02T12:21:52.465450+00:00 app[api]: Release v119 created by user [email protected]
2020-07-02T12:21:53.889399+00:00 heroku[web.1]: Starting process with command `vendor/bin/heroku-php-apache2 -F config/.php.ini public/`
2020-07-02T12:21:54.075582+00:00 heroku[web.1]: Stopping all processes with SIGTERM
2020-07-02T12:21:54.125333+00:00 app[web.1]: Stopping httpd...
2020-07-02T12:21:54.126635+00:00 app[web.1]: SIGTERM received, attempting graceful shutdown...
2020-07-02T12:21:54.127999+00:00 app[web.1]: Stopping php-fpm...
2020-07-02T12:21:54.135028+00:00 app[web.1]: Shutdown complete.
2020-07-02T12:21:54.219333+00:00 heroku[web.1]: Process exited with status 143
2020-07-02T12:21:56.571026+00:00 app[web.1]: [heroku-exec] Starting
2020-07-02T12:21:57.362702+00:00 app[web.1]: Unable to determine Composer vendor-dir setting; is 'composer' executable on path or 'composer.phar' in current working directory?
2020-07-02T12:21:57.429628+00:00 heroku[web.1]: Process exited with status 1
2020-07-02T12:21:57.470123+00:00 heroku[web.1]: State changed from starting to crashed

2020-07-02T12:23:29.182229+00:00 app[api]: Release v120 created by user [email protected]
2020-07-02T12:23:29.000000+00:00 app[api]: Build succeeded
2020-07-02T12:23:30.807877+00:00 heroku[web.1]: Starting process with command `vendor/bin/heroku-php-apache2 -F config/.php.ini public/`
2020-07-02T12:23:33.283824+00:00 app[web.1]: [heroku-exec] Starting
2020-07-02T12:23:34.225526+00:00 app[web.1]: DOCUMENT_ROOT changed to 'public/'
2020-07-02T12:23:34.225620+00:00 app[web.1]: Using PHP-FPM configuration include 'config/.php.ini'
2020-07-02T12:23:34.319130+00:00 app[web.1]: Detected 536870912 Bytes of RAM
2020-07-02T12:23:34.366133+00:00 app[web.1]: PHP memory_limit is 128M Bytes
2020-07-02T12:23:34.379623+00:00 app[web.1]: Starting php-fpm with 4 workers...
2020-07-02T12:23:34.487367+00:00 app[web.1]: Starting httpd...
2020-07-02T12:23:35.138709+00:00 heroku[web.1]: State changed from starting to up

Dirty Patch

sp_utils.txt

I decide to output SP log to stderr, blocking and logging both work ! Is there any settings I messed up ? thanks.

Remind: above patch is a workaround and SHOULD NOT deploy to production.

<snipped>
2020-07-02T14:17:32.985713+00:00 app[web.1]: Starting php-fpm with 4 workers...
2020-07-02T14:17:33.084648+00:00 app[web.1]: Starting httpd...
2020-07-02T14:17:33.578194+00:00 heroku[web.1]: State changed from starting to up
2020-07-02T14:17:38.477751+00:00 heroku[router]: at=info method=GET path="/test2.php?cmd=id|try_to_injection_here" host=example.herokuapp.com request_id=1 fwd="1.2.3.4" dyno=web.1 connect=1ms service=3ms status=200 bytes=150 protocol=https
2020-07-02T14:17:38.477621+00:00 app[web.1]: [snuffleupagus][unknown][disabled_function] Aborted execution on call of the function 'exec', because its argument '$command' content (id|try_to_injection_here) matched a rule in /app/public/test2.php on line 1
2020-07-02T14:17:38.478128+00:00 app[web.1]: 10.45.9.232 - - [02/Jul/2020:14:17:38 +0000] "GET /test2.php?cmd=id|try_to_injection_here HTTP/1.1" 200 - "-" "curl/7.68.0"

Known Issues

• REMOTE_ADDR and HTTP_X_FORWARDED_FOR are not available in getenv

Heroku Environment

• Apache: 2.4.43
• PHP: 7.4.7
• Ubuntu 18.04.4 LTS

Reproduce Pack

test-sp-logging.zip

1. Decompress above zip and deploy it to Heroku (with PHP7.4 pack)
2. Log will display that app is crashed by running heroku logs --tail
3. Uncomment scripts/install_php_ext-snuffleupagus.sh L#17 and L#18
4. Deploy it again and access http://app_url/test2.php?cmd=id|try_to_injection_here
5. Log should display [snuffleupagus][unknown][disabled_function] Aborted execution on ..

wget https://github.com/jvoisin/snuffleupagus/files/4865062/test-sp-logging.zip -O /tmp/test-sp-logging.zip
unzip /tmp/test-sp-logging.zip -d /tmp

cd /tmp/test-sp-logging

git init
/usr/local/bin/heroku git:remote -a <YOURHEROKU_APP_NAME>
git add .; git commit -am "test"; git push heroku master

/usr/local/bin/heroku logs --tail

Hi,

I'm was looking for an alternative to suhosin for php 7+ in order to be able to disable some php functions on a per virtualhost or per path basis without having to have one pool per site.

At the moment i'm testing snuffleupagus on a debian "10/unstable" box with:

• Apache/2.4.33 (Debian)
• PHP 7.2 (php-fpm)

I have one php-fpm pool per user and each user can have multiple virtual hosts.

Everything worked fine as long as I used one global rules file. Then I've decided to try to have one rule file per virtual host directory, so I added this to php.ini:

[PATH=/home/user1/site1.com]
sp.configuration_file=/etc/apache2/phpsettings/site1.com.sp
memory_limit=256M

[PATH=/home/user1/site2.com]
sp.configuration_file=/etc/apache2/phpsettings/site2.com.sp
memory_limit=128M

[PATH=/home/user2/site3.com]
sp.configuration_file=/etc/apache2/phpsettings/site3.com.sp
memory_limit=512M

At first it seemed to work, phpInfo on each different host returned the corresponding sp.configuration_file value.

The problem is that after 3 or 4 calls to some php pages, the php-fpm process for the user stop responding (it shows 100% cpu usage in top), and I have to kill/restart php-fpm.

Am I trying to do something that is not supposed to work ?

Just installed PHP8 for testing with new compiled Snuffleupagus. With profile rules like:

sp.disable_function.function("function_exists").param("function_name").value("eval").drop(); sp.disable_function.function("is_callable").param("var").value("eval").drop();

I get the following errors:

Warning: [snuffleupagus][127.0.0.1][config][log] It seems that you are filtering on a parameter 'var' of the function 'is_callable', but the parameter does not exists. in /var/www/***.php on line 49

Warning: [snuffleupagus][127.0.0.1][config][log] It seems that you are filtering on a parameter 'function_name' of the function 'function_exists', but the parameter does not exists. in /var/www/***.php on line 140

We should leverage GitLab CI/CD for external repositories to test Snuffleupagus in various dockers.

Linux

• [x] Archlinux
  • [x] : We have a working PKGBUILD, courtesy of @xXx-caillou-xXx
  • [x] Upstream it
• [x] AlpineLinux
  • [x] We have a working APKBUILD, courtesy of @xXx-caillou-xXx
  • [x] Upstream it
• [ ] Debian/Ubuntu
  • [x] Just type make debian, courtesy of @jvoisin and @blotus
  • [ ] Upstream it
  • [ ] Provide a package for debian stable when we do a release
• [ ] Red Hat stuff (@remicollet ♥)
  • [x] Fedora
  • [ ] CentOS
  • [ ] RHEL
• [ ] Gentoo (one might want to "borrow" the suhosin ebuild)
• [ ] NixOS

BSD

• [x] FreeBSD: Because "a lot" of people are using it, HardenedBSD and OPNSense are based on it.
  • We fixed a build error on FreeBSD #100
• [ ] ~~NetBSD~~, because I don't think that anyone uses it in production to be honest :/
• [ ] OpenBSD: Since they are paranoid, they might want to use mitigations that are working, for once.

Misc

• [ ] Windows: It would be nice to use appveyor to prove that Snuffleupagus is working on Windows. (@ylmrx)

Hi,

Today we pushed latest revision of snufflepagus on some shared hosting production servers and for some reason our config generator script missed the creation of some snufflepagus rules files.

I've then noticed that in the case a configuration file doesn't exists, the module throw a fatal error and the website is broken.

In some cases this is a good idea to act this way, because you want to know that something isn't right. But in some other cases, it would be preferable that it just disables the module and let the script execute anyway.

Maybe having a module configuration directive to toggle on/off strict config check would be an idea ?

What do you think about it ?

Buid ok with some warnings

/dev/shm/BUILD/snuffleupagus-bdc2d866c1c55826383c0b203a0702bc58cefe76/src/sp_crypt.c:127:23: warning: passing argument 1 of 'zend_string_release' from incompatible pointer type [-Wincompatible-pointer-types]
   zend_string_release(decrypted);
                       ^~~~~~~~~
In file included from /opt/remi/php74/root/usr/include/php/Zend/zend.h:32,
                 from /opt/remi/php74/root/usr/include/php/main/php.h:33,
                 from /opt/remi/php74/root/usr/include/php/main/SAPI.h:22,
                 from /dev/shm/BUILD/snuffleupagus-bdc2d866c1c55826383c0b203a0702bc58cefe76/src/php_snuffleupagus.h:17,
                 from /dev/shm/BUILD/snuffleupagus-bdc2d866c1c55826383c0b203a0702bc58cefe76/src/sp_crypt.c:1:
/opt/remi/php74/root/usr/include/php/Zend/zend_string.h:273:65: note: expected 'zend_string *' {aka 'struct _zend_string *'} but argument is of type 'unsigned char *'
 static zend_always_inline void zend_string_release(zend_string *s)
                                                    ~~~~~~~~~~~~~^

Test suite have 1 failed test

TEST 273/294 [tests/sloppy_comparison_array_keys.phpt]
========DIFF========
007+ array(0) {
007- array(3) {
008-   [0]=>
009-   string(4) "toto"
010-   [1]=>
011-   string(4) "titi"
012-   [2]=>
013-   string(4) "tata"
========DONE========
FAIL Sloppy comparison array_keys [tests/sloppy_comparison_array_keys.phpt] 

First commit to build a (somewhat) compliant Debian package.

• I say somewhat because I don't follow debian naming scheme where snuffleupagus would have to be named php-snuffleupagus
• I had to mv src/* . so we may need to decide where src/* files should be located

TODO:

• update .gitignore if needed as the file hierarchy had to be changed
• use git-buildpackage

not sure if this is supposed to be backward compatible (i only found information about 7.4). i downloaded the .deb https://github.com/jvoisin/snuffleupagus/releases/download/v0.5.1/snuffleupagus_0.5.1_amd64.deb installed it, added a 20-snuffleupagus.ini in /etc/php/7.3/fpm/conf.d as mentioned in the install guide

in the error log i can see:

[13-Aug-2020 18:23:41 Europe/Berlin] PHP Warning:  PHP Startup: Unable to load dynamic library 'snuffleupagus.so' (tried: /usr/lib/php/20180731/snuffleupagus.so (/usr/lib/php/20180731/snuffleupagus.so: cannot open shared object file: No such file or directory), /usr/lib/php/20180731/snuffleupagus.so.so (/usr/lib/php/20180731/snuffleupagus.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

root@server:/etc/php/7.3/fpm/conf.d# find / | grep snuffle
/etc/php/7.4/mods-available/snuffleupagus.ini
/etc/php/7.3/fpm/conf.d/20-snuffleupagus.ini
/var/lib/dpkg/info/snuffleupagus.md5sums
/var/lib/dpkg/info/snuffleupagus.conffiles
/var/lib/dpkg/info/snuffleupagus.list
/usr/share/doc/snuffleupagus
/usr/share/doc/snuffleupagus/changelog.gz
/usr/share/doc/snuffleupagus/README.md.gz
/usr/share/doc/snuffleupagus/copyright
/usr/share/doc/snuffleupagus/examples
/usr/share/doc/snuffleupagus/examples/default.rules.gz
/usr/lib/php/20190902/snuffleupagus.so
/root/snuffleupagus_0.5.1_amd64.deb

Hi!

As a former Suhosin user I'm happy to see something similar for more recent php versions. But as you might have guessed there're some things I miss. Some globals like:

• suhosin.executor.max_depth
• suhosin.executor.include.max_traversal
• suhosin.multiheader
• suhosin.server.encode
• suhosin.server.strip

Particularly nice are the global post and get limits like max_name_length, max_value_length, max_vars and more. Of course if there's a way to do some of these things with existing settings I'm all ears. Otherwise I would welcome the addition of some of such globals at some point.

Further a bit more control of how cookies and sessions are treated. Suhosin allows not only to choose what's used for the encryption (cryptua, cryptdocroot, cryptraddr, checkraddr) but also lets you set different keys for sessions and cookies. In addition threre's a bunch of settings for taming the cookies content like max_array_depth, max_name_length, max_value_length and more. However these are more like a nice-to-have, the globals I mentioned before though would clearly be my priority.

Thanks for reading and keep up the good work!

Using PHP 8.2.1

=====================================================================
BORKED TEST SUMMARY
---------------------------------------------------------------------

Warning: [snuffleupagus][0.0.0.0][config][log] No configuration specificed via sp.configuration_file in Unknown on line 0

Warning: chmod(): No such file or directory in /dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution.clean.php on line 3

Warning: chmod(): No such file or directory in /dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution.clean.php on line 4

Warning: unlink(/dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/non_writable_file.txt): No such file or directory in /dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution.clean.php on line 5

Warning: unlink(/dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/writable_file.txt): No such file or directory in /dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution.clean.php on line 6
 [/dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution.phpt]

Warning: [snuffleupagus][0.0.0.0][config][log] No configuration specificed via sp.configuration_file in Unknown on line 0
 [/dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/deny_writable_execution_simulation.phpt]

Warning: [snuffleupagus][0.0.0.0][config][log] No configuration specificed via sp.configuration_file in Unknown on line 0
 [/dev/shm/BUILD/snuffleupagus-7d006a4b971aec04c42c06c877c0e496f1f62bc0/src/tests/deny_writable/dump_deny_writable_execution.phpt]
=====================================================================

OK with PHP 8.1.13

I'm trying to build this extension from source so that I can use it on platform.sh, but I'm running into an error (warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’) when I run make.

I don't really understand this error so I'd appreciate if you can give me any suggestions about what may be wrong.

Running PHP 8.1

web@5accffd0f86b:/app/submodules/snuffleupagus/snuffleupagus/src$ phpize
Configuring for:
PHP Api Version:         20210902
Zend Module Api No:      20210902
Zend Extension Api No:   420210902

Next configure:

web@5accffd0f86b:/app/submodules/snuffleupagus/snuffleupagus/src$ ./configure --enable-snuffleupagus
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a sed that does not truncate output... /bin/sed
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking how to run the C preprocessor... cc -E
checking for icc... no
checking for suncc... no
checking for system library directory... lib
checking if compiler supports -Wl,-rpath,... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for PHP prefix... /usr
checking for PHP includes... -I/usr/include/php/20210902-zts -I/usr/include/php/20210902-zts/main -I/usr/include/php/20210902-zts/TSRM -I/usr/include/php/20210902-zts/Zend -I/usr/include/php/20210902-zts/ext -I/usr/include/php/20210902-zts/ext/date/lib
checking for PHP extension directory... /usr/lib/php/20210902-zts
checking for PHP installed headers prefix... /usr/include/php/20210902-zts
checking if debug is enabled... no
checking if zts is enabled... yes
checking for gawk... no
checking for nawk... nawk
checking if nawk is broken... no
checking whether to enable snuffleupagus support... yes, shared
checking whether to enable coverage support... no
checking whether to enable debug messages... no
checking whether to enable debug messages... no
checking for cc option to accept ISO C99... none needed
checking for cc option to accept ISO Standard C... (cached) none needed
./configure: line 4426: pcre2-config: command not found
checking whether C compiler accepts -Wl,-z,relro,-z,now... yes
checking for pcre_compile in -lpcre... yes
checking for a sed that does not truncate output... /bin/sed
checking for ld used by cc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for /usr/bin/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking whether ln -s works... yes
checking how to recognize dependent libraries... pass_all
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking the maximum length of command line arguments... 1572864
checking command to parse /usr/bin/nm -B output from cc object... ok
checking for objdir... .libs
checking for ar... ar
checking for ranlib... ranlib
checking for strip... strip
checking if cc supports -fno-rtti -fno-exceptions... no
checking for cc option to produce PIC... -fPIC
checking if cc PIC flag -fPIC works... yes
checking if cc static flag -static works... yes
checking if cc supports -c -o file.o... yes
checking whether the cc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no

creating libtool
appending configuration tag "CXX" to libtool
configure: patching config.h.in
configure: creating ./config.status
config.status: creating config.h
config.status: config.h is unchanged

And finally make:

web@5accffd0f86b:/app/submodules/snuffleupagus/snuffleupagus/src$ make
/bin/bash /app/submodules/snuffleupagus/snuffleupagus/src/libtool --mode=compile cc -I. -I/app/submodules/snuffleupagus/snuffleupagus/src -I/app/submodules/snuffleupagus/snuffleupagus/src/include -I/app/submodules/snuffleupagus/snuffleupagus/src/main -I/app/submodules/snuffleupagus/snuffleupagus/src -I/usr/include/php/20210902-zts -I/usr/include/php/20210902-zts/main -I/usr/include/php/20210902-zts/TSRM -I/usr/include/php/20210902-zts/Zend -I/usr/include/php/20210902-zts/ext -I/usr/include/php/20210902-zts/ext/date/lib  -DHAVE_CONFIG_H  -g -O2 -Wall -Wextra -Wno-unused-parameter -Wformat=2 -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong    -DZEND_COMPILE_DL_EXT=1 -c /app/submodules/snuffleupagus/snuffleupagus/src/snuffleupagus.c -o snuffleupagus.lo  -MMD -MF snuffleupagus.dep -MT snuffleupagus.lo
mkdir .libs
 cc -I. -I/app/submodules/snuffleupagus/snuffleupagus/src -I/app/submodules/snuffleupagus/snuffleupagus/src/include -I/app/submodules/snuffleupagus/snuffleupagus/src/main -I/app/submodules/snuffleupagus/snuffleupagus/src -I/usr/include/php/20210902-zts -I/usr/include/php/20210902-zts/main -I/usr/include/php/20210902-zts/TSRM -I/usr/include/php/20210902-zts/Zend -I/usr/include/php/20210902-zts/ext -I/usr/include/php/20210902-zts/ext/date/lib -DHAVE_CONFIG_H -g -O2 -Wall -Wextra -Wno-unused-parameter -Wformat=2 -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DZEND_COMPILE_DL_EXT=1 -c /app/submodules/snuffleupagus/snuffleupagus/src/snuffleupagus.c -MMD -MF snuffleupagus.dep -MT snuffleupagus.lo  -fPIC -DPIC -o .libs/snuffleupagus.o
/bin/bash /app/submodules/snuffleupagus/snuffleupagus/src/libtool --mode=compile cc -I. -I/app/submodules/snuffleupagus/snuffleupagus/src -I/app/submodules/snuffleupagus/snuffleupagus/src/include -I/app/submodules/snuffleupagus/snuffleupagus/src/main -I/app/submodules/snuffleupagus/snuffleupagus/src -I/usr/include/php/20210902-zts -I/usr/include/php/20210902-zts/main -I/usr/include/php/20210902-zts/TSRM -I/usr/include/php/20210902-zts/Zend -I/usr/include/php/20210902-zts/ext -I/usr/include/php/20210902-zts/ext/date/lib  -DHAVE_CONFIG_H  -g -O2 -Wall -Wextra -Wno-unused-parameter -Wformat=2 -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong    -DZEND_COMPILE_DL_EXT=1 -c /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c -o sp_config.lo  -MMD -MF sp_config.dep -MT sp_config.lo
 cc -I. -I/app/submodules/snuffleupagus/snuffleupagus/src -I/app/submodules/snuffleupagus/snuffleupagus/src/include -I/app/submodules/snuffleupagus/snuffleupagus/src/main -I/app/submodules/snuffleupagus/snuffleupagus/src -I/usr/include/php/20210902-zts -I/usr/include/php/20210902-zts/main -I/usr/include/php/20210902-zts/TSRM -I/usr/include/php/20210902-zts/Zend -I/usr/include/php/20210902-zts/ext -I/usr/include/php/20210902-zts/ext/date/lib -DHAVE_CONFIG_H -g -O2 -Wall -Wextra -Wno-unused-parameter -Wformat=2 -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DZEND_COMPILE_DL_EXT=1 -c /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c -MMD -MF sp_config.dep -MT sp_config.lo  -fPIC -DPIC -o .libs/sp_config.o
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:8:60: error: initializer element is not constant
     {parse_unserialize,         SP_TOKEN_UNSERIALIZE_HMAC, &(SPCFG(unserialize))},
                                                            ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:8:60: note: (near initialization for ‘sp_func[0].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:8:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_unserialize,         SP_TOKEN_UNSERIALIZE_HMAC, &(SPCFG(unserialize))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:9:57: error: initializer element is not constant
     {parse_enable,              SP_TOKEN_HARDEN_RANDOM, &(SPCFG(random).enable)},
                                                         ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:9:57: note: (near initialization for ‘sp_func[1].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:9:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_enable,              SP_TOKEN_HARDEN_RANDOM, &(SPCFG(random).enable)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:10:53: error: initializer element is not constant
     {parse_log_media,           SP_TOKEN_LOG_MEDIA, &(SPCFG(log_media))},
                                                     ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:10:53: note: (near initialization for ‘sp_func[2].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:10:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_log_media,           SP_TOKEN_LOG_MEDIA, &(SPCFG(log_media))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:12:57: error: initializer element is not constant
     {parse_readonly_exec,       SP_TOKEN_READONLY_EXEC, &(SPCFG(readonly_exec))},
                                                         ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:12:57: note: (near initialization for ‘sp_func[4].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:12:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_readonly_exec,       SP_TOKEN_READONLY_EXEC, &(SPCFG(readonly_exec))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:13:57: error: initializer element is not constant
     {parse_enable,              SP_TOKEN_GLOBAL_STRICT, &(SPCFG(global_strict).enable)},
                                                         ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:13:57: note: (near initialization for ‘sp_func[5].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:13:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_enable,              SP_TOKEN_GLOBAL_STRICT, &(SPCFG(global_strict).enable)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:14:61: error: initializer element is not constant
     {parse_upload_validation,   SP_TOKEN_UPLOAD_VALIDATION, &(SPCFG(upload_validation))},
                                                             ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:14:61: note: (near initialization for ‘sp_func[6].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:14:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_upload_validation,   SP_TOKEN_UPLOAD_VALIDATION, &(SPCFG(upload_validation))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:17:62: error: initializer element is not constant
     {parse_enable,              SP_TOKEN_AUTO_COOKIE_SECURE, &(SPCFG(auto_cookie_secure).enable)},
                                                              ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:17:62: note: (near initialization for ‘sp_func[9].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:17:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_enable,              SP_TOKEN_AUTO_COOKIE_SECURE, &(SPCFG(auto_cookie_secure).enable)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:18:58: error: initializer element is not constant
     {parse_enable,              SP_TOKEN_XXE_PROTECTION, &(SPCFG(xxe_protection).enable)},
                                                          ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:18:58: note: (near initialization for ‘sp_func[10].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:18:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_enable,              SP_TOKEN_XXE_PROTECTION, &(SPCFG(xxe_protection).enable)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:19:58: error: initializer element is not constant
     {parse_eval_filter_conf,    SP_TOKEN_EVAL_BLACKLIST, &(SPCFG(eval).blacklist)},
                                                          ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:19:58: note: (near initialization for ‘sp_func[11].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:19:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_eval_filter_conf,    SP_TOKEN_EVAL_BLACKLIST, &(SPCFG(eval).blacklist)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:20:58: error: initializer element is not constant
     {parse_eval_filter_conf,    SP_TOKEN_EVAL_WHITELIST, &(SPCFG(eval).whitelist)},
                                                          ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:20:58: note: (near initialization for ‘sp_func[12].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:20:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_eval_filter_conf,    SP_TOKEN_EVAL_WHITELIST, &(SPCFG(eval).whitelist)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:21:62: error: initializer element is not constant
     {parse_session,             SP_TOKEN_SESSION_ENCRYPTION, &(SPCFG(session))},
                                                              ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:21:62: note: (near initialization for ‘sp_func[13].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:21:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_session,             SP_TOKEN_SESSION_ENCRYPTION, &(SPCFG(session))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:22:61: error: initializer element is not constant
     {parse_enable,              SP_TOKEN_SLOPPY_COMPARISON, &(SPCFG(sloppy).enable)},
                                                             ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:22:61: note: (near initialization for ‘sp_func[14].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:22:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_enable,              SP_TOKEN_SLOPPY_COMPARISON, &(SPCFG(sloppy).enable)},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:23:58: error: initializer element is not constant
     {parse_wrapper_whitelist,   SP_TOKEN_ALLOW_WRAPPERS, &(SPCFG(wrapper))},
                                                          ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:23:58: note: (near initialization for ‘sp_func[15].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:23:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_wrapper_whitelist,   SP_TOKEN_ALLOW_WRAPPERS, &(SPCFG(wrapper))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:24:58: error: initializer element is not constant
     {parse_ini_protection,      SP_TOKEN_INI_PROTECTION, &(SPCFG(ini))},
                                                          ^
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:24:58: note: (near initialization for ‘sp_func[16].retval’)
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:24:5: warning: missing initializer for field ‘retval’ of ‘sp_config_keyword’ {aka ‘const struct <anonymous>’} [-Wmissing-field-initializers]
     {parse_ini_protection,      SP_TOKEN_INI_PROTECTION, &(SPCFG(ini))},
     ^
In file included from /app/submodules/snuffleupagus/snuffleupagus/src/php_snuffleupagus.h:82,
                 from /app/submodules/snuffleupagus/snuffleupagus/src/sp_config.c:5:
/app/submodules/snuffleupagus/snuffleupagus/src/sp_config.h:187:9: note: ‘retval’ declared here
   void *retval;
         ^~~~~~
make: *** [Makefile:221: sp_config.lo] Error 1

Hello,

I am using Snuffleupagus along various Wordpress installs and I have trouble with readonly_exec() option that collides with the way Wordfence works.

After setting the correct permissions for the whole WP install (chmod ugo-w for all *.php *.inc) I notice the site doesn't load, because of Wordfence. Wordfence changes file permissions (apparently on load of WP) for its own files so that they are writable by the user. These files are specifically:

/wp-content/wflogs/attack-data.php
/wp-content/wflogs/config.php
/wp-content/wflogs/config-synced.php
...
/wp-content/wflogs/rules.php

Snuffleupagus stops execution of rules.php and thus of the whole site, which remains blank.

Is there a way to ignore these files / this directory and still be able to use readonly_exec() ? Otherwise I will have to disable it :(

Been using snuffleupagus for some time, and I see that phpMyAdmin 5.2.0 silently fails to load with a single rule:

sp.disable_function.function("eval").drop(); or sp.disable_function.function("eval").allow(); or sp.disable_function.function("eval").drop().simulate(); or sp.disable_function.function("eval").filename_r(".*").allow(); or sp.disable_function.function("eval").filename_r("var/www/phpmyadmin/.*$").allow(); No error is logged, and I get a blank page with 200 status.

An invalid conf rule such as: sp.disable_function.function("eval").simulate(); will correctly log as: [20-Jun-2022 16:09:20 UTC] PHP Fatal error: [snuffleupagus][1.2.3.4][config][log] Unexpected keyword 'simulate' on line 1 in Unknown on line 0

So the question is: How may I selectively enable eval for phpmyadmin?

I'm using snuffleupagus v0.8.2, and I tried this with php7.4-fpm and php-cgi7.4.

By disabling this single eval rule, the phpMyAdmin 5 page(s) will load. The eval rule might be triggered because of this.

Also found these conversations which may be related: • Snuffleupagus writable execution of eval'd code ? #409 • Is there any chance I can avoid using eval in Twig? #2428

/home/jvoisin/dev/snuffleupagus/src/sp_config_scanner.re: In function ‘sp_config_scan’:
/home/jvoisin/dev/snuffleupagus/src/sp_config_scanner.re:193:38: warning: ‘yyt4’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  193 |       tmp = zend_string_init(t3+1, t4-t3-2, 1);
      |                                    ~~^~~
/home/jvoisin/dev/snuffleupagus/src/sp_config_scanner.c:158:13: note: ‘yyt4’ was declared here
  158 | const char *yyt4;
      |             ^~~~
/home/jvoisin/dev/snuffleupagus/src/sp_config_scanner.re:193:13: warning: ‘yyt3’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  193 |       tmp = zend_string_init(t3+1, t4-t3-2, 1);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/jvoisin/dev/snuffleupagus/src/sp_config_scanner.c:157:13: note: ‘yyt3’ was declared here
  157 | const char *yyt3;
      |             ^~~~

Can you please take a look at it @bef ? I'm not yet comfortable with the code of your parser, and didn't manage to fix it on my own.