Babar the Elephant

New features

• Compatibility with PHP8.3
• Add sp.log_max_len to limit the maximum size of the log messages
• Add an example configuration for Xenforo 2.2.12

Breaking Changes

• Url encode functions arguments when logging them

Bug fixes

• Fix a possible NULL-byte truncation when outputting parameters in the logs
• Make readonly_exec play nice on readonly filesystems

Elephant Seal

New features

• Compatibility with PHP8.2
• Add the ability block object unserialization globally.

Elephant Gambit

New features

• Add the ability to dump the parameter passed to eval
• Add the ability to match on eval's parameter
• Add optional extended checks for readonly_exec
• Add config error for ini rules with identical key
• Add disabled functions return type to config export

Breaking Changes

• Mix the stacktrace in the sha256 for the filename of .dump()

Bug fixes

• Make it actually possible to configure sloppy comparison on latests PHP7
• Allow file:// prefix in include() wich readonly_exec mode
• Fix a possible crash when exporting function list
• Fix a minor memory leak when parsing cookie-related configuration

Surus

Bug fixes

• Fix compilation when ZTS is used ( 5843e8c )
• Fix a possible infinite loop ( 90723b8 )

Batyr

• Fix the version number
• Fix a test on PHP7

Woolly Mammoth

New features

• Compatibility with PHP8.1
• Check for unsupported PHP version
• Backport of Suhosin-ng patches:
  • Maximum stack depth/recursion limit
  • Maximum length for session id
  • $_SERVER strip/encode
  • Configuration dump
  • Support for conditional rules
  • INI settings protection
  • Output SP logs to stderr
  • Ported Suhosin rules to SP

Improvements

• Massive simplification of the configuration parser
• Better memory management
• Removal of internal calls to call_user_func
• Increased portability of the default rules access different version of PHP
• Start SP as late as possible, to hook as many things as possible

Bug fixes

• XML and Session support are now checked at runtime instead of at compile time

Breaking changes

• disable_xxe is renamed xxe_protection

Proboscideans

• Fixed possible memory-leaks when hooking via regular expressions
• Modernise the code by removing usage of strtok
• Prevent a possible crash during configuration reloading
• Fix the default rules to catch dangerous chmod calls
• Improve compatibility with various libpcre configurations/versions
• Improve the default rules' compatibility with php8
• Prevent XXE in php8 as well
• Improve a bit the verbosity of the logs
• Add a rules file for php8

Los Elefantes

New features

• PHP8 support
• Stacktraces in dumps
• The > operator now skips over functions

Improvements

• Move the CI from travis to gitlab-ci
• Some code simplifications and constifications
• PCRE2 is now used when possible
• The generate_rules.php script is now more portable

Bug fixes

• The strict mode is now disableable

Elephant in the room

• Allow empty configurations
• More constification
• Snuffleupagus should now be able to get client's ip addresses in more cases
• Documented compatibility with Heroku
• Improved logging
• Added a couple of tests

Order of the Elephant

• Add support for syslog
• Improve OSX support
• Improve marginally of php8+ compatibility
• Improve php7.4 compatibility
• Improve the default ruleset
• Improve the documentation
• Improve the gitlab CI