snuffleupagus (0.11.0) UNRELEASED; urgency=low
  [ jvoisin ]
  * Compatibility with PHP8.4                                                     
  * Fixed compilation on FreeBSD
  * Update the internal deprecation checks                                        

  [ cgzones ]
  * Print key and value on INI violations                                         
  * Improve `scripts/generate_rules.php` with regard to functions from global space prefixed with `\`
  * Add option to specify the allowed "php" wrapper types                         
  * Make 'phar' filenames work in `sp.disabled_functions`                         
  * Improve the documentation                                                     
  * Improve the default set of rules, especially with regard to portability       
  * Improve the Debian packaging                                                  
  * Improve behaviour when dealing with broken configuration file                 
  * Don't whitelist files if the function name is actually a method of a class in `scripts/generate_rules.php`
  * Ignore function definition in `scripts/generate_rules.php`                    
  * Improve configuration dumping                                                 

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Fri, 06 Sep 2024 14:30:00 +0200

snuffleupagus (0.10.0) UNRELEASED; urgency=low
  [ jvoisin ]
  * Compatibility with PHP8.3
  * Add `sp.log_max_len` to limit the maximum size of the log messages
  * Add an example configuration for Xenforo 2.2.12 
  * Url encode functions arguments when logging them

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Wed, 20 Sep 2023 15:25:00 +0200

snuffleupagus (0.9.0) UNRELEASED; urgency=low
  [ jvoisin ]
  * Compatibility with PHP8.2
  * Add the ability block object unserialization globally.

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Tue, 03 Jan 2023 20:25:00 +0200

snuffleupagus (0.8.3) UNRELEASED; urgency=low
  [ jvoisin ]
  * Mix the stacktrace in the sha256 for the filename of .dump()
  * Add the ability to dump the parameter passed to `eval`
  * Add the ability to match on `eval`'s parameter
  * Add optional extended checks for `readonly_exec`
  * Add config error for ini rules with identical key
  * Add disabled functions return type to config export
  * Make it actually possible to configure sloppy comparison on latests PHP7
  * Allow file:// prefix in include() with readonly_exec mode
  * Fix a possible crash when exporting function list
  * Fix a minor memory leak when parsing cookie-related configuration

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sat, 27 Aug 2022 17:30:00 +0200

snuffleupagus (0.8.2) UNRELEASED; urgency=low
  [ jvoisin ]
  * Fix compilation when ZTS is used
  * Fix a possible infinite loop

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sun, 20 Apr 2022 22:00:00 +0200

snuffleupagus (0.8.1) UNRELEASED; urgency=low
  [ jvoisin ]
  * Fix the version number
  * Fix a test on PHP7

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sun, 16 Apr 2022 19:45:00 +0200

snuffleupagus (0.8.0) UNRELEASED; urgency=low
  [ jvoisin ]
  * Compatibility with PHP8.1
  * Check for unsupported PHP version
  * Backport of Suhosin-ng patches:
    * Maximum stack depth/recursion limit
    * Maximum length for session id
    * $_SERVER strip/encode
    * Configuration dump
    * Support for conditional rules
    * INI settings protection
    * Output SP logs to stderr
    * Ported Suhosin rules to SP
  * Massive simplification of the configuration parser
  * Better memory management
  * Removal of internal calls to `call_user_func`
  * Increased portability of the default rules access different version of PHP
  * Start SP as late as possible, to hook as many things as possible
  * XML and Session support are now checked at runtime instead of at compile time

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sun, 15 Apr 2022 18:00:00 +0200

snuffleupagus (0.7.1) UNRELEASED; urgency=low
  [ jvoisin ]
  * Fixed possible memory-leaks when hooking via regular expressions               
  * Modernise the code by removing usage of `strtok`                               
  * Prevent a possible crash during configuration reloading                        
  * Fix the default rules to catch dangerous `chmod` calls                         
  * Improve compatibility with various `libpcre` configurations/versions           
  * Improve the default rules' compatibility with php8                             
  * Prevent XXE in php8 as well                                                    
  * Improve a bit the verbosity of the logs                                        
  * Add a rules file for php8  

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sun, 02 Aug 2021 19:29:00 +0200

snuffleupagus (0.7.0) UNRELEASED; urgency=medium
  [ jvoisin ]
  * PHP8 support
  * Stacktraces in dumps
  * The `>` operator skips over functions
  * PCRE2 is used when possible
  * The `generate_rules.php` script is now more portable
  * The strict mode is now disableable

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sun, 02 Jan 2021 19:22:00 +0100

snuffleupagus (0.6.0) UNRELEASED; urgency=medium

  [ jvoisin ]
  * More constification
  * Snuffleupagus should now be able to get client's ip addresses in more cases
  * Documented compatibility with Heroku
  * Improved logging
  * Added a couple of tests

  [ wargio ]
  * allow empty configurations

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Fri, 06 Nov 2020 17:45:00 +0200

snuffleupagus (0.5.1) UNRELEASED; urgency=medium

  [ jvoisin ]
  * Add support for syslog
  * Improve OSX support
  * Improve marginally of php8+ compatibility
  * Improve php7.4 compatibility
  * Improve the default ruleset
  * Improve the documentation
  * Improve the gitlab CI

 -- jvoisin <julien.voisin+snuffleupagus@dustri.org>  Sat, 20 Jun 2020 12:30:00 +0200

snuffleupagus (0.5.0) UNRELEASED; urgency=medium

  [ kkadosh ]
  * Tighten a bit a command-injection prevention rule in the default rules set
  * Increased the portability of the testsuite
  * Improved documentation
  * Usual code cleanup
  * Snuffleupagus will throw an informative error when compiled for PHP5
  * Snuffleupagus will throw an informative error when compiled for PHP5
  * The testsuite is now run on Alpine, Fedora, Debian and Ubuntu
  * Some rules against now-known vulnerabilities/techniques were added
  * PHP7.4 is fully supported, without any compilation warning
  * Snuffleupagus can now be used with PHP compiled without sessions support as a builtin (which is the case on Alpine)
  * Fix a compilation warning on FreeBSD
  * Cookies hardening is now supported on PHP7.3+


 -- kkadosh <snuffleupagus@nbs-system.com>  Wed, 12 Jun 2019 16:40:00 +0200

snuffleupagus (0.4.1) UNRELEASED; urgency=medium

  [ kkadosh ]
  * Improve and clarify the documentation
  * Add support for PHP7.3
  * Improve the coverage, we have now reached 99% of coverage
  * Improve the `mb_string` hooking logic
  * The script that check uploaded file is now available in PHP
  * Fix segfault on 32-bit for PHP7.3
  * Fix segfault when using `sloppy_comparison` feature with array


 -- kkadosh <snuffleupagus@nbs-system.com>  Fri, 21 Dec 2018 11:50:00 +0200

snuffleupagus (0.4.0) UNRELEASED; urgency=medium

  [ jvoisin ]
  * Add the possibility to whitelist `stream wrappers`
  * Snuffleupagus is now using php's logging mechanisms, instead of outputting its log directly into the syslog.
  * PHP is now prevented from ever disabling certificate verification thanks to a few lines in our default configuration.
  * Significant code simplification for cookies handling
  * Our `sloppy comparison` feature is now complete
  * Snuffleupagus won't start with an invalid config anymore, except if the `sp.allow_broken_configuration` is set.
  * It's now possible to place virtual-patches on the return value of user-defined functions.
  * Since Snuffleupagus is used by more and more organisations, we added a bunch of them in our propaganda page.
  * Add some missing pieces of documentation and fix some links
  * Fix the `make install` command
  * Fix various compilation warnings
  * Snuffleupagus is now running on platforms that aren't using the glibc

 -- jvoisin <snuffleupagus@nbs-system.com>  Fri, 31 Aug 2018 16:50:00 +0200

snuffleupagus (0.3.1) UNRELEASED; urgency=medium

  * Disable XXE and harden PRNG by default
  * Use SameSite on PHP's session cookie in the default rules
  * Relax a bit what files can be included in the default rules
  * Add the possibility to ignore files hashes when generating rules
  * The filename filter is now accepting phar paths
  * The harden rand_feature is not ignoring parameters anymore in function calls
  * Fix possible crashes/hangs when using php-fpm's pools
  * Fix an infinite loop on echo hook
  * Fix an issue with filename filter
  * Fix some documentation issues
  * Fix the Arch Linux's PKGBUILD

 -- he2ss <snuffleupagus@nbs-system.com>  Tue, 20 Aug 2018 15:00:00 +0200

snuffleupagus (0.3.0) UNRELEASED; urgency=medium

  * Session cookies can now be encrypted
  * Some occurrences of type juggling can now be eradicated
  * It's now possible to hook echo and print
  * The .filename() filter is now matching on the file where the function is called instead on the one where it's defined.
  * Vastly optimize the way native functions are hooked
  * The format of the logs has been streamlined to ease their processing
  * Better handling of filters for built-in functions
  * Fix various possible integer overflows
  * Fix an annoying memory leak

 -- kkadosh <snuffleupagus@nbs-system.com>  Tue, 17 Jul 2018 15:00:00 +0200

snuffleupagus (0.2.2) UNRELEASED; urgency=medium
  * Add some assertions in the code
  * The `.dump()` filter is now supported for `unserialize`, `readonly_exec`, and `eval` black/whitelist
  * Add more rules examples
  * Provide a script to check for malicious file uploads
  * Significant performances improvement (at least +20%)
  * Significantly improve the performances of our default rules set
  * Our readme file is now shinier
  * Minor code simplification
  * Fix a crash related to variadic functions

 -- jvoisin <snuffleupagus@nbs-system.com>  Tue, 12 Mar 2018 10:00:00 +0200

snuffleupagus (0.2.1) UNRELEASED; urgency=medium
  * The testsuite can now be successfully run as root
  * Fix a double execution when snuffleupagus is used with some other extensions
  * Fix an execution-context related crash
  * Support PCRE2, since it's required for PHP7.3
  * Improve a bit the portability of the code
  * Minor code simplification

 -- jvoisin <snuffleupagus@nbs-system.com>  Tue, 07 Feb 2018 11:00:00 +0200

snuffleupagus (0.2.0) UNRELEASED; urgency=medium

  * Glob support in `sp.configuration_file`
  * Whitelist/blacklist functions in `eval`
  * `phpinfo` shows is the configuration is valid or not
  * Off-by-one in configuration parsing fixed
  * Minor cookie-encryption related memory leaks fixes
  * Various crashes fixes
  * Configuration files with windows EOL are correctly handled
  * General code clean-up
  * Documentation overhaul
  * Compilation on FreeBSD and CentOS
  * Select which cookies to encrypt via regular expressions
  * Match on return values from user-defined functions
  * Simplification and clean up of our linked-list implementation

 -- jvoisin <snuffleupagus@nbs-system.com>  Tue, 18 Jan 2018 13:00:00 +0200

snuffleupagus (0.1.0) UNRELEASED; urgency=medium

  * Initial release.

 -- jvoisin <snuffleupagus@nbs-system.com>  Tue, 04 Jul 2017 17:51:31 +0200
