self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-09-16 09:06:32 +02:00
Code Issues Releases Activity

Merge #3908

Browse Source 
3908: Snuffleupagus v0.12 r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Upgrade to Snuffleupagus 0.12 to fix a NULL ptr deref; re-enable the related rules.

See https://github.com/jvoisin/snuffleupagus/issues/515

`@ghostwheel42` Do we want to backport this or are we content for it to be master only?

### Related issue(s)
- #3899 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
This commit is contained in:
bors-mailu[bot]
2025-08-22 16:10:06 +00:00
committed by GitHub
parent 2f89dc6b9a e9825477dc
commit d5b78fc048
3 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/base/Dockerfile
View File

@@ -27,7 +27,7 @@ CMD /bin/bash
FROM system as build
ARG MAILU_DEPS=prod
ARG SNUFFLEUPAGUS_VERSION=0.11.0
ARG SNUFFLEUPAGUS_VERSION=0.12.0
ENV VIRTUAL_ENV=/app/venv

1
towncrier/newsfragments/3899.bugfix Normal file
View File

@@ -0,0 +1 @@
Upgrade to Snuffleupagus 0.12 to fix a NULL ptr deref; re-enable the related rules

12
webmails/snuffleupagus.rules
View File

@@ -144,11 +144,11 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"
# Classic webshells patterns
# Those create SIGSEGV on arm64 for some reason
#sp.disable_function.function("system>base64_decode").drop();
#sp.disable_function.function("shell_exec>base64_decode").drop();
#sp.disable_function.function("exec>base64_decode").drop();
#sp.disable_function.function("passthru>base64_decode").drop();
#sp.disable_function.function("proc_open>base64_decode").drop();
sp.disable_function.function("system>base64_decode").drop();
sp.disable_function.function("shell_exec>base64_decode").drop();
sp.disable_function.function("exec>base64_decode").drop();
sp.disable_function.function("passthru>base64_decode").drop();
sp.disable_function.function("proc_open>base64_decode").drop();
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
sp.auto_cookie_secure.enable();
@@ -156,6 +156,8 @@ sp.auto_cookie_secure.enable();
# TODO: ensure this is up to date
sp.cookie.name("roundcube_sessauth").samesite("strict");
sp.cookie.name("roundcube_sessid").samesite("strict");
sp.cookie.name("smtoken").samesite("strict");
sp.cookie.name("smctoken").samesite("strict");
sp.ini_protection.policy_silent_fail();
# roundcube uses unserialize() everywhere.