From e9825477dca8ba128097bda768028994dd444d39 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 22 Aug 2025 12:24:38 +0200
Subject: [PATCH] Snuffleupagus v0.12
---
 core/base/Dockerfile | 2 +-
 towncrier/newsfragments/3899.bugfix | 1 +
 webmails/snuffleupagus.rules | 12 +++++++-----
 3 files changed, 9 insertions(+), 6 deletions(-)
 create mode 100644 towncrier/newsfragments/3899.bugfix
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 31216497..7085fcc0 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -27,7 +27,7 @@ CMD /bin/bash
 FROM system as build
 ARG MAILU_DEPS=prod
-ARG SNUFFLEUPAGUS_VERSION=0.11.0
+ARG SNUFFLEUPAGUS_VERSION=0.12.0
 ENV VIRTUAL_ENV=/app/venv
diff --git a/towncrier/newsfragments/3899.bugfix b/towncrier/newsfragments/3899.bugfix
new file mode 100644
index 00000000..c3a90f91
--- /dev/null
+++ b/towncrier/newsfragments/3899.bugfix
@@ -0,0 +1 @@
+Upgrade to Snuffleupagus 0.12 to fix a NULL ptr deref; re-enable the related rules
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 5734f6e9..f2257672 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -144,11 +144,11 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"
 # Classic webshells patterns
 # Those create SIGSEGV on arm64 for some reason
-#sp.disable_function.function("system>base64_decode").drop();
-#sp.disable_function.function("shell_exec>base64_decode").drop();
-#sp.disable_function.function("exec>base64_decode").drop();
-#sp.disable_function.function("passthru>base64_decode").drop();
-#sp.disable_function.function("proc_open>base64_decode").drop();
+sp.disable_function.function("system>base64_decode").drop();
+sp.disable_function.function("shell_exec>base64_decode").drop();
+sp.disable_function.function("exec>base64_decode").drop();
+sp.disable_function.function("passthru>base64_decode").drop();
+sp.disable_function.function("proc_open>base64_decode").drop();
 sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
 sp.auto_cookie_secure.enable();
@@ -156,6 +156,8 @@ sp.auto_cookie_secure.enable();
 # TODO: ensure this is up to date
 sp.cookie.name("roundcube_sessauth").samesite("strict");
 sp.cookie.name("roundcube_sessid").samesite("strict");
+sp.cookie.name("smtoken").samesite("strict");
+sp.cookie.name("smctoken").samesite("strict");
 sp.ini_protection.policy_silent_fail();
 # roundcube uses unserialize() everywhere.
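Review bot: In the first hunk of webmails/snuffleupagus.rules the context comment `# Those create SIGSEGV on arm64 for some reason` stays directly above the five `...>base64_decode` drop rules that are now active, so it reads as a warning about live rules. Replace it with something like `# Were disabled before Snuffleupagus 0.12 (SIGSEGV on arm64, see newsfragment 3899)`, or delete it. The rules also depend on the fixed extension, and `SNUFFLEUPAGUS_VERSION` in core/base/Dockerfile is a build `ARG`, so an image built with an older value would presumably hit the crash again. A one-line comment stating the minimum version next to these rules would make that coupling visible.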
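Review bot: In the second hunk the two added `samesite("strict")` rules for `smtoken` and `smctoken` carry no comment naming the webmail that sets them, and they sit under `# TODO: ensure this is up to date` next to cookies whose names identify Roundcube. Add a line such as `# <webmail name> cookies` above them; the owner has to come from the author, since the names alone do not say. The newsfragment 3899.bugfix mentions only the upgrade and the re-enabled rules, so this cookie hardening goes unrecorded in the changelog. Because `strict` withholds the cookie on any cross-site navigation, it is worth confirming that no login or redirect flow reaches that webmail from another site.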