Snuffleupagus, a hardening module for blocking vulnerabilities in PHP applications

If you are a web developer, this article may interest you, since in it we talk a little about the Snuffleupagus project, which provides a module for the PHP interpreter that hardens the environment and blocks common mistakes that lead to vulnerabilities when PHP applications are executed.

The module is designed in an interesting way: it raises the amount of work an attacker has to do to successfully attack a web site, by removing entire classes of bugs. It also provides a powerful virtual patching system, which lets an administrator fix specific vulnerabilities and audit suspicious behaviour without touching the PHP code.

About Snuffleupagus

Snuffleupagus is characterised by a rules system that allows both the use of ready-made templates to increase protection and the creation of your own rules to control input data and function parameters.

It also provides built-in mechanisms to block classes of vulnerabilities such as problems related to data serialization, insecure use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by uploading files that contain executable code (for example in phar format), and unsafe XML constructs.

It also lets a web site administrator create virtual patches to fix specific problems without changing the source code of the vulnerable application, which is convenient for mass-hosting systems where it is impossible to keep all of the users' applications up to date.

The overall resource overhead of the module's operation is estimated to be minimal. The module is written in C, is built as a shared library, and is enabled in the "php.ini" file.

Among the security features that Snuffleupagus provides, the following stand out:

  • Automatic addition of the "secure" and "samesite" flags (protection against CSRF) to cookies, and encryption of cookie contents.
  • A built-in set of rules for detecting indicators of attacks and application compromise.
  • A global "strict" mode that, for example, blocks attempts to pass a string where an integer argument is expected, and protects against type manipulation (type juggling).
  • Blocking of stream wrappers by default (for example, banning "phar://") with explicit whitelisting by the operator.
  • Prohibiting the execution of writable files.
  • Black and white lists for eval.
  • Enforcing mandatory verification of TLS certificates when using curl.
  • Adding an HMAC to serialized objects to ensure that deserialization only returns data that the original application produced.
  • A request logging mode.
  • Blocking the loading of external files into libxml through links inside XML documents.
  • The ability to attach external handlers (upload_validation) to verify and scan uploaded files.
  • Use of TLS certificate checks when using curl.
  • Upload checking.
  • A relatively secure code base.
  • A complete test suite with close to 100% coverage.
  • Every commit is tested on many distributions.
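The features above are switched on through a rules file that php.ini points to via sp.configuration_file. The following rules file is an added illustration written for this article; it is not the project's shipped default set. The rule names follow the project's documented syntax as I recall it and should be checked against the current documentation; the secret key, the upload-check script path, and the wrapper list are placeholders you must adapt to your own deployment.

```ini
# Snuffleupagus rules file (illustrative; load it with sp.configuration_file in php.ini).
# Comments start with "#". Every rule ends with a semicolon.

# Secret used for cookie encryption and for the unserialize HMAC.
# PLACEHOLDER: generate a long random value per deployment and keep it out of version control.
sp.global.secret_key("CHANGE_ME_TO_A_LONG_RANDOM_SECRET");

# Global strict mode: reject e.g. a string where an integer argument is expected (type juggling).
sp.global_strict.enable();

# Cookies: encrypt the session cookie, add SameSite, and add "secure" automatically over HTTPS.
sp.cookie.name("PHPSESSID").encrypt();
sp.cookie.name("PHPSESSID").samesite("lax");
sp.auto_cookie_secure.enable();

# Serialization: append an HMAC to serialized data so unserialize() only accepts
# data this application produced (blocks attacker-supplied object graphs).
sp.unserialize_hmac.enable();

# Refuse to execute PHP files that are writable by the web server user
# (a dropped web shell in an upload directory will not run).
sp.readonly_exec.enable();

# Stream wrappers: only what the application really needs. "phar" is deliberately
# absent, so phar:// deserialization tricks are blocked. PLACEHOLDER list.
sp.wrappers_whitelist.list("file,php,http,https");

# XXE: stop libxml from resolving external entities.
sp.xxe_protection.enable();

# eval(): drop the request if evaluated code calls any of these functions.
sp.eval_blacklist.functions("system,exec,shell_exec,proc_open,passthru").drop();

# Upload validation: an external script (PLACEHOLDER path) returns success only for
# files it accepts; anything else is rejected before the application sees it.
sp.upload_validation.script("/usr/local/bin/check_upload").enable();

# Virtual patch: block phar:// paths reaching file_get_contents(). Start in
# simulation mode, which logs matches without blocking; once the logs show no
# legitimate hits, replace .simulation() with .drop() to enforce it.
sp.disable_function.function("file_get_contents").param("filename").value_r("^phar://").simulation();
```

The value of the last rule is the workflow, not the specific function: a suspected vulnerability is first observed in simulation mode, and only after the logs confirm the rule matches attacks alone is it switched to drop, all without editing the application's PHP source.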

More information

The module is currently at version 0.5.1, and this release highlights improved support for PHP 7.4 and the implementation of compatibility with the PHP 8 branch (which is currently in development).

In addition, the standard rule set has been updated, and new rules have been added for newly identified vulnerabilities and techniques for attacking web applications.

How to install Snuffleupagus on Linux?

Finally, for those interested in trying this module, whether in application security testing or to strengthen the security of their own applications:

What they should do is go to the project's official web site, where the download section contains instructions for several different Linux distributions; the link is this one.

Alternatively, they can also choose to install from source code; for that, they can follow the instructions detailed at this link.

Last but not least, if you want to know more about it, read the documentation, or obtain the source code to study, you can do so from this link.
