The Snuffleupagus project is developing a PHP extension to block vulnerabilities

The Snuffleupagus project is developing a module that plugs into the PHP 7 interpreter and is designed to harden the runtime environment and block common mistakes that lead to vulnerabilities in running PHP applications. The module also lets you create virtual patches that fix specific problems without touching the source code of the vulnerable application, which is convenient on mass hosting platforms where it is not feasible to keep every customer's application up to date. The module is written in C, loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply ready-made templates for improving security or write your own rules to control input data and function parameters. For example, the rule `sp.disable_function.function("system").param("command").value_r("[$|;&\`\\n]").drop();` restricts the use of shell metacharacters in the argument of system() without modifying the application. In the same way you can create virtual patches that block known vulnerabilities.

Judging by the developers' tests, Snuffleupagus barely reduces performance. To ensure its own security (a vulnerability in a protective layer can itself become an additional attack vector), the project runs a full test suite on every commit across several distributions, uses static analysis tools, and structures and documents the code to make auditing easier.

Built-in mechanisms are provided to block classes of vulnerabilities such as problems related to data deserialization, unsafe use of the PHP mail() function, theft of cookie contents during an XSS attack, problems caused by loading files that carry executable code (for example, in phar format), weak random number generation and unsafe XML processing.

The following methods of hardening PHP are supported:

  • Automatic setting of the "secure" and "samesite" flags on cookies (CSRF protection), and cookie encryption;
  • A built-in rule set for detecting traces of attacks and application compromise;
  • Forced global "strict" mode (for example, blocking an attempt to pass a string where an integer argument is expected) and protection against type juggling;
  • Blocking of stream wrappers by default (for example, forbidding "phar://") with an explicit whitelist of allowed ones;
  • Prohibition of executing files that are writable;
  • Black and white lists for eval;
  • Mandatory TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects so that unserialization only restores data that was produced by the original application;
  • Request logging mode;
  • Blocking the loading of external files in libxml through references in XML documents;
  • Ability to attach external handlers (upload_validation) for checking and inspecting uploaded files.
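The rules file below is an added example, written for this page and not taken from the project's documentation; it puts the rule from the system() example above together with the hardening features listed here into one snuffleupagus rules file. Directive names follow my recollection of the project's rule syntax and should be checked against the documentation of the installed version; the paths, the secret key, the cookie name and the file named in the virtual patch are hypothetical values.

```conf
# Hypothetical /etc/php/7.x/snuffleupagus.rules (loaded via sp.configuration_file in php.ini).
# Added example for this article; verify each directive against your Snuffleupagus version.

# Secret used for cookie encryption and the unserialize HMAC; generate a real random value.
sp.global.secret_key("REPLACE-WITH-A-LONG-RANDOM-SECRET");

# Global strict mode: passing a string where an int is expected is rejected.
sp.global_strict.enable();

# Cookies: add the "secure" flag automatically, encrypt the session cookie and set SameSite.
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").encrypt();
sp.cookie.name("PHPSESSID").samesite("lax");

# Refuse to execute PHP files that are writable by the web server.
# Start in simulation mode (log only), then switch to enable() once the logs are clean.
sp.readonly_exec.simulation();
# sp.readonly_exec.enable();

# Only unserialize data that carries an HMAC produced by this application.
sp.unserialize_hmac.enable();

# Stream wrappers: allow only these; phar:// is blocked because it is not listed.
sp.wrappers_whitelist.list("file,php");

# Do not allow dangerous functions inside eval()'d code.
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open,popen");

# Block loading of external entities/DTDs by libxml (XXE).
sp.xxe_protection.enable();

# Make rand()/mt_rand() use a cryptographically secure source.
sp.harden_random.enable();

# Run an external script against every uploaded file; a non-zero exit rejects the upload.
sp.upload_validation.script("/usr/local/bin/check_upload.sh").enable();

# Rule from the article: drop system() calls whose command contains shell metacharacters.
sp.disable_function.function("system").param("command").value_r("[$|;&\`\\n]").drop();

# Keep TLS verification on: forbid curl_setopt() on CURLOPT_SSL_VERIFYPEER (64)
# and CURLOPT_SSL_VERIFYHOST (81). This blocks setting them at all, so the
# default (verification enabled) stays in force.
sp.disable_function.function("curl_setopt").param("option").value("64").drop();
sp.disable_function.function("curl_setopt").param("option").value("81").drop();

# mail() header/parameter injection: refuse extra sendmail options such as "-X".
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();

# Virtual patch: a hypothetical vulnerable script that must never reach system().
# Only this file is affected; the rest of the application keeps working unchanged.
sp.disable_function.function("system").filename("/var/www/app/legacy/export.php").drop();
```

Put new rules in `.simulation()` mode first and watch the PHP error log; a rule that fires on legitimate traffic is visible there before it breaks anything. Because `sp.global.secret_key` protects both the encrypted cookies and the unserialize HMAC, rotating it invalidates existing sessions and previously serialized data.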

The project was created and is used to protect customers in the infrastructure of one of the major French hosting providers. It is noted that simply loading Snuffleupagus would have protected against most of the dangerous vulnerabilities disclosed this year in Drupal, WordPress and phpBB. Vulnerabilities in Magento and Horde could have been blocked by enabling the "sp.readonly_exec.enable()" mode.

source: budenet.ru
