Release of Snuffleupagus 0.5.1, a module for blocking vulnerabilities in PHP applications

After a year of development, Snuffleupagus 0.5.1 has been released. It is a module for the PHP 7 interpreter that hardens the runtime environment and blocks common mistakes that lead to vulnerabilities in running PHP applications. The module also lets you create virtual patches that fix specific problems without changing the source code of the vulnerable application, which is convenient on shared-hosting systems where it is impossible to keep every user's application up to date. The module's overhead is estimated to be minimal. It is written in C, loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply standard templates to improve security or write your own rules to control input data and function parameters. For example, the rule "sp.disable_function.function("system").param("command").value_r("[$|;&`\n]").drop();" restricts the use of shell metacharacters in the argument of system() without modifying the application. Built-in mechanisms are provided to block whole classes of vulnerabilities, such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by uploading files containing executable code (for example, in phar format), poor-quality random number generation and the injection of malformed XML constructs.

PHP hardening features provided by Snuffleupagus:

  • Automatic enabling of the "secure" and "samesite" (CSRF protection) flags for cookies, and cookie encryption;
  • Built-in rules to detect traces of attacks and compromise of applications;
  • Forced global activation of "strict" mode (for example, it blocks an attempt to pass a string where an integer argument is expected) and protection against type juggling;
  • Blocking of protocol wrappers by default (for example, prohibiting "phar://"), with an explicit whitelist of allowed wrappers;
  • Prohibition on executing uploaded (writable) files;
  • Black and white lists for eval;
  • Mandatory TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects to ensure that unserialize() only restores data that was saved by the original application;
  • Request logging mode;
  • Blocking the loading of external files in libxml via references in XML documents;
  • Ability to attach external handlers (upload_validation) for inspecting and validating uploaded files.
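The following rules file is an added example of how the rule syntax mentioned above and the hardening features in the list are switched on; it is not the project's own default ruleset and not part of the original article. It is loaded through the sp.configuration_file directive in php.ini. The directive names follow the project's documentation as the editor recalls it and should be confirmed against the documentation for the installed version; the secret key, the cookie name and the upload-check script path are placeholders.

```ini
# Added example rules file for Snuffleupagus (not the project's own default ruleset).
# Directive names follow the project documentation; values marked as placeholders
# must be replaced for a real deployment.

# Secret used for cookie encryption and the unserialize() HMAC (placeholder value).
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET");

# Virtual patch from the article: drop system() calls whose command argument
# contains shell metacharacters, without touching the application's code.
# The regex is written as in the project documentation, with an escaped newline.
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

# Cookies: force the secure flag on every cookie, encrypt and mark the
# session cookie (name is the PHP default, adjust if the application renames it).
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").encrypt();
sp.cookie.name("PHPSESSID").samesite("strict");

# Serialization: only accept unserialize() input that this application produced.
sp.unserialize_hmac.enable();

# Global strict mode and hardened random number generation.
sp.global_strict.enable();
sp.harden_random.enable();

# Refuse to execute PHP files that are writable, e.g. freshly uploaded ones.
sp.readonly_exec.enable();

# XML: block loading of external entities in libxml.
sp.disable_xxe.enable();

# Stream wrappers: allow only the listed ones, so phar:// is blocked.
sp.wrappers_whitelist.list("file,php,http,https");

# Uploads: hand every uploaded file to an external validation script (placeholder path).
sp.upload_validation.script("/usr/local/bin/check_upload.sh").enable();

# New in 0.5.1 according to the article: send events to syslog instead of the PHP log.
sp.log_media("syslog");
```

A practical way to roll this out is to enable each rule on a staging copy first and watch the log for drops caused by legitimate application behaviour (for example, a cron script that intentionally passes a pipe to system()), then tighten or add exceptions before enabling the rule in production.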

Among the changes in the new release: improved support for PHP 7.4 and initial compatibility with the PHP 8 branch, which is currently under development. Events can now be logged via syslog (the new sp.log_media directive accepts the values php or syslog). The set of standard rules has been updated with new rules covering recently disclosed vulnerabilities and attack techniques against web applications. Support for macOS has been improved, and the GitLab-based continuous integration platform is now used more extensively.

source: budenet.ru
