The Snuffleupagus project is developing a PHP module for blocking vulnerabilities

The Snuffleupagus project is developing a module that plugs into the PHP7 interpreter and is designed to harden a hosting environment and block the typical mistakes that lead to vulnerabilities in the PHP applications it runs. The module also makes it possible to create virtual patches that close specific holes without modifying the source code of the vulnerable application, which is convenient on shared-hosting platforms where it is impossible to keep every customer's application up to date. The module is written in C, is loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and is distributed under the LGPL 3.0 licence.

Snuffleupagus provides a rule system that lets you either apply ready-made templates for hardening or write your own rules to control input data and function parameters. For example, the rule "sp.disable_function.function("system").param("command").value_r("[$|;&`\n]").drop();" restricts the use of shell special characters in the argument of system() without touching the application. In the same way, virtual patches can be written to block known vulnerabilities.

Judging by the developers' tests, Snuffleupagus has practically no impact on performance. To ensure its own security (a vulnerability in the protection layer would itself become an additional attack vector), the project has every change reviewed by several participants, runs static analysers on the code, and keeps the code formatted and documented so that it is easy to audit.

Ready-made mechanisms are provided for blocking classes of vulnerabilities such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by loading files that contain executable code (for example in phar format), weak random number generation and incorrect XML entity substitution.

The following features are supported to strengthen PHP security:

  • Automatic setting of the "secure" and "samesite" (CSRF protection) flags on cookies, and cookie encryption;
  • A built-in rule system for detecting traces of attacks and application compromise;
  • Global enforcement of strict mode (for example, blocking attempts to pass a string where an integer argument is expected) and protection against type juggling;
  • Blocking of protocol wrappers by default (for example, forbidding "phar://") through an explicit whitelist;
  • A ban on executing writable files;
  • Blacklists and whitelists for eval;
  • Mandatory TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects so that deserialization only restores data that the original application itself saved;
  • A request logging mode;
  • Blocking the download of external files by libxml via references in XML documents;
  • The ability to attach external handlers (upload_validation) to check and scan uploaded files.
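To make the rule system described above and the feature list concrete, here is an added example of a Snuffleupagus rules file written for this page; it is not configuration shipped by the project or quoted from the article. Directive names follow the Snuffleupagus rule syntax as documented, but the file paths, the cookie name, the secret-key placeholder, the file hash placeholder and the regular expressions are assumptions chosen for illustration, and every directive should be checked against the documentation of the version actually installed before it goes into production.

```text
# Added example rules file for Snuffleupagus (not the project's own configuration).
# Paths, key material, hashes and regular expressions below are illustrative
# assumptions; adapt them to the host.

# Every feature that encrypts or signs data (cookie encryption, the HMAC on
# serialized objects) is keyed by this secret. Generate a long random value on
# the host; the string below is only a placeholder.
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET_GENERATED_ON_THIS_HOST");

# Where alerts go: "syslog" or "php" (the PHP error log).
sp.log_media("syslog");

# ---- Generic hardening (the feature list above) ----------------------------
sp.global_strict.enable();        # strict_types everywhere: no "1abc" where an int is expected
sp.harden_random.enable();        # rand()/mt_rand() backed by a cryptographically secure source
sp.disable_xxe.enable();          # libxml must not fetch external entities
sp.readonly_exec.enable();        # refuse to execute PHP files that are writable
sp.unserialize_hmac.enable();     # serialize() output is signed, unserialize() verifies the tag
sp.auto_cookie_secure.enable();   # "secure" flag added to every cookie sent over HTTPS
sp.cookie.name("PHPSESSID").encrypt();        # session id never reaches the browser in clear
sp.cookie.name("PHPSESSID").samesite("lax");  # cross-site requests do not carry it (CSRF)
sp.wrappers_whitelist.list("file,php,http,https");  # phar://, data://, ... are refused
sp.eval_blacklist.list("system,exec,shell_exec,passthru,popen,proc_open");
sp.upload_validation.script("/usr/local/bin/check_upload").enable();  # assumed scanner path

# ---- Virtual patches (the rule system) -------------------------------------
# The article's own example: shell metacharacters in system()'s argument.
# The backslash is doubled because the rule parser unescapes the string
# before it is compiled as a regular expression.
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

# The mail() trick the article alludes to: a 5th argument starting with "-"
# passes options to sendmail (for example -X to write a log into the web root).
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();

# Deploying a new rule: run it in simulation mode first, which only logs what
# would have been blocked, and switch to drop() once the log shows no false
# positives. This one flags serialized objects ("O:<len>:") reaching unserialize().
sp.disable_function.function("unserialize").pos(0).value_r("O:\\d+:").simulation();

# Once tightened to drop(), whitelist the single legitimate caller first:
# only this file, with exactly this content, may pass objects to unserialize().
sp.disable_function.function("unserialize").filename("/var/www/app/lib/Session.php").hash("<sha256 of that file>").allow();
sp.disable_function.function("unserialize").pos(0).value_r("O:\\d+:").drop();
```

Two caveats a practitioner will hit: the HMAC on serialized data is only verifiable for data the same installation produced after the option was switched on, so existing sessions and caches serialized before that will be rejected and must be regenerated, and in a multi-host setup sp.global.secret_key has to be identical on every host or cookies and signed objects will fail to verify after a failover.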

The project was created and is used to protect the customers and infrastructure of one of the large French hosting providers. It is noted that merely enabling Snuffleupagus would have protected against many dangerous vulnerabilities disclosed this year in Drupal, WordPress and phpBB, and that vulnerabilities in Magento and Horde could have been blocked by enabling the "sp.readonly_exec.enable()" option.

Source: opennet.ru
