WordPress 5.2 released with support for verifying updates with a digital signature

The release of the WordPress 5.2 web content management system has been announced. The release is notable for completing a six-year effort to implement verification of updates and add-ons using digital signatures.

Until now, the main security measure when installing a WordPress update was trust in the WordPress infrastructure and servers: after download, only a checksum was verified, and since that checksum is served by the same infrastructure it proves only that the download was not corrupted, not where it came from. If the project's servers were compromised, attackers could substitute an update and distribute malicious code to the WordPress-based sites that use the automatic update system. Under the trust model used until now, such a substitution would go unnoticed on the user side.

Given that, according to w3techs, WordPress is used on 33.8% of sites on the web, such an incident would take on catastrophic proportions. At the same time, the risk of a compromise of the development infrastructure was not hypothetical but real: several years ago a security researcher demonstrated a vulnerability that allowed an attacker to execute their own code on the api.wordpress.org server side.

With a digital signature, gaining control of the update distribution server does not by itself lead to the compromise of user systems, because to carry out the attack it would additionally be necessary to obtain the private key, stored separately, with which updates are signed (the scheme does not, of course, protect against theft of that signing key, so its storage and handling become the critical part).

Implementing verification of the update source with a digital signature was held back by the fact that support for the necessary cryptographic algorithms appeared in the standard PHP distribution only recently, with the integration of the Libsodium library into the PHP 7.2 core. Until very recently, however, the minimum PHP version supported by WordPress was 5.2.4 (starting with WordPress 5.2 it is 5.6.20). Enabling digital signature support would have meant either a significant increase in the minimum PHP version or an external dependency, neither of which the developers could afford given the distribution of PHP versions on hosting systems.

The solution was to develop and include in WordPress 5.2 a compact version of Libsodium, Sodium Compat (sodium_compat), in which the minimal set of algorithms needed to verify digital signatures is implemented in pure PHP. The implementation leaves much to be desired in terms of performance, but it completely solves the compatibility problem and lets plugin developers start using modern cryptographic algorithms.

The signature algorithm is Ed25519, developed with the participation of Daniel J. Bernstein. The signature is made over the SHA-384 hash computed from the contents of the update archive. Ed25519 offers a higher security level than ECDSA and DSA and very high speed of both signature creation and verification. Its resistance to attack is about 2^128 (on average an attack on Ed25519 would require around 2^140 bit operations), which corresponds to the strength of algorithms such as NIST P-256, RSA with a key size of about 3000 bits, or a 128-bit block cipher. Ed25519 is also not affected by hash collision weaknesses, and its reference implementation is designed to resist cache-timing and other side-channel attacks.

In the WordPress 5.2 release, digital signature verification currently covers only core platform updates, and it does not block updates by default: it only informs the user about the problem. It was decided that blocking could not be enabled by default immediately, as the scheme first needs thorough testing and the elimination of possible problems. In the future it is also planned to add signature verification to confirm the source of theme and plugin installations (developers will be able to sign their releases with their own keys).
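The signing and verification flow described above, as an added example (not WordPress core code, though it uses the same libsodium functions that PHP 7.2+ ships natively and that sodium_compat provides on older versions): the publisher signs the SHA-384 digest of the archive with the Ed25519 secret key, and the client recomputes the digest of what it downloaded and checks it against a pinned public key. The function names, the in-memory "archive" and the freshly generated key pair are constructed for the demonstration; in production the secret key never touches the update server.

```php
<?php
// Added example (not WordPress core code): Ed25519 signing of the SHA-384
// digest of an update archive and the client-side check. Requires ext/sodium
// (PHP >= 7.2) or the sodium_compat polyfill; keys and archive are constructed.
declare(strict_types=1);

// Publisher side: sign the digest of the archive; returns the detached
// signature base64-encoded, as it would be delivered alongside the download.
function sign_archive(string $archive_bytes, string $secret_key): string
{
    $digest = hash('sha384', $archive_bytes, true);                 // 48 raw bytes
    $signature = sodium_crypto_sign_detached($digest, $secret_key); // 64 raw bytes
    return base64_encode($signature);
}

// Client side: recompute the digest of what was actually downloaded and verify
// it against the pinned public key. A flipped byte in the archive, in the
// signature or in the key makes this return false; malformed input never
// reaches the verifier.
function verify_archive(string $archive_bytes, string $signature_b64, string $public_key): bool
{
    $signature = base64_decode($signature_b64, true);
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (strlen($public_key) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    $digest = hash('sha384', $archive_bytes, true);
    return sodium_crypto_sign_verify_detached($signature, $digest, $public_key);
}

// Update policy. WordPress 5.2 behaves like "soft" mode: a failed signature only
// produces a warning. A hardened deployment refuses the update instead.
// Returns [whether to install, message for the administrator].
function update_decision(bool $signature_ok, bool $hard_fail): array
{
    if ($signature_ok) {
        return [true, 'signature verified, installing'];
    }
    return $hard_fail
        ? [false, 'signature verification FAILED, update refused']
        : [true, 'WARNING: signature verification failed, installing anyway'];
}

// --- demonstration with constructed data ---
$keypair    = sodium_crypto_sign_keypair();            // generated here only for the demo
$secret_key = sodium_crypto_sign_secretkey($keypair);  // in reality kept offline
$public_key = sodium_crypto_sign_publickey($keypair);  // this is what the client pins

$archive = "PK\x03\x04 constructed stand-in for wordpress-5.2.zip";
$sig_b64 = sign_archive($archive, $secret_key);

$other_key = sodium_crypto_sign_publickey(sodium_crypto_sign_keypair());

var_dump(verify_archive($archive, $sig_b64, $public_key));        // genuine archive
var_dump(verify_archive($archive . "\0", $sig_b64, $public_key)); // tampered archive
var_dump(verify_archive($archive, $sig_b64, $other_key));         // signed with another key
var_dump(verify_archive($archive, 'not base64!', $public_key));   // malformed signature

foreach ([false, true] as $hard_fail) {
    [$install, $message] = update_decision(
        verify_archive($archive . "\0", $sig_b64, $public_key), $hard_fail);
    printf("hard_fail=%s install=%s: %s\n",
        var_export($hard_fail, true), var_export($install, true), $message);
}
```

Two points worth keeping in mind when reading this: the public key has to be pinned on the client side (shipped with the code, not fetched from the server being verified), otherwise a compromised server could simply hand out a key of its own; and because the signature covers the SHA-384 digest rather than the raw archive, the collision resistance of the scheme rests on SHA-384 as well as on Ed25519.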

Besides digital signature support, the following changes in WordPress 5.2 are worth noting:

  • Two new pages were added to the "Site Health" section for troubleshooting common configuration problems, and a form is provided through which developers can pass debugging information to site administrators;
  • Protection against the "white screen of death" was implemented: it is shown in case of fatal errors and helps the administrator fix problems caused by plugins or themes on their own by switching to a special recovery mode;
  • A plugin compatibility check system was implemented, which automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version, the system automatically blocks its installation;
  • Added support for building JavaScript modules using webpack and Babel;
  • Added a new privacy-policy.php template that allows customizing the content of the privacy policy page;
  • For themes, the wp_body_open hook was added, which allows inserting code immediately after the opening body tag;
  • The minimum PHP version requirement was raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
  • 13 new icons were added.

Separately, the discovery of a critical vulnerability (CVE-2019-11185) in the WordPress plugin WP Live Chat deserves mention. The vulnerability allows arbitrary PHP code to be executed on the server. The plugin is used on more than 27 thousand sites to provide interactive chat with visitors, including the sites of companies such as IKEA, Adobe, Huawei, PayPal, Tele2 and McDonald's (Live Chat is typically used to implement the annoying pop-up chat windows on company sites that offer a chat with a consultant).

The problem lies in the file upload code and allows the allowed-file-type check to be bypassed, so that a PHP script can be uploaded to the server and then executed directly over the web. Notably, a similar vulnerability (CVE-2018-12426) was already identified in Live Chat last year; it allowed PHP code to be uploaded under the guise of an image by specifying a different content type in the Content-Type field. As part of that fix, additional checks against a whitelist and of the MIME content type were added. As it turned out, these checks were implemented incorrectly and can be bypassed easily.

In particular, direct upload of files with the ".php" extension is prohibited, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist allows only images to be uploaded, but it can be bypassed with a double extension such as ".gif.phtml". To get past the MIME type check, it was enough to put the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code. The general lesson is that an extension blacklist is never complete (which extensions are handed to the PHP interpreter depends on the server configuration), that a whitelist has to be applied to the final extension only, and that a magic-byte prefix proves nothing about the rest of the file.
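As an added example (not the plugin's code; the function names, the order of the checks and the sample inputs are our own assumptions), here is an upload filter built to fail in exactly the three ways described above, beside a hardened version that applies an allow-list to the one and only extension, decodes the whole file, re-encodes it and stores it under a server-chosen name. The hardened version assumes the GD extension is available.

```php
<?php
// Added example (not the WP Live Chat code): a reconstruction of an upload
// filter with the three weaknesses described in the text, and a hardened one.
// Function names, check order and sample inputs are constructed for illustration.
declare(strict_types=1);

// Flawed filter: extension blacklist, "contains an image extension" whitelist,
// and a magic-byte check of the first bytes only.
function upload_allowed_flawed(string $filename, string $content): bool
{
    // 1. Blacklist: only an exact trailing ".php" is rejected, so ".phtml"
    //    (mapped to the PHP interpreter on many servers) slips through.
    if (preg_match('/\.php$/i', $filename)) {
        return false;
    }
    // 2. "Whitelist": an image extension anywhere in the name satisfies it,
    //    so "shell.gif.phtml" passes.
    if (!preg_match('/\.(gif|jpe?g|png)/i', $filename)) {
        return false;
    }
    // 3. "MIME" check: trusts a leading magic number, so "GIF89a<?php ..." passes.
    return substr($content, 0, 6) === 'GIF89a'
        || substr($content, 0, 8) === "\x89PNG\r\n\x1a\n"
        || substr($content, 0, 3) === "\xFF\xD8\xFF";
}

// Hardened filter: allow-list applied to the single extension, the content
// must decode as an image, and what is stored is a re-encoded copy under a
// server-chosen name. Returns the name to store under, or null to reject.
// (The upload directory should additionally have script execution disabled.)
function upload_allowed_hardened(string $filename, string $content): ?string
{
    $allowed = ['gif', 'jpg', 'jpeg', 'png'];
    $parts = explode('.', strtolower($filename));
    if (count($parts) !== 2 || $parts[0] === '' || !in_array($parts[1], $allowed, true)) {
        return null; // no extension, double extension, or not on the allow-list
    }
    // Decode the whole file, not just its first bytes (GD extension assumed).
    $image = @imagecreatefromstring($content);
    if ($image === false) {
        return null;
    }
    // Re-encode: even a decoder that tolerated trailing junk would not carry
    // it into the output, and the attacker never controls the stored name.
    ob_start();
    imagepng($image);
    $clean = ob_get_clean();
    $stored_name = bin2hex(random_bytes(16)) . '.png';
    // file_put_contents(UPLOAD_DIR . '/' . $stored_name, $clean);
    return $stored_name;
}

// --- demonstration with constructed inputs ---
$payload = "GIF89a<?php system(\$_GET['cmd']); ?>"; // the bypass shape described in the text
$image = imagecreatetruecolor(1, 1);
ob_start();
imagegif($image);
$real_gif = ob_get_clean();                           // a genuine 1x1 GIF

$cases = [
    ['avatar.gif', $real_gif],
    ['shell.php', $payload],
    ['shell.gif.phtml', $payload],
];
foreach ($cases as [$name, $bytes]) {
    printf("%-16s flawed=%s hardened=%s\n", $name,
        var_export(upload_allowed_flawed($name, $bytes), true),
        var_export(upload_allowed_hardened($name, $bytes), true));
}
```

The flawed filter accepts "shell.gif.phtml" with the "GIF89a" prefix for exactly the reasons given in the text, while the hardened one rejects it at the extension check before the content is even looked at. The re-encoding step matters because magic-byte and even full-decode checks can be fooled by crafted files; what is written to disk is then a fresh image produced by the server, not the attacker's bytes.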

Source: opennet.ru
