Until now, when installing an update in WordPress, the main security guarantee was trust in the WordPress infrastructure and its servers: after downloading, the hash of the package was checked, but its origin was not verified. If the project's servers were compromised, attackers could substitute an update and distribute malicious code to WordPress-based sites that use the automatic update mechanism. Under the trust model used previously, such a substitution would have gone unnoticed on the user side.
Taking into account that
With a digital signature, gaining control of the update distribution server does not lead to the compromise of users' systems, because to carry out the attack one would additionally have to obtain the separately stored private key with which updates are signed.
Implementing verification of the origin of updates by digital signature was held back by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently. The required cryptographic algorithms became available thanks to the integration of the library
The solution was
The algorithm used to generate the digital signatures
In the WordPress 5.2 release, digital signature verification currently covers only updates of the core platform, and it does not block updates by default but only informs the user about the problem. It was decided not to enable blocking by default right away because of the need for full testing and running
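The difference between the two trust models, as an added example that is not part of the original article and not WordPress code: WordPress is written in PHP, but this example is in Go so that it runs stand-alone. It assumes Ed25519 detached signatures over the SHA-384 digest of the archive (the article's own sentence naming the algorithm is cut off above, so both choices are assumptions of this example), and the type, function and sample archive names are invented for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// UpdatePackage is what the update server serves: the archive, the digest the
// server claims for it, and a detached signature over that digest. Only the
// signature is bound to a key that the server does not hold. (Assumed layout,
// not the format WordPress uses.)
type UpdatePackage struct {
	Archive   []byte
	Digest    string // hex SHA-384 of Archive, as published by the server
	Signature []byte // Ed25519 signature over the raw SHA-384 digest bytes
}

func digest(archive []byte) []byte {
	d := sha512.Sum384(archive)
	return d[:]
}

// Publish is the vendor's release step: the private key stays on the signing
// host; only the resulting package is copied to the distribution server.
func Publish(priv ed25519.PrivateKey, archive []byte) UpdatePackage {
	d := digest(archive)
	return UpdatePackage{
		Archive:   archive,
		Digest:    hex.EncodeToString(d),
		Signature: ed25519.Sign(priv, d),
	}
}

// Tamper models an attacker who owns the distribution server: they can swap
// the archive and recompute the published digest, but cannot produce a fresh
// signature without the offline private key.
func Tamper(p UpdatePackage, malicious []byte) UpdatePackage {
	return UpdatePackage{
		Archive:   malicious,
		Digest:    hex.EncodeToString(digest(malicious)),
		Signature: p.Signature, // stale signature over the original digest
	}
}

// VerifyHashOnly is the old trust model: compare the archive against the digest
// handed out by the same server. It proves integrity in transit, not origin.
func VerifyHashOnly(p UpdatePackage) bool {
	want, err := hex.DecodeString(p.Digest)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, digest(p.Archive)) == 1
}

// VerifySigned is the new model: the client pins the vendor's public key and
// checks the detached signature over a digest it computes itself, ignoring
// whatever digest the server claims.
func VerifySigned(p UpdatePackage, trustedPub ed25519.PublicKey) bool {
	return ed25519.Verify(trustedPub, digest(p.Archive), p.Signature)
}

// Demo runs both checks against a genuine and a tampered package and reports
// which check accepted what.
func Demo() (hashAcceptsTampered, sigAcceptsTampered, sigAcceptsGenuine bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := Publish(priv, []byte("wordpress-5.2.zip (constructed sample archive)"))
	tampered := Tamper(genuine, []byte("wordpress-5.2.zip plus a backdoor (constructed)"))
	return VerifyHashOnly(tampered), VerifySigned(tampered, pub), VerifySigned(genuine, pub), nil
}

func main() {
	h, s, g, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hash-only check accepts tampered archive: %v\n", h)
	fmt.Printf("signature check accepts tampered archive: %v\n", s)
	fmt.Printf("signature check accepts genuine archive:  %v\n", g)
}
```

An attacker who owns the distribution server can swap the archive and republish a matching digest, so VerifyHashOnly still passes; VerifySigned fails, because the stale signature no longer covers the digest the client computes and the pinned public key is not something the server can change. Unlike WordPress 5.2, which only warns on a failed signature, the example treats a failed check as a rejection.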
In addition to digital signature support, the following changes in WordPress 5.2 can be noted:
- Two new pages have been added to the "Site Health" section for diagnosing common configuration problems, and a form is provided there through which developers can leave debugging information for site administrators;
- An extended implementation of the "white screen of death" is provided, shown in the event of fatal errors, which helps the administrator fix problems related to plugins or themes on their own by switching to a special crash-recovery mode;
- A plugin compatibility check system has been implemented, which automatically verifies whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system automatically prevents that plugin from being installed;
- Support has been added for building modules with JavaScript code using webpack and Babel;
- A new privacy-policy.php template has been added, allowing the content of the privacy policy page to be customised;
- For themes, a wp_body_open hook handler has been added, allowing code to be inserted immediately after the body tag;
- The minimum PHP version requirement has been raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
- 13 new icons have been added.
Additionally, one can mention
The problem lies in the code for uploading files to the server and allows the check of permitted file types to be bypassed, a PHP script to be uploaded to the server and then executed directly via the web. Notably, a similar vulnerability was already identified in Live Chat last year (CVE-2018-12426); it allowed PHP code to be uploaded under the guise of an image by specifying a particular content type in the Content-Type field. As part of that fix, additional checks against a whitelist and the MIME content type were added. As it turned out, these checks were implemented incorrectly and can be bypassed easily.
Specifically, direct upload of files with the ".php" extension is forbidden, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist allows only images to be uploaded, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check on the beginning of the file, it was enough to place the string "GIF89a" before the opening tag with the PHP code.
source: opennet.ru