Release of Snuffleupagus 0.5.1, a module for blocking vulnerabilities in PHP applications

After a year of development, the release of Snuffleupagus 0.5.1 has been published. The project provides a module for the PHP7 interpreter that hardens the runtime environment and blocks common mistakes that lead to vulnerabilities in running PHP applications. The module also allows virtual patches to be created to fix specific issues without changing the source code of the vulnerable application, which suits mass hosting environments where it is impossible to keep every user application up to date. The module's overhead is estimated to be minimal. The module is written in C, loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and distributed under the LGPL 3.0 license.

Snuffleupagus provides a rules system that lets you apply ready-made templates to improve security, or write your own rules to control input data and function parameters. For example, the rule sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); restricts the use of special characters in the arguments of the system() function without changing the application. Built-in mechanisms are provided to block classes of vulnerabilities such as problems related to data serialization, insecure use of the PHP mail() function, leakage of Cookie contents during XSS attacks, problems caused by loading files containing executable code (for example, in phar format), poor-quality random number generation and incorrect XML construction.

Methods for improving PHP security provided by Snuffleupagus:

  • Automatically enabling the "secure" and "samesite" flags (CSRF protection) on cookies, and cookie encryption;
  • A built-in set of rules to identify traces of attacks and compromise of applications;
  • Forced global enabling of "strict" mode (for example, blocking an attempt to pass a string where an integer argument is expected) and protection against type juggling;
  • Automatic blocking of protocol wrappers (for example, blocking "phar://") through explicit whitelisting;
  • Prohibition on executing writable files;
  • Black and white lists for eval;
  • Mandatory enabling of TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects to ensure that deserialization only receives data stored by the original application;
  • Request logging mode;
  • Blocking the loading of external files in libxml via links in XML documents;
  • The ability to connect external handlers (upload_validation) to check and scan uploaded files;

Among the changes in the new release: improved support for PHP 7.4 and compatibility with the PHP 8 branch still under development. Added the ability to log events via syslog (the sp.log_media directive is proposed for this and can take the values php or syslog). The default rule set has been updated to include new rules for recently identified vulnerabilities and attack techniques against web applications. Improved macOS support and expanded use of the GitLab-based continuous integration platform.
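As an added example (not the project's own default rule set), the rules file below wires together the protections listed above, including the syslog logging introduced in this release; directive names follow the Snuffleupagus rule syntax as documented by the project, while the secret key and the validator path are placeholders. The file is referenced from php.ini via sp.configuration_file next to the extension=snuffleupagus.so line.

```ini
# snuffleupagus.rules (constructed example; the secret key is a placeholder)
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET");

# Log events through syslog instead of PHP's error log (new in 0.5.1)
sp.log_media("syslog");

# Cookies: force the secure/samesite flags and encrypt the session cookie
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").samesite("lax");
sp.cookie.name("PHPSESSID").encrypt();

# Serialization: unserialize() rejects payloads that lack a valid HMAC
sp.unserialize_hmac.enable();

# Strict mode / type juggling, hardened PRNG, XXE protection in libxml
sp.global_strict.enable();
sp.harden_random.enable();
sp.xxe_protection.enable();

# Refuse to execute PHP files that the web server user can write to
sp.readonly_exec.enable();

# Only these stream wrappers are allowed; phar:// is blocked implicitly
sp.wrappers_whitelist.list("file,php");

# Functions that eval()'d code may not call
sp.eval_blacklist.list("system,exec,shell_exec,passthru,popen,proc_open");

# Virtual patch from the article: drop system() calls whose command
# argument contains shell metacharacters
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

# Block injection of extra sendmail options through mail()'s 5th argument
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();

# Run an external validator on every uploaded file (path is a placeholder)
sp.upload_validation.script("/usr/local/bin/validate_upload.py").enable();
```

Rules can be tested first with .simulation() in place of .drop(), which only logs the match instead of aborting the request.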

Source: opennet.ru
