Emingceleni yephrojekthi imojula yokuxhuma kumhumushi we-PHP7, eklanyelwe ukuthuthukisa ukuphepha kwendawo futhi uvimbele amaphutha avamile aholela ekubeni sengozini ekusebenziseni izinhlelo zokusebenza ze-PHP. Imojula futhi ikuvumela ukuthi udale ama-patches abonakalayo ukuze ulungise izinkinga ezithile ngaphandle kokushintsha ikhodi yomthombo yohlelo lokusebenza olusengozini, olulungele ukusetshenziswa ezinhlelweni zokubamba ngobuningi lapho kungenakwenzeka khona ukugcina zonke izinhlelo zokusebenza zabasebenzisi zisesikhathini. Imojula ibhalwe ngo-C, ixhunywe ngendlela yomtapo wolwazi okwabelwana ngawo (βextension=snuffleupagus.soβ ku-php.ini) kanye ilayisensi ngaphansi kwe-LGPL 3.0.
I-Snuffleupagus inikeza uhlelo lwemithetho oluvumela ukuthi usebenzise izifanekiso ezijwayelekile ukuze uthuthukise ukuphepha, noma udale imithetho yakho yokulawula idatha yokufaka kanye nemingcele yokusebenza. Isibonelo, umthetho othi βsp.disable_function.function(βsystemβ).param(βcommandβ).value_r(β[$|;&`\\n]β).drop();β ikuvumela ukuthi ukhawulele ukusetshenziswa kwezinhlamvu ezikhethekile kuma-agumenti omsebenzi wesistimu() ngaphandle kokushintsha uhlelo lokusebenza. Ngokufanayo, ungakha ukuvimbela ubungozi obaziwayo.
Uma sibheka izivivinyo ezenziwa abathuthukisi, i-Snuffleupagus ayinciphisi ukusebenza. Ukuze kuqinisekiswe ukuphepha kwayo (ubungozi obungaba khona kusendlalelo sokuvikela bungasebenza njengevekhtha eyengeziwe yokuhlaselwa), iphrojekthi isebenzisa ukuhlola okuphelele kokuzibophezela ngakunye ekusabalaliseni okuhlukene, isebenzisa amasistimu okuhlaziya amile, futhi ikhodi iyafomethwa futhi ibhalwe phansi ukuze kube lula ukuhlola.
Izindlela ezakhelwe ngaphakathi zinikezwa ukuvimba izigaba zobungozi njengezinkinga, ngokwenziwa kwedatha, ukusetshenziswa komsebenzi we-PHP mail(), ukuvuza kokuqukethwe kwe-Cookie ngesikhathi sokuhlaselwa kwe-XSS, izinkinga ngenxa yokulayisha amafayela anekhodi esebenzisekayo (ngokwesibonelo, ngefomethi ), ukukhiqizwa kwenombolo okungahleliwe kwekhwalithi empofu kanye ukwakhiwa okungalungile kwe-XML.
Izindlela ezilandelayo ziyasekelwa ukuthuthukisa ukuphepha kwe-PHP:
- Nika amandla ngokuzenzakalelayo amafulegi "avikelekile" kanye "ne-samesite" (ukuvikelwa kwe-CSRF) kumakhukhi, Ikhukhi;
- Isethi eyakhelwe ngaphakathi yemithetho ukuhlonza iminonjana yokuhlaselwa kanye nokuyekethisa kwezicelo;
- Kuphoqelelwe ukwenziwa kusebenze komhlaba wonke kwe-"" (isibonelo, ivimba umzamo wokucacisa iyunithi yezinhlamvu uma ulindele inani eliyingqikithi njengengxabano) kanye nokuvikelwa ;
- Ukuvimbela okuzenzakalelayo (ngokwesibonelo, ukuvimbela okuthi "phar://") ngokugunyazwa kwabo okusobala;
- Ukwenqatshelwa ekusebenziseni amafayela abhalekayo;
- Izinhlu ezimnyama nezimhlophe ze-eval;
- Kuyadingeka ukuze unike amandla ukuhlolwa kwesitifiketi se-TLS uma usebenzisa
curl; - Ukwengeza i-HMAC ezintweni ze-serialized ukuqinisekisa ukuthi i-deserialization ithola idatha egcinwe uhlelo lokusebenza lwangempela;
- Cela imodi yokungena;
- Ukuvimbela ukulayishwa kwamafayela angaphandle ku-libxml ngezixhumanisi kumadokhumenti e-XML;
- Ikhono lokuxhuma izibambi zangaphandle (upload_validation) ukuhlola nokuskena amafayela alayishiwe;
Le phrojekthi yadalwa futhi yasetshenziselwa ukuvikela abasebenzisi kwingqalasizinda yomunye wabaqhubi abakhulu abasingatha baseFrance. ukuthi ukumane ukuxhuma i-Snuffleupagus kuzovikela ezingozini eziningi eziyingozi ezihlonzwe kulo nyaka ku-Drupal, WordPress kanye ne-phpBB. Ubungozi ku-Magento ne-Horde bungavinjwa ngokunika amandla imodi
"sp.readonly_exec.enable()".
Source: opennet.ru