Until now, when updates were installed in WordPress, the main security guarantee was trust in the WordPress infrastructure and servers (after the download, a hash was checked, but the origin of the package was not verified). If the project's servers were compromised, attackers could tamper with an update and distribute malicious code to WordPress-based sites that use the automatic update installation system. Under the trusted-delivery model used until now, such a substitution would have gone unnoticed on the users' side.
Considering the fact that
In the case of digital signatures, gaining control of the update distribution server would not lead to the compromise of users' systems, because to carry out the attack one would also need to obtain the separately stored private key with which the updates are signed.
The implementation of verifying the origin of updates with a digital signature was held back by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently. The required cryptographic algorithms became available thanks to the integration of the library
The solution was
The algorithm used to generate the digital signatures
In the WordPress 5.2 release, digital signature verification for now covers only major platform updates and does not block an update automatically; it only notifies the user about the problem. It was decided not to enable automatic blocking right away, given the need for complete testing and for passing
In addition to support for digital signatures in WordPress 5.2, the following changes can be noted:
- Two new pages were added to the "Site Health" section for fixing common configuration problems, and a form was provided in which developers can leave debugging information for site administrators;
- An implementation of a "white screen of death" was added, shown in the event of fatal problems and helping the administrator independently fix problems related to plugins or themes by switching to a special crash-recovery mode;
- A plugin compatibility check system was introduced, which automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system will automatically block installation of that plugin;
- Added support for enabling modules with JavaScript code using webpack and Babel;
- Added a new privacy-policy.php template that allows the content of the privacy policy page to be customised;
- For themes, a wp_body_open hook handler was added, allowing code to be inserted immediately after the body tag;
- The minimum PHP version requirement was raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
- 13 new icons were added.
Additionally, one can note
The problem manifests itself in the code for uploading files to the server and allows the check for permitted file types to be bypassed and a PHP script to be uploaded to the server and then executed directly via the web. Interestingly, a similar vulnerability had already been identified in Live Chat last year (CVE-2018-12426); it allowed PHP code to be uploaded under the guise of an image by specifying a different content type in the content-type field. As part of that fix, an additional check was added against an allowlist and against the MIME content type. As it turns out, this check was implemented incorrectly and can be easily bypassed.
In particular, direct upload of files with the ".php" extension is not allowed, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blocklist. The allowlist permits only images to be uploaded, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check at the beginning of the file, it is enough to put the string "GIF89a" before the opening tag with the PHP code.
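The two weaknesses described above (a blocklist that misses .phtml and a MIME check that trusts the leading bytes) are shown here next to a hardened upload check. This is an added example, not code from WordPress or from the plugin discussed; it assumes the fileinfo and GD extensions, and all function and constant names are hypothetical.

```php
<?php
// Added example, not code from WordPress or from the plugin the article discusses.
// Assumes the fileinfo and GD extensions; all names here are hypothetical.
// Allowed extension => MIME type that libmagic reports for that image format.
const IMAGE_TYPES = ['gif' => 'image/gif', 'png' => 'image/png',
                     'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

// The weak pattern the article describes: block one extension and trust the
// leading bytes. "pic.gif.phtml" whose content starts with "GIF89a" passes.
function weak_image_check(string $name, string $data): bool {
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'php') {
        return false;                          // ".phtml" is not on the list
    }
    return strncmp($data, 'GIF89a', 6) === 0;  // header only, rest unchecked
}

// Hardened check: returns a server-chosen filename, or null to reject.
function strict_image_check(string $name, string $data): ?string {
    // 1. Allowlist every extension segment, so a second extension cannot hide
    //    an interpreter-mapped suffix such as .phtml behind .gif.
    $parts = explode('.', basename($name));
    if (count($parts) < 2) {
        return null;
    }
    array_shift($parts);                       // drop the base name
    foreach ($parts as $ext) {
        if (!isset(IMAGE_TYPES[strtolower($ext)])) {
            return null;
        }
    }
    $ext = strtolower(end($parts));
    // 2. Sniff the content with libmagic and require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if ($mime !== IMAGE_TYPES[$ext]) {
        return null;
    }
    // 3. A magic prefix alone is not an image: decode it fully. "GIF89a"
    //    followed by PHP code has no valid screen descriptor and fails here;
    //    storing a re-encoded copy instead of the raw bytes is stronger still.
    if (@imagecreatefromstring($data) === false) {
        return null;
    }
    // 4. Discard the user-supplied name; store under a random one, in a
    //    directory where script execution is disabled.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed polyglot from the article's description: it passes the weak
// check (returns true) and is rejected by the strict one (returns null).
$polyglot = "GIF89a<?php echo 'x'; ?>";
var_dump(weak_image_check('pic.gif.phtml', $polyglot));
var_dump(strict_image_check('pic.gif.phtml', $polyglot));
```

The extension allowlist alone already rejects the double extension; the decode step is what catches a file that carries a valid image header but is not an image.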
Source: opennet.ru