Hardening the PHP scripting language with Suhosin
2009-10-10 09:11
http://www.hardened-php.net/suhosin/
Hardened-PHP recently released a beta version of Suhosin, a system that raises PHP security at the source-code level. Whether a vulnerability is already known or not yet discovered, and whether it sits in an application or in the PHP core itself, Suhosin's safeguards are meant to stop it from doing damage.
Suhosin is a transliteration from Korean meaning roughly "guardian angel", but do not mistake Hardened-PHP for a Korean group: it is a site run jointly by three well-known PHP security experts and PHP core developers.
Suhosin has two parts. The first is a patch to the PHP core that provides low-level protection, for example against buffer overflows. The second is a PHP extension module that provides a number of protective features, including:
Transparent encryption and decryption of cookies
The option to disable the /e modifier of preg_replace()
The option to disable eval()
Prevention of infinite recursion by limiting the function-call nesting depth
Preventing applications from changing memory_limit
Protecting mail() against "newline attacks"
Protecting preg_replace() against "\0 attacks"
Transparent encryption and decryption of session data
Protecting sessions against hijacking
Filtering out any submitted variable whose name is a sensitive one such as GLOBALS, _GET or _COOKIE
Configurable limits on the number and length of submitted variables
Automatically blocking uploaded files that could be executed on the server
http://blog.m6699.com/diomedea/article/29073.html
http://www.93198.com/Article/wl/Php/3707.html
http://www.jefflei.com/post/295.html
When Apache's error log shows "configured request variable name length limit exceeded"
Earlier, while writing Picasa2Wordpress, I ran into a strange problem during testing: of the machines I had access to, it ran on all of them except one. Checking the apache2 log, I found the cause was the PHP suhosin module: by default a POST or GET variable name may be at most 64 characters, but the names Picasa POSTs are far longer than that, so the variables were blocked.
The fix is simple: edit /etc/php5/apache2/conf.d/suhosin.ini and add these three lines:
suhosin.request.max_varname_length=128
suhosin.get.max_name_length=128
suhosin.post.max_name_length=128
Done.
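Before raising a limit it helps to know how often it is actually tripped, by whom, and against which script. As an added example that is not code from any of the posts quoted on this page, the following Python snippet scans Apache error-log lines for Suhosin "dropped variable" alerts such as the "configured request variable name length limit exceeded" message above, and tallies them by reason, client and file. The log lines are constructed for the demonstration; the layout of an alert line around the quoted message (timestamp, "ALERT - ... (attacker '...', file '...')") is an assumption, so adjust ALERT_RE to match your own logs.

```python
import re
from collections import Counter

# Constructed variable name, 70 characters: longer than the 64-character
# default name limit mentioned in the Picasa2Wordpress note.
LONG_NAME = "picasa_image_description_field_number_" + "0" * 31 + "1"

NAME_LIMIT = "configured request variable name length limit exceeded"
VALUE_LIMIT = "configured POST variable value length limit exceeded"

def _alert_line(ts, client, reason, var, path):
    """Build a constructed Apache error-log line in the shape a Suhosin alert
    takes. The 'ALERT - <reason> - dropped variable' wording follows the message
    quoted in the note above; the rest of the layout is an assumption for this demo."""
    return (f"[{ts}] [error] [client {client}] ALERT - {reason} - dropped variable "
            f"'{var}' (attacker '{client}', file '{path}')")

# Constructed sample log: two name-limit hits from one client, one value-limit
# hit from another, and an unrelated Apache error that must be ignored.
SAMPLE_LOG = "\n".join([
    _alert_line("Sat Oct 10 09:11:00 2009", "192.0.2.10", NAME_LIMIT, LONG_NAME,
                "/var/www/picasa2wp/upload.php"),
    _alert_line("Sat Oct 10 09:11:01 2009", "192.0.2.10", NAME_LIMIT, LONG_NAME[:-1] + "2",
                "/var/www/picasa2wp/upload.php"),
    _alert_line("Sat Oct 10 09:12:30 2009", "198.51.100.7", VALUE_LIMIT, "bin",
                "/var/www/asciibin/post.php"),
    "[Sat Oct 10 09:13:00 2009] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/favicon.ico",
])

ALERT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] ALERT - (?P<reason>.+?) - dropped variable "
    r"'(?P<var>[^']*)' \(attacker '(?P<attacker>[^']+)', file '(?P<file>[^']+)'\)"
)

def parse_suhosin_alerts(log_text):
    """Return one dict per 'dropped variable' alert; other log lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["name_length"] = len(rec["var"])
            alerts.append(rec)
    return alerts

def summarize(alerts):
    """Tally alerts by reason, client and file, and record the longest dropped
    name. Repeated hits for one reason, from one client, against one script
    usually mean an application whose requests legitimately exceed the limit,
    which is the case where raising the setting is the right fix."""
    return {
        "by_reason": dict(Counter(a["reason"] for a in alerts)),
        "by_client": dict(Counter(a["attacker"] for a in alerts)),
        "by_file": dict(Counter(a["file"] for a in alerts)),
        "longest_name": max((a["name_length"] for a in alerts), default=0),
    }

if __name__ == "__main__":
    summary = summarize(parse_suhosin_alerts(SAMPLE_LOG))
    for reason, n in summary["by_reason"].items():
        print(f"{n:3d}  {reason}")
    print("longest dropped name:", summary["longest_name"], "characters")
```

On a real server, feed the function the contents of Apache's error log instead of SAMPLE_LOG; the longest dropped name tells you what value of suhosin.request.max_varname_length the application actually needs, rather than guessing.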
http://advosys.ca/papers/web/62-php-hardening-suhosin.html
I've always compiled Suhosin with any of the Apache builds I've made in WHM on production/public servers. On every server CodeCall has been on, it has been there. The purpose of Suhosin is to protect servers and users from known flaws in PHP.
I never had a problem with it before. I've seen it strip variables and prevent server requests in the log files and it always seemed to help. Last night I ran into something annoying: Suhosin limits the character length for any request variable. It doesn't truncate the value as you might expect, it drops the variable completely.
I needed the ability to post considerably long string queries for ASCIIBin. For some reason the variables were being dropped and an empty BIN was being created. I couldn't figure out why. It worked fine on my test box (which didn't have suhosin) and I could see the data before actual POST using JavaScript. After some time I came to realize that Suhosin was the culprit.
The Fix
Taking a look at the documentation for Suhosin, you can figure out fairly quickly that post.max_value_length is the configuration variable limiting character size.
Quote:
Defines the maximum length of a variable that is registered through a POST request.
The default character limit is 65,000.
Method 1: Obviously, you can just disable Suhosin to fix the problem. Remove the suhosin.o file from your php.ini config file and restart Apache.
Method 2: You probably want to keep Suhosin around, so a different approach is to edit the configuration file. The file is named suhosin.ini, following the PHP ini configuration system. I added these lines:
Code:
suhosin.post.max_vars = 5000
suhosin.post.max_value_length = 500000
suhosin.request.max_vars = 5000
suhosin.request.max_value_length = 500000
Restart apache.
Method 3: Alternatively, you can change these values per user using .htaccess. Edit the .htaccess file in the user directory and set the parameters to what you want. Here is an example:
Code:
php_value suhosin.post.max_vars 5000
php_value suhosin.post.max_value_length 500000
php_value suhosin.request.max_vars 5000
php_value suhosin.request.max_value_length 500000
Conclusion
I hope this helps you if you ever run into the same situation. Perhaps it will save you some time. I know that if there had been a post labeled "PHP POST character limit" indexed by Google, I would have saved an hour of my time. Alas, there isn't, so I'm making one.
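The two fixes on this page, the Picasa2Wordpress name-length settings and the ASCIIBin value-length settings above, adjust limits that Suhosin enforces by dropping the offending variable outright rather than truncating it. As an added example, which is neither Suhosin's code nor code from either post, the following Python snippet reads settings in both syntaxes shown here (suhosin.ini "key = value" lines and .htaccess "php_value key value" lines) and models that filter over a constructed POST, so you can see which variables would survive a configuration before deploying it. The 64-character name default and the 65000-character POST value default are the figures the posts give; the max_vars default of 1000, the request.max_value_length default, and the rule that the stricter of the request.* and post.* settings wins are assumptions about Suhosin's behaviour, not values stated on the page.

```python
import re

# Defaults as the page gives them: 64-character name limits (Picasa2Wordpress
# note) and a 65000-character POST value limit (ASCIIBin post). The 1000 for
# max_vars and the request.max_value_length figure are assumptions about
# Suhosin's defaults, not values stated on the page.
DEFAULTS = {
    "suhosin.request.max_varname_length": 64,
    "suhosin.get.max_name_length": 64,
    "suhosin.post.max_name_length": 64,
    "suhosin.post.max_value_length": 65000,
    "suhosin.request.max_value_length": 65000,
    "suhosin.post.max_vars": 1000,
    "suhosin.request.max_vars": 1000,
}

# Matches "suhosin.x.y = N" (suhosin.ini) and "php_value suhosin.x.y N" (.htaccess)
SETTING_RE = re.compile(r"^(?:php_value\s+)?(suhosin\.[\w.]+)\s*=?\s*(\d+)$")

def parse_settings(text, defaults=DEFAULTS):
    """Read limits from either syntax shown on the page. Unknown keys are
    ignored; any limit not mentioned keeps its default."""
    limits = dict(defaults)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # ini and htaccess comments
        m = SETTING_RE.match(line)
        if m and m.group(1) in limits:
            limits[m.group(1)] = int(m.group(2))
    return limits

def filter_post(variables, limits):
    """Model of Suhosin's POST filter: a variable whose name or value is over
    the limit is dropped whole, never truncated, and variables beyond max_vars
    are dropped as well. Assumed here: the stricter of the request.* and post.*
    settings applies. Returns (kept, dropped); dropped maps name -> reason."""
    name_limit = min(limits["suhosin.request.max_varname_length"],
                     limits["suhosin.post.max_name_length"])
    value_limit = min(limits["suhosin.request.max_value_length"],
                      limits["suhosin.post.max_value_length"])
    max_vars = min(limits["suhosin.request.max_vars"], limits["suhosin.post.max_vars"])
    kept, dropped = {}, {}
    for name, value in variables:
        if len(name) > name_limit:
            dropped[name] = f"name length {len(name)} > {name_limit}"
        elif len(value) > value_limit:
            dropped[name] = f"value length {len(value)} > {value_limit}"
        elif len(kept) >= max_vars:
            dropped[name] = f"variable count > {max_vars}"
        else:
            kept[name] = value
    return kept, dropped

# Constructed POST resembling both cases on the page: a 75-character
# Picasa-style field name and a 70000-character ASCIIBin-style body.
LONG_NAME = "picasa_image_description_" + "x" * 50
SAMPLE_POST = [("title", "hello"), (LONG_NAME, "a caption"), ("bin", "A" * 70000)]

INI_FIX = """
; raised name limits, the three lines from the Picasa2Wordpress note
suhosin.request.max_varname_length=128
suhosin.get.max_name_length=128
suhosin.post.max_name_length=128
; raised value limits, as in the ASCIIBin post
suhosin.post.max_value_length = 500000
suhosin.request.max_value_length = 500000
"""

HTACCESS_FIX = """
# per-directory override in the .htaccess syntax from the ASCIIBin post
php_value suhosin.post.max_value_length 500000
php_value suhosin.request.max_value_length 500000
"""

def compare(settings_text):
    """Run the constructed POST through the defaults and through the given
    settings, returning the two (kept, dropped) results side by side."""
    return (filter_post(SAMPLE_POST, DEFAULTS),
            filter_post(SAMPLE_POST, parse_settings(settings_text)))

if __name__ == "__main__":
    before, after = compare(INI_FIX)
    print("dropped with defaults:      ", before[1])
    print("dropped with suhosin.ini fix:", after[1])
```

With the defaults, the model drops both the long field name and the long body while "title" survives, which is exactly the "empty BIN" symptom described above; with the suhosin.ini lines all three variables pass, while the .htaccess fragment, which only raises the value limits, still drops the long name. Raising a limit only as far as the application needs keeps the protection against oversized requests that the setting exists for.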