This is where I post snippets of information about Information Technology. It is mostly for my own reference but I hope that others will find it useful and comments are welcome.
Thursday, June 16, 2011
Example of getopts and HEREDOC in shell script
#!/bin/sh
prog=$(basename "$0")

# Print the usage line followed by an optional explanation ($1).
usage () {
    msg=$1
    cat <<EOT
usage: $prog [-h][-y][-r <message>]
$msg
EOT
}

#
# handle options here
#
helpFlag=0
reportFlag=0
yesFlag=0
reportMessage='none'
# The leading ':' puts getopts in silent mode: an unknown option comes back
# as '?' and a missing option argument as ':', with the letter in $OPTARG.
while getopts ':hr:y' OPTION
do
    case $OPTION in
        h) helpFlag=1
           ;;
        r) reportFlag=1
           reportMessage="$OPTARG"
           ;;
        y) yesFlag=1
           ;;
        :) usage "Option -$OPTARG requires an argument."
           exit 1
           ;;
        ?) usage "Unknown arg [-$OPTARG]"
           exit 1
           ;;
    esac
done
shift $(($OPTIND - 1))   # drop the parsed options; "$@" now holds the operands

if [ "$helpFlag" -eq 1 ]
then
    usage "Help called."
    exit 0
fi

cat <<EOT
The report flag is $reportFlag and reportMessage is "$reportMessage".
The yes flag is $yesFlag.
EOT
Monday, June 13, 2011
Some PHP best practices
Set open_basedir to the web root. That way PHP scripts can't open or include files anywhere else (especially in /tmp).
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
There is really no need for most of those functions. phpinfo can be useful for troubleshooting and version checking, but it is great recon as well, and exec and system are equally powerful and useful to an attacker. The posix_* functions should be deprecated but they're not, so nuke those as well (not shown above). Check the spelling of every name in the list: a misspelled entry silently disables nothing.
Don't display errors to users (display_errors = off).
Turn off register globals (register_globals = off). There is so much wrong with this feature, and yet it defaulted to on in early 4.x and all of 3.x. Scary.
File uploads are a mixed bag. On one hand they are useful; on the other, if you know the path to the upload directory it is easy to upload a file and then execute it. Forums like vBulletin / SMF / phpBB depend on uploading files, pictures and so on that way. For professional apps a Java applet is better suited to file handling. It's six of one and half a dozen of the other, though (file_uploads = off). If you do allow uploads, store them outside the web root, set a maximum size, and move them (manually or by script) only after they've been verified.
Don't allow remote includes (allow_url_fopen = off and allow_url_include = off)
Run PHP as a CGI versus CLI
Don't rely on safe_mode. It's a joke and doesn't do what people expect/think it does. That, and it's being removed in v6 anyway.
There's more, but beyond that one has to look at the Apache/Lighttpd/LiteSpeed/IIS config as well, since the two largely go hand in hand. Making sure your httpd.conf and .htaccess templates are solid is just as important. You can also delve into the need to "fix" the /tmp directory and any shared memory as well.
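Added example (not from the original post): a small POSIX shell audit that reads a php.ini and reports which of the settings listed above are still weak. The directive names are PHP's own; the two sample php.ini files it writes are constructed for the dry run and the short disable_functions subset it checks is an assumption.

```shell
#!/bin/sh
# Audit a php.ini against the settings listed above. Prints one line per
# weak or missing setting; the return status is the number of findings,
# so 0 means every checked directive is hardened.
# Effective value of a directive: last uncommented assignment, with any
# trailing ";" comment, quotes and upper case removed.
ini_value () {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tr -d '"' | tr 'A-Z' 'a-z'
}
audit_php_ini () {
    ini=$1
    findings=0
    # Directives the post says to turn off.
    for d in display_errors register_globals allow_url_fopen allow_url_include file_uploads; do
        v=$(ini_value "$ini" "$d")
        case "$v" in
            off|0) ;;
            "")    echo "$d: not set, PHP's default applies"; findings=$((findings + 1)) ;;
            *)     echo "$d = $v: should be Off"; findings=$((findings + 1)) ;;
        esac
    done
    # open_basedir must be set (to the web root) to confine file access.
    if [ -z "$(ini_value "$ini" open_basedir)" ]; then
        echo "open_basedir: not set"; findings=$((findings + 1))
    fi
    # A subset of the disable_functions list above (assumed minimum).
    disabled=",$(ini_value "$ini" disable_functions | tr -d ' '),"
    for fn in exec system shell_exec passthru proc_open phpinfo; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "disable_functions: $fn is still enabled"; findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}
# Constructed sample configs (not from any real server) for a dry run.
write_weak_ini () {
    printf '%s\n' '; constructed sample' 'display_errors = On' \
        'register_globals = Off' 'allow_url_fopen = On' 'allow_url_include = Off' \
        'file_uploads = On ; avatars' 'disable_functions = exec, system, phpinfo' > "$1"
}
write_hardened_ini () {
    printf '%s\n' 'display_errors = Off' 'register_globals = Off' \
        'allow_url_fopen = Off' 'allow_url_include = Off' 'file_uploads = Off' \
        'open_basedir = /var/www/html' \
        'disable_functions = exec, system, shell_exec, passthru, proc_open, phpinfo' > "$1"
}
```

Run it as `audit_php_ini /path/to/php.ini` after sourcing the file; the weak sample above yields seven findings, the hardened one none.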