[Repost/Translation] Xoops and SUHOSIN

Support Team
SUHOSIN is a PHP extension from the Hardened PHP Project. Its purpose is to protect the server from various attacks. It is becoming popular among hosting providers. One of its techniques is to limit the number of variables in $_POST, $_GET and $_REQUEST.

Xoops puts lots of variables in $_POST when modules update group permissions (groupperm.php). For example, in User Profile, which comes as an optional module with the core, ‘editable from profile’ can be set to Yes or No for each group on each of the 21 standard fields.

With a standard install of SUHOSIN the permissions tab in User Profile will not work with more than four groups – yes FOUR groups!

Here’s why. SUHOSIN’s default limit for the maximum number of variables in $_POST is 200. It seems to count both the ‘index’ and ‘value’ bits within $_POST as separate variables, so updating the permissions in User Profile with four groups results in 4 x 21 x 2 = 168 and with five groups it’s 210. So with more than four groups it fails.

This problem will also show up when updating a single category/topic/item within a module where you have lots of groups. For example, in the News module, submit, approve and view permissions are set in each topic, so here you are limited to 33 groups (33 x 3 x 2 = 198). This might sound like a lot of groups, but with XOOPS modules offering fine-grained control over their categories/topics, a site with several modules can easily exceed this. Groups are good and add power to the system.

[...]

Original: http://dev.xoopsengine.org/?p=10
2/13 15:13
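Added example (not part of the original post, and not XOOPS or Suhosin code): a PHP check that counts the entries a permissions form would submit and compares them, using the post's apparent x2 counting, against the input-variable limits in effect. The directive names `suhosin.post.max_vars`, `suhosin.request.max_vars` and `max_input_vars` do not appear in the post, and the `perms` array is constructed sample data.

```php
<?php
// Added example; field names and sample data below are constructed.

// Assumption taken from the post: each permission entry seems to count twice.
const COUNT_FACTOR = 2;

// Count the leaf values of a nested request array (one per submitted field).
function count_leaves(array $data): int
{
    $n = 0;
    foreach ($data as $value) {
        $n += is_array($value) ? count_leaves($value) : 1;
    }
    return $n;
}

// Read the limits that can cap a POST. ini_get() returns false when the
// directive is not registered, e.g. when the Suhosin extension is not loaded.
function input_var_limits(): array
{
    $limits = [];
    foreach (['suhosin.post.max_vars', 'suhosin.request.max_vars', 'max_input_vars'] as $name) {
        $value = ini_get($name);
        if ($value !== false && (int) $value > 0) {
            $limits[$name] = (int) $value;
        }
    }
    return $limits;
}

// Return the directives that a form with $entries permission entries exceeds.
function exceeded_limits(int $entries, array $limits): array
{
    $counted = $entries * COUNT_FACTOR;
    return array_filter($limits, fn(int $max): bool => $counted > $max);
}

// Constructed sample: 5 groups x 21 profile fields, the User Profile case.
$perms = [];
for ($group = 1; $group <= 5; $group++) {
    for ($field = 1; $field <= 21; $field++) {
        $perms[$group][$field] = 1;
    }
}
$entries = count_leaves(['perms' => $perms]);
// Without Suhosin loaded, fall back to the default of 200 quoted in the post.
$limits = input_var_limits() + ['suhosin.post.max_vars' => 200];
foreach (exceeded_limits($entries, $limits) as $name => $max) {
    printf("%d entries count as %d, over %s=%d\n", $entries, $entries * COUNT_FACTOR, $name, $max);
}
```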