parent
40440fd817
commit
a80c3d1e3d
@ -0,0 +1,42 @@ |
||||
Please note that main.inc.php, which should be called by index.php or main.page, does |
||||
the following: |
||||
|
||||
unset($_REQUEST); |
||||
unset($_GET); |
||||
unset($_POST); |
||||
|
||||
So, you must use a Sanitizer to get those input vars!!! |
||||
...in your input file: |
||||
use \bs_tts\use_io as IO; |
||||
... |
||||
$required_post_string_field = new IO(); |
||||
$required_post_string_field->input_type = INPUTS::post; |
||||
$required_post_string_field->field_filter = FIELD_FILTER::raw_string; |
||||
$required_post_string_field->escape_html = HTML_FLAG::escape; |
||||
$required_post_string_field->validation_rule = 'required'; |
||||
$required_post_string_field->use_db_filter = DB_FILTER::OFF; |
||||
$required_post_string_field->skip_the_db = false; |
||||
return [ |
||||
'name' => $required_post_string_field, |
||||
'address' => $required_post_string_field, |
||||
]; |
||||
|
||||
...After that, in your output file, you will pass in the input data of type IO: |
||||
use \bs_tts\safer_io as SafeIO; |
||||
... |
||||
$safer_html = []; |
||||
$errors = []; |
||||
foreach(SafeIO::html_escape_and_sanitize($input) as $html) { |
||||
$key = $html['name'] ?? ""; |
||||
$safer_html[$key] = $html['html']; |
||||
|
||||
if (\bs_tts\common::get_count($html['errors'])) { |
||||
$errors[$key] = $html['errors'][$key]; |
||||
} |
||||
} |
||||
... |
||||
Alternatively; use the built in PHP filter_input function. |
||||
|
||||
Likewise, if not using sanitize... then for all HTML output use |
||||
\bs_tts\safer_io::h(...) to escape it. |
||||
|
||||
@ -1,27 +1,13 @@ |
||||
These are my suggestions to lock things down, make a group called let's say coders. |
||||
The group coders is all the web developers on your team. |
||||
|
||||
# So let's make the group for coders: |
||||
$sudo groupadd -g 10000 coders |
||||
# Let's add out first web developer to the new group called coders: |
||||
$sudo usermod -a -G yourUSERNAME coders |
||||
|
||||
# If you made the coders group, let's assign it to the project: |
||||
sudo chgrp -R coders /var/www/new_dev/ |
||||
# Let's make that group Sticky, so new files/folder will belong to it: |
||||
sudo find /var/www/new_dev/ -type d -exec chmod g+s {} \; |
||||
# Let's allow coders to read/write to the project, but everyone else like |
||||
# ... the web server have just Read access. |
||||
sudo find /var/www/new_dev/ -type f -exec chmod 664 {} \; |
||||
# Assign Read/Write/eXecute to all coders and |
||||
# ... execute bit only for others like web-server, etc...to the view files/folders. |
||||
sudo find /var/www/new_dev/ -type d -exec chmod 775 {} \; |
||||
sudo find /var/www/tts_project/ -type f -exec chmod 664 {} \; |
||||
sudo find /var/www/tts_project/ -type d -exec chmod 775 {} \; |
||||
|
||||
# Assuming your web server belongs to the group called www-data, let's allow the |
||||
# ... server to modify these important folders only: |
||||
sudo chgrp -R www-data /var/www/new_dev/logs |
||||
sudo chgrp -R www-data /var/www/new_dev/configs |
||||
sudo chgrp -R www-data /var/www/new_dev/services |
||||
sudo chgrp -R www-data /var/www/tts_project/logs |
||||
sudo chgrp -R www-data /var/www/tts_project/configs |
||||
sudo chgrp -R www-data /var/www/tts_project/services |
||||
|
||||
# So, you probably want to allow cron-jobs to run code. Let's make it executable: |
||||
sudo chown +x /var/www/new_dev/cli_cron |
||||
sudo chown +x /var/www/tts_project/cli_cron |
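Review bot: Two of the commands do not do what their comments say: `usermod -a -G` takes the group first and the user second, so `sudo usermod -a -G yourUSERNAME coders` tries to add a user named coders to a group named yourUSERNAME and should read `sudo usermod -a -G coders yourUSERNAME`, and `chown +x` is not a permission change at all, so the cron lines need `sudo chmod +x /var/www/new_dev/cli_cron` (likewise for tts_project). The `g+s` step sets the setgid bit, not the sticky bit, so the comment should say "setgid" to stop readers reaching for `+t`. Handing `configs` and `services` to group www-data while files stay 664 makes the application's own configuration writable by the web server process, so any file-write bug in the app becomes config tampering and persistence; I would keep those read-only for www-data (e.g. `chmod 640` on config files) and grant group write on `logs` only, unless the app genuinely rewrites them at runtime. The old and new sides of this hunk are interleaved on the page, so I am assuming these lines survive in the new version.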
||||
@ -1,45 +1,43 @@ |
||||
location ^~ /frames/tts_framework/src/ { |
||||
deny all; |
||||
return 403; |
||||
} |
||||
# Become Root: |
||||
$sudo -i |
||||
|
||||
location ^~ /frames/tts_framework/vendor/ { |
||||
deny all; |
||||
return 403; |
||||
} |
||||
$ cd /etc/nginx/sites-enabled |
||||
$ cp default tts_project |
||||
$ nano tts_project |
||||
Some where in side of your SERVER BLOCK, add the following: |
||||
|
||||
location ^~ /tts_project/vendor/ { |
||||
deny all; |
||||
return 403; |
||||
} |
||||
|
||||
location ^~ /tts_project/src/ { |
||||
deny all; |
||||
return 403; |
||||
} |
||||
root /var/www/tts_project/public; |
||||
|
||||
location /tts_project/ { |
||||
# ONLY allow these DOMAINS: |
||||
if ( $http_host !~* ^(127.0.0.1|localhost|mysite.com)$ ) { |
||||
return 444; |
||||
} |
||||
index main.page; |
||||
|
||||
rewrite ^/tts_project/([^/]*)/([^/]*)/([^/]*)/([^/]*)\.html$ /tts_project/index.php?project=$1&route=/$2/$3&m=$4 last; |
||||
try_files $uri $uri/ =404; |
||||
} |
||||
error_log /var/log/nginx/tts.log; |
||||
|
||||
location ~ /\.ht { |
||||
deny all; |
||||
} |
||||
server_name YOUR-WEB-SITE_DOMAIN_GOES_HERE!!; |
||||
|
||||
location ~ /\.git { |
||||
deny all; |
||||
location / { |
||||
gzip_static on; |
||||
try_files $uri /main.page$is_args$args; |
||||
} |
||||
|
||||
location ~ composer.* { |
||||
deny all; |
||||
} |
||||
location = /main.page { |
||||
gzip on; |
||||
# Replace php-fpm with unix:/var/run/php/php8.2-fpm.sock |
||||
# Your Version of PHP goes there... 8.2 or later... |
||||
fastcgi_pass php-fpm; |
||||
|
||||
fastcgi_split_path_info ^(.+?\.page)(/.*)$; |
||||
try_files $fastcgi_script_name =404; |
||||
set $path_info $fastcgi_path_info; |
||||
fastcgi_param PATH_INFO $path_info; |
||||
fastcgi_index main.page; |
||||
include fastcgi.conf; |
||||
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename; |
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name; |
||||
|
||||
|
||||
location ~ README { |
||||
deny all; |
||||
# fastcgi_intercept_errors on; |
||||
# mirror @logging; |
||||
# mirror_request_body off; |
||||
} |
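Review bot: The Host allow-list in `if ( $http_host !~* ^(127.0.0.1|localhost|mysite.com)$ )` sits inside `location /tts_project/`, so `/`, `/main.page` and the `/frames/...` paths are still served for any Host header, the unescaped dots match any character, and `$http_host` carries the port when one is present, so `localhost:8080` is rejected while `mysiteXcom` is accepted. Host filtering belongs at the server level: list the accepted names in `server_name` and let a `default_server` block drop everything else with 444, which also removes the `if` from the location (nginx's "if is evil" caveat applies to `if` inside `location`). The old and new sides of this hunk are interleaved on the page, so I am assuming the `if` block is on the new side; the `server_name YOUR-WEB-SITE_DOMAIN_GOES_HERE!!;` placeholder shown nearby is where the names would go. The `location ~ /\.git {` block also appears to lack its closing brace before `location / {`, which may only be the rendering, but is worth checking with `nginx -t`.
```nginx
# Catch-all: requests whose Host header matches no server_name below are
# dropped without a response (444) instead of falling into the project block.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# … unchanged: project server block (root, locations, fastcgi) …
server_name 127.0.0.1 localhost mysite.com;
```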
||||
@ -1,7 +0,0 @@ |
||||
$prj = $_GET['project'] ?? false; |
||||
if ($prj === 'mockup') { |
||||
ini_set('display_errors', 1); |
||||
ini_set('display_startup_errors', 1); |
||||
error_reporting(E_ALL); |
||||
} |
||||
|
||||