養鴨宗師: security

2024-09-13

TOMCAT設定特定目錄不得執行JSP及JSPX

如果網站允許使用者上傳檔案，通常會禁止上傳可執行檔(如jsp & jspx)，

除了檢查副檔名外，也可在app的web.xml加上以下設定，讓jsp/jspx變成唯讀：

<servlet-name>DefaultServlet</servlet-name>

<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>

<init-param>

<param-name>readonly</param-name>

<param-value>true</param-value>

</init-param>

<load-on-startup>1</load-on-startup>

</servlet>

<servlet-mapping>

<servlet-name>DefaultServlet</servlet-name>

<url-pattern>/path/to/upload/*</url-pattern>

</servlet-mapping>

但像jspx一般也很少人會去寫，建議直接在tomcat/conf/web.xml禁用：

<servlet-mapping>

<servlet-name>jsp</servlet-name>

<url-pattern>*.jsp</url-pattern>

</servlet-mapping>

2015-02-03

.htaccess
http://www.socss.cn/2011/php_0902/167.html

php.ini
http://jamesbond0479.blog.163.com/blog/static/241475820115231759458/

在php的生產環境下建議做一些額外的安全措施:
enable_dl = Off
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source

如果你建立的是虛擬主機那麼你需要一份更長的函數列表：
disable_functions = escapeshellarg, escapeshellcmd, exec, passthru, proc_close, proc_get_status, proc_open, proc_nice, proc_terminate, shell_exec, system, ini_restore, popen, dl, disk_free_space, diskfreespace, set_time_limit, tmpfile, fopen, readfile, fpassthru, fsockopen, mail, ini_alter, highlight_file, openlog, show_source, symlink, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note,apache_setenv, parse_ini_file

2024-09-13

TOMCAT設定特定目錄不得執行JSP及JSPX

2015-02-03

APACHE & PHP 基本安全設定