git.immae.eu Git - github/shaarli/Shaarli.git/blame - doc/html/Security/index.html
docker: remove `dev` image, update documentation
53ed6d7d 1<!DOCTYPE html>
2<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
3<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
4<head>
5 <meta charset="utf-8">
6 <meta http-equiv="X-UA-Compatible" content="IE=edge">
7 <meta name="viewport" content="width=device-width, initial-scale=1.0">
8
9
10 <link rel="shortcut icon" href="../img/favicon.ico">
11 <title>Security - Shaarli Documentation</title>
12 <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
13
14 <link rel="stylesheet" href="../css/theme.css" type="text/css" />
15 <link rel="stylesheet" href="../css/theme_extra.css" type="text/css" />
16 <link rel="stylesheet" href="../css/highlight.css">
17 <link href="../github-markdown.css" rel="stylesheet">
18
19 <script>
20 // Current page data
21 var mkdocs_page_name = "Security";
22 var mkdocs_page_input_path = "Security.md";
23 var mkdocs_page_url = "/Security/";
24 </script>
25
26 <script src="../js/jquery-2.1.1.min.js"></script>
27 <script src="../js/modernizr-2.8.3.min.js"></script>
28 <script type="text/javascript" src="../js/highlight.pack.js"></script>
29
30</head>
31
32<body class="wy-body-for-nav" role="document">
33
34 <div class="wy-grid-for-nav">
35
36
37 <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
38 <div class="wy-side-nav-search">
39 <a href=".." class="icon icon-home"> Shaarli Documentation</a>
40 <div role="search">
41 <form id ="rtd-search-form" class="wy-form" action="../search.html" method="get">
42 <input type="text" name="q" placeholder="Search docs" />
43 </form>
44</div>
45 </div>
46
47 <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
48 <ul class="current">
49
50
51 <li class="toctree-l1">
52
53 <a class="" href="..">Home</a>
54 </li>
55
56 <li class="toctree-l1">
57
58 <span class="caption-text">Setup</span>
59 <ul class="subnav">
60 <li class="">
61
62 <a class="" href="../Download-and-Installation/">Download and Installation</a>
63 </li>
64 <li class="">
65
66 <a class="" href="../Upgrade-and-migration/">Upgrade and migration</a>
67 </li>
68 <li class="">
69
70 <a class="" href="../Server-requirements/">Server requirements</a>
71 </li>
72 <li class="">
73
74 <a class="" href="../Server-configuration/">Server configuration</a>
75 </li>
76 <li class="">
77
78 <a class="" href="../Server-security/">Server security</a>
79 </li>
80 <li class="">
81
82 <a class="" href="../Shaarli-configuration/">Shaarli configuration</a>
83 </li>
84 <li class="">
85
86 <a class="" href="../Plugins/">Plugins</a>
87 </li>
88 </ul>
89 </li>
90
91 <li class="toctree-l1">
92
93 <span class="caption-text">Docker</span>
94 <ul class="subnav">
95 <li class="">
96
97 <a class="" href="../Docker-101/">Docker 101</a>
98 </li>
99 <li class="">
100
101 <a class="" href="../Shaarli-images/">Shaarli images</a>
102 </li>
103 <li class="">
104
105 <a class="" href="../Reverse-proxy-configuration/">Reverse proxy configuration</a>
106 </li>
107 <li class="">
108
109 <a class="" href="../Docker-resources/">Docker resources</a>
110 </li>
111 </ul>
112 </li>
113
114 <li class="toctree-l1">
115
116 <span class="caption-text">Usage</span>
117 <ul class="subnav">
118 <li class="">
119
120 <a class="" href="../Features/">Features</a>
121 </li>
122 <li class="">
123
124 <a class="" href="../Bookmarklet/">Bookmarklet</a>
125 </li>
126 <li class="">
127
128 <a class="" href="../Browsing-and-searching/">Browsing and searching</a>
129 </li>
130 <li class="">
131
132 <a class="" href="../Firefox-share/">Firefox share</a>
133 </li>
134 <li class="">
135
136 <a class="" href="../RSS-feeds/">RSS feeds</a>
137 </li>
138 <li class="">
139
140 <a class="" href="../REST-API/">REST API</a>
141 </li>
142 </ul>
143 </li>
144
145 <li class="toctree-l1">
146
147 <span class="caption-text">How To</span>
148 <ul class="subnav">
149 <li class="">
150
151 <a class="" href="../Backup,-restore,-import-and-export/">Backup, restore, import and export</a>
152 </li>
153 <li class="">
154
0433c688 155 <a class="" href="../Various-hacks/">Various hacks</a>
53ed6d7d 156 </li>
157 </ul>
158 </li>
159
160 <li class="toctree-l1">
161
162 <a class="" href="../Troubleshooting/">Troubleshooting</a>
163 </li>
164
165 <li class="toctree-l1">
166
167 <span class="caption-text">Development</span>
168 <ul class="subnav">
169 <li class="">
170
171 <a class="" href="../Development-guidelines/">Development guidelines</a>
172 </li>
173 <li class="">
174
175 <a class="" href="../Continuous-integration-tools/">Continuous integration tools</a>
176 </li>
177 <li class="">
178
179 <a class="" href="../GnuPG-signature/">GnuPG signature</a>
180 </li>
181 <li class="">
182
183 <a class="" href="../Coding-guidelines/">Coding guidelines</a>
184 </li>
185 <li class="">
186
187 <a class="" href="../Directory-structure/">Directory structure</a>
188 </li>
189 <li class="">
190
191 <a class="" href="../3rd-party-libraries/">3rd party libraries</a>
192 </li>
193 <li class="">
194
195 <a class="" href="../Plugin-System/">Plugin System</a>
196 </li>
197 <li class="">
198
199 <a class="" href="../Release-Shaarli/">Release Shaarli</a>
200 </li>
201 <li class="">
202
203 <a class="" href="../Versioning-and-Branches/">Versioning and Branches</a>
204 </li>
205 <li class=" current">
206
207 <a class="current" href="./">Security</a>
208 <ul class="subnav">
209
210 <li class="toctree-l3"><a href="#client-browser">Client browser</a></li>
211
212
213 <li class="toctree-l3"><a href="#php">PHP</a></li>
214
215
216 <li class="toctree-l3"><a href="#server-and-sessions">Server and sessions</a></li>
217
218
219 <li class="toctree-l3"><a href="#shaarli-datastore-and-configuration">Shaarli datastore and configuration</a></li>
220
221
222 </ul>
223 </li>
224 <li class="">
225
226 <a class="" href="../Static-analysis/">Static analysis</a>
227 </li>
228 <li class="">
229
230 <a class="" href="../Theming/">Theming</a>
231 </li>
232 <li class="">
233
234 <a class="" href="../Unit-tests/">Unit tests</a>
235 </li>
236 </ul>
237 </li>
238
239 <li class="toctree-l1">
240
241 <span class="caption-text">About</span>
242 <ul class="subnav">
243 <li class="">
244
245 <a class="" href="../FAQ/">FAQ</a>
246 </li>
247 <li class="">
248
249 <a class="" href="../Community-&-Related-software/">Community & Related software</a>
250 </li>
251 </ul>
252 </li>
253
254 </ul>
255 </div>
256 &nbsp;
257 </nav>
258
259 <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
260
261
262 <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
263 <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
264 <a href="..">Shaarli Documentation</a>
265 </nav>
266
267
268 <div class="wy-nav-content">
269 <div class="rst-content">
270 <div role="navigation" aria-label="breadcrumbs navigation">
271 <ul class="wy-breadcrumbs">
272 <li><a href="..">Docs</a> &raquo;</li>
273
274
275
276 <li>Development &raquo;</li>
277
278
279
280 <li>Security</li>
281 <li class="wy-breadcrumbs-aside">
282
283 <a href="https://github.com/shaarli/Shaarli/edit/master/docs/Security.md"
284 class="icon icon-github"> Edit on GitHub</a>
285
286 </li>
287 </ul>
288 <hr/>
289</div>
290 <div role="main">
291 <div class="section">
292
293 <h2 id="client-browser">Client browser</h2>
294<ul>
295<li>Shaarli relies on <code>HTTP_REFERER</code> for some functions (like redirects and clicking on tags). If you have disabled or masqueraded <code>HTTP_REFERER</code> in your browser, some features of Shaarli may not work.</li>
296</ul>
297<h2 id="php">PHP</h2>
298<ul>
299<li><code>magic_quotes</code> is a horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with <code>magic_quotes</code> on, so you should not be bothered even on crappy hosts.</li>
300</ul>
301<h2 id="server-and-sessions">Server and sessions</h2>
302<ul>
303<li>Directories are protected using <code>.htaccess</code> files.</li>
304<li>Forms are protected against XSRF (cross-site request forgery):<ul>
305<li>Forms which act on data (save, delete…) contain a token generated by the server.</li>
306<li>Any posted form which does not contain a valid token is rejected.</li>
307<li>Any token can only be used once.</li>
308<li>Tokens are attached to the session and cannot be reused in another session.</li></ul></li>
309<li>Sessions automatically expire after 60 minutes.</li>
310<li>Sessions are protected against hijacking: the session ID cannot be used from a different IP address.</li>
311</ul>
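<p>The token rules listed above (server-generated, single use, bound to one session), shown as an added example that is not Shaarli's own code. The function names and the <code>random_bytes()</code> token format are assumptions, and a plain array stands in for <code>$_SESSION</code> so the script runs from the command line.</p>

```php
<?php
// Added example, not Shaarli's code. $session stands in for $_SESSION so the
// script runs from the CLI; function names are hypothetical.

// Issue a token and remember it in the session that rendered the form.
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(20)); // assumption: CSPRNG-based token
    $session['tokens'][$token] = true;
    return $token;
}

// Accept a posted token only if this session issued it, then forget it.
function consumeToken(array &$session, $posted): bool
{
    if (!is_string($posted) || !isset($session['tokens'][$posted])) {
        return false; // absent, unknown, from another session, or already used
    }
    unset($session['tokens'][$posted]); // single use
    return true;
}

// Small self-check helper: stop with an exception if an expectation fails.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

$sessionA = []; // constructed sessions for two different visitors
$sessionB = [];
$token = issueToken($sessionA);

check(!consumeToken($sessionA, null), 'form without a token is rejected');
check(!consumeToken($sessionB, $token), 'token is not valid in another session');
check(consumeToken($sessionA, $token), 'first use in the issuing session is accepted');
check(!consumeToken($sessionA, $token), 'second use of the same token is rejected');
```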
312<h2 id="shaarli-datastore-and-configuration">Shaarli datastore and configuration</h2>
313<ul>
314<li>The password is salted, hashed and stored in the data subdirectory, in a PHP file, and protected by htaccess. Even if the webserver does not support htaccess, the hash is not readable by URL. Even if the .php file is stolen, the password cannot be deduced from the hash. The salt prevents rainbow table attacks.</li>
315<li>Links are stored as an associative array which is serialized, compressed (with deflate), base64-encoded and saved as a comment in a <code>.php</code> file.</li>
316<li>Even if the server does not support <code>.htaccess</code> files, the data file will still not be readable by URL.</li>
317<li>The database looks like this:</li>
318</ul>
319<pre><code class="php">&lt;?php /* zP1ZjxxJtiYIvvevEPJ2lDOaLrZv7o...
320...ka7gaco/Z+TFXM2i7BlfMf8qxpaSSYfKlvqv/x8= */ ?&gt;
321</code></pre>
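<p>A round trip through the format described above (serialize, deflate, base64, PHP comment), as an added example that is not Shaarli's own code. The function names, the sample link and the <code>allowed_classes</code> restriction on <code>unserialize()</code> are assumptions introduced here.</p>

```php
<?php
// Added example, not Shaarli's code; function names and sample links are constructed.
const DB_PREFIX = '<?php /* ';
const DB_SUFFIX = ' */ ?>';

// serialize -> deflate -> base64, wrapped in a PHP comment. The base64
// alphabet has no '*', so the payload can never close the comment early.
function encodeDatastore(array $links): string
{
    return DB_PREFIX . base64_encode(gzdeflate(serialize($links))) . DB_SUFFIX;
}

// Reverse the steps, failing closed on anything that is not the expected format.
function decodeDatastore(string $file): array
{
    $file = trim($file);
    if (strpos($file, DB_PREFIX) !== 0 || substr($file, -strlen(DB_SUFFIX)) !== DB_SUFFIX) {
        throw new UnexpectedValueException('missing PHP comment wrapper');
    }
    $payload = substr($file, strlen(DB_PREFIX), -strlen(DB_SUFFIX));
    $deflated = base64_decode($payload, true); // strict: reject non-base64 bytes
    $serialized = $deflated === false ? false : @gzinflate($deflated);
    if ($serialized === false) {
        throw new UnexpectedValueException('payload is not base64 + deflate');
    }
    // Added hardening: never instantiate objects from stored data.
    $links = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($links)) {
        throw new UnexpectedValueException('payload is not a serialized array');
    }
    return $links;
}

$links = [ // constructed sample entry
    '20110923_150523' => ['title' => 'Example', 'url' => 'https://example.org/', 'private' => 1],
];
$file = encodeDatastore($links);
if (decodeDatastore($file) !== $links) {
    throw new RuntimeException('round trip changed the data');
}
try {
    decodeDatastore('<?php /* not*base64 */ ?>'); // constructed malformed file
    throw new RuntimeException('malformed file was accepted');
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo $file, "\n";
```

<p>When a web server runs this file through PHP, the interpreter sees only a comment and sends an empty response, which is why the data is not readable by URL even without <code>.htaccess</code>.</p>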
322
323<ul>
324<li>Small hashes are used to make a link to an entry in Shaarli. They are unique. In fact, the date of the item (e.g. <code>20110923_150523</code>) is hashed with CRC32, then converted to base64 and some characters are replaced. They are always 6 characters long and use only <code>A-Z a-z 0-9 - _</code> and <code>@</code>.</li>
325</ul>
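<p>The small-hash derivation above, with a format check for values arriving in a request, as an added example that is not Shaarli's own code. The choice of PHP's <code>crc32</code> hash variant, the exact character substitutions and both function names are assumptions, since the page names none of them.</p>

```php
<?php
// Added example, not Shaarli's code. Assumptions: PHP's 'crc32' hash variant
// and the '+' -> '-', '/' -> '_' substitutions; the page names neither.

function smallHash(string $date): string
{
    // CRC32 is 4 raw bytes; base64 of 4 bytes is 6 characters plus "==" padding.
    $b64 = rtrim(base64_encode(hash('crc32', $date, true)), '=');
    return strtr($b64, '+/', '-_'); // avoid characters that need URL encoding
}

// Validate a small hash taken from a request before using it as a lookup key.
// '@' is accepted because the page lists it in the alphabet.
function isSmallHash($value): bool
{
    return is_string($value) && preg_match('/\A[A-Za-z0-9_@-]{6}\z/', $value) === 1;
}

$hash = smallHash('20110923_150523'); // date format taken from the page

// The derivation is deterministic and always fits the documented shape.
if (!isSmallHash($hash) || $hash !== smallHash('20110923_150523')) {
    throw new RuntimeException('small hash does not match the documented format');
}

// Constructed malformed inputs: wrong length, path characters, trailing
// newline, non-string value.
foreach (['abc', '../dat', "abcdef\n", ['x'], $hash . 'A'] as $bad) {
    if (isSmallHash($bad)) {
        throw new RuntimeException('malformed value was accepted');
    }
}
echo $hash, "\n";
```

<p>Because the value is a 32-bit checksum of a timestamp, treat it as an identifier for a link and not as a secret.</p>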
326
327 </div>
328 </div>
329 <footer>
330
331 <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
332
333 <a href="../Static-analysis/" class="btn btn-neutral float-right" title="Static analysis">Next <span class="icon icon-circle-arrow-right"></span></a>
334
335
336 <a href="../Versioning-and-Branches/" class="btn btn-neutral" title="Versioning and Branches"><span class="icon icon-circle-arrow-left"></span> Previous</a>
337
338 </div>
339
340
341 <hr/>
342
343 <div role="contentinfo">
344 <!-- Copyright etc -->
345
346 </div>
347
348 Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
349</footer>
350
351 </div>
352 </div>
353
354 </section>
355
356 </div>
357
358 <div class="rst-versions" role="note" style="cursor: pointer">
359 <span class="rst-current-version" data-toggle="rst-current-version">
360
361 <a href="https://github.com/shaarli/Shaarli" class="fa fa-github" style="float: left; color: #fcfcfc"> GitHub</a>
362
363
364 <span><a href="../Versioning-and-Branches/" style="color: #fcfcfc;">&laquo; Previous</a></span>
365
366
367 <span style="margin-left: 15px"><a href="../Static-analysis/" style="color: #fcfcfc">Next &raquo;</a></span>
368
369 </span>
370</div>
371 <script src="../js/theme.js"></script>
372
373</body>
374</html>