git.immae.eu Git - github/shaarli/Shaarli.git/blame - doc/html/Security/index.html
doc: rename "datastore hacks" -> "various hacks", move example scripts to gist.github...
<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">

  <link rel="shortcut icon" href="../img/favicon.ico">
  <title>Security - Shaarli Documentation</title>
  <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>

  <link rel="stylesheet" href="../css/theme.css" type="text/css" />
  <link rel="stylesheet" href="../css/theme_extra.css" type="text/css" />
  <link rel="stylesheet" href="../css/highlight.css">
  <link href="../github-markdown.css" rel="stylesheet">

  <script>
    // Current page data
    var mkdocs_page_name = "Security";
    var mkdocs_page_input_path = "Security.md";
    var mkdocs_page_url = "/Security/";
  </script>

  <script src="../js/jquery-2.1.1.min.js"></script>
  <script src="../js/modernizr-2.8.3.min.js"></script>
  <script type="text/javascript" src="../js/highlight.pack.js"></script>

</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
      <div class="wy-side-nav-search">
        <a href=".." class="icon icon-home"> Shaarli Documentation</a>
        <div role="search">
          <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
            <input type="text" name="q" placeholder="Search docs" />
          </form>
        </div>
      </div>

      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
        <ul class="current">
          <li class="toctree-l1">
            <a class="" href="..">Home</a>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">Setup</span>
            <ul class="subnav">
              <li class=""><a class="" href="../Download-and-Installation/">Download and Installation</a></li>
              <li class=""><a class="" href="../Upgrade-and-migration/">Upgrade and migration</a></li>
              <li class=""><a class="" href="../Server-requirements/">Server requirements</a></li>
              <li class=""><a class="" href="../Server-configuration/">Server configuration</a></li>
              <li class=""><a class="" href="../Server-security/">Server security</a></li>
              <li class=""><a class="" href="../Shaarli-configuration/">Shaarli configuration</a></li>
              <li class=""><a class="" href="../Plugins/">Plugins</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">Docker</span>
            <ul class="subnav">
              <li class=""><a class="" href="../Docker-101/">Docker 101</a></li>
              <li class=""><a class="" href="../Shaarli-images/">Shaarli images</a></li>
              <li class=""><a class="" href="../Reverse-proxy-configuration/">Reverse proxy configuration</a></li>
              <li class=""><a class="" href="../Docker-resources/">Docker resources</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">Usage</span>
            <ul class="subnav">
              <li class=""><a class="" href="../Features/">Features</a></li>
              <li class=""><a class="" href="../Bookmarklet/">Bookmarklet</a></li>
              <li class=""><a class="" href="../Browsing-and-searching/">Browsing and searching</a></li>
              <li class=""><a class="" href="../Firefox-share/">Firefox share</a></li>
              <li class=""><a class="" href="../RSS-feeds/">RSS feeds</a></li>
              <li class=""><a class="" href="../REST-API/">REST API</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">How To</span>
            <ul class="subnav">
              <li class=""><a class="" href="../Backup,-restore,-import-and-export/">Backup, restore, import and export</a></li>
              <li class=""><a class="" href="../Copy-an-existing-installation-over-SSH-and-serve-it-locally/">Copy an existing installation over SSH and serve it locally</a></li>
              <li class=""><a class="" href="../Create-and-serve-multiple-Shaarlis-(farm)/">Create and serve multiple Shaarlis (farm)</a></li>
              <li class=""><a class="" href="../Download-CSS-styles-from-an-OPML-list/">Download CSS styles from an OPML list</a></li>
              <li class=""><a class="" href="../Datastore-hacks/">Datastore hacks</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <a class="" href="../Troubleshooting/">Troubleshooting</a>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">Development</span>
            <ul class="subnav">
              <li class=""><a class="" href="../Development-guidelines/">Development guidelines</a></li>
              <li class=""><a class="" href="../Continuous-integration-tools/">Continuous integration tools</a></li>
              <li class=""><a class="" href="../GnuPG-signature/">GnuPG signature</a></li>
              <li class=""><a class="" href="../Coding-guidelines/">Coding guidelines</a></li>
              <li class=""><a class="" href="../Directory-structure/">Directory structure</a></li>
              <li class=""><a class="" href="../3rd-party-libraries/">3rd party libraries</a></li>
              <li class=""><a class="" href="../Plugin-System/">Plugin System</a></li>
              <li class=""><a class="" href="../Release-Shaarli/">Release Shaarli</a></li>
              <li class=""><a class="" href="../Versioning-and-Branches/">Versioning and Branches</a></li>
              <li class=" current">
                <a class="current" href="./">Security</a>
                <ul class="subnav">
                  <li class="toctree-l3"><a href="#client-browser">Client browser</a></li>
                  <li class="toctree-l3"><a href="#php">PHP</a></li>
                  <li class="toctree-l3"><a href="#server-and-sessions">Server and sessions</a></li>
                  <li class="toctree-l3"><a href="#shaarli-datastore-and-configuration">Shaarli datastore and configuration</a></li>
                </ul>
              </li>
              <li class=""><a class="" href="../Static-analysis/">Static analysis</a></li>
              <li class=""><a class="" href="../Theming/">Theming</a></li>
              <li class=""><a class="" href="../Unit-tests/">Unit tests</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">About</span>
            <ul class="subnav">
              <li class=""><a class="" href="../FAQ/">FAQ</a></li>
              <li class=""><a class="" href="../Community-&-Related-software/">Community & Related software</a></li>
            </ul>
          </li>
        </ul>
      </div>
      &nbsp;
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="..">Shaarli Documentation</a>
      </nav>

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="main">
            <div class="section">

<h2 id="client-browser">Client browser</h2>
<ul>
<li>Shaarli relies on the HTTP <code>Referer</code> header (<code>HTTP_REFERER</code> on the PHP side) for some functions, such as sending you back to the page you came from after an action and filtering when you click on a tag. If your browser, a privacy extension or a proxy strips or spoofs the <code>Referer</code> header, those features may not work. Since the header is entirely client-controlled, it can only ever serve as a navigation hint, never as proof of where a request came from.</li>
</ul>
<h2 id="php">PHP</h2>
<ul>
<li><code>magic_quotes</code> is a horrible PHP option which is often enabled on shared hosts: it silently adds backslashes to every value in <code>$_GET</code>, <code>$_POST</code> and <code>$_COOKIE</code>. No serious developer should rely on this horror to secure their code against SQL injection; it is neither complete nor applied where the data is actually used. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with <code>magic_quotes</code> being on, so you should not be bothered even on crappy hosts. Note that <code>magic_quotes_gpc</code> was removed in PHP 5.4, so this only matters on very old PHP versions.</li>
</ul>
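<p>As an added example (not Shaarli's own code), here is the kind of compatibility shim the bullet above describes: it detects <code>magic_quotes_gpc</code> and strips the backslashes it added from request input, recursively, so the application only ever sees raw values. The function names are this example's own; the <code>function_exists</code> guard is there because <code>get_magic_quotes_gpc()</code> no longer exists in PHP 8.</p>

```php
<?php
// Added example, not Shaarli's own code: undo magic_quotes_gpc on request input.
// magic_quotes_gpc prepended a backslash to ' " \ and NUL in $_GET/$_POST/$_COOKIE.
// It was removed in PHP 5.4; get_magic_quotes_gpc() itself is gone in PHP 8,
// hence the function_exists() guard and the @ (it is E_DEPRECATED in 7.4).

/**
 * Recursively strip the slashes that magic_quotes_gpc added to a value or array.
 */
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Normalise the superglobals once, at startup, so the rest of the application
 * always works on raw input whatever the host's magic_quotes setting.
 */
function normaliseRequestInput()
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $_GET    = undoMagicQuotes($_GET);
        $_POST   = undoMagicQuotes($_POST);
        $_COOKIE = undoMagicQuotes($_COOKIE);
    }
}

// Constructed sample: what a magic_quotes host would hand over for the title
//   O'Reilly "Books"   and the tags   c'est / plain
$escaped = [
    'title' => 'O\\\'Reilly \\"Books\\"',
    'tags'  => ['c\\\'est', 'plain'],
];
print_r(undoMagicQuotes($escaped));
// [title] => O'Reilly "Books"   [tags] => Array ( [0] => c'est [1] => plain )
```

Call <code>normaliseRequestInput()</code> once before any input is read; doing it in two places would strip legitimate backslashes a second time.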
<h2 id="server-and-sessions">Server and sessions</h2>
<ul>
<li>Directories are protected using <code>.htaccess</code> files. These are only honoured by Apache (with <code>AllowOverride</code> enabled); on other web servers the equivalent access rules must be configured by hand, see <a href="../Server-configuration/">Server configuration</a> and <a href="../Server-security/">Server security</a>.</li>
<li>Forms are protected against XSRF (cross-site request forgery):
<ul>
<li>Forms which act on data (save, delete, …) contain a token generated by the server.</li>
<li>Any posted form which does not contain a valid token is rejected.</li>
<li>Any token can only be used once.</li>
<li>Tokens are attached to the session and cannot be reused in another session.</li>
</ul>
</li>
<li>Sessions automatically expire after 60 minutes.</li>
<li>Sessions are protected against hijacking: the session ID is bound to the client's IP address and cannot be used from a different one. Note that this does not help against an attacker who shares the victim's public address (same NAT or proxy), and that users whose address changes mid-session, e.g. on mobile networks, will be logged out.</li>
</ul>
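<p>The session and XSRF rules above, written out as an added example. This is not Shaarli's own code: the helper names, the session keys, the 60-minute constant and the redirect URL are this example's choices.</p>

```php
<?php
// Added example, not Shaarli's own code: the session and XSRF-token rules from the
// list above as stand-alone helpers. Names and session layout are this example's.

const SESSION_LIFETIME = 3600;   // 60 minutes, as documented

/**
 * Start (or resume) the session and enforce the two session rules:
 *  - expire after SESSION_LIFETIME seconds,
 *  - refuse a session ID presented from a different IP than the one that created it.
 * Returns true if the session is usable, false if it had to be destroyed.
 */
function startHardenedSession()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['ip'])) {                    // brand-new session
        $_SESSION['ip']         = $ip;
        $_SESSION['expires_on'] = $now + SESSION_LIFETIME;
        $_SESSION['tokens']     = [];
        return true;
    }
    if ($_SESSION['ip'] !== $ip || $now > $_SESSION['expires_on']) {
        // Session ID replayed from another address, or stale session: drop everything.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['expires_on'] = $now + SESSION_LIFETIME;  // sliding expiry
    return true;
}

/**
 * Issue a fresh token to embed in a form that acts on data.
 * Tokens live only in the server-side session, so another session cannot reuse them.
 */
function getToken()
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG: unguessable
    $_SESSION['tokens'][$token] = 1;
    return $token;
}

/**
 * Check a posted token. A valid token is consumed on the spot (one use only);
 * anything unknown is rejected. hash_equals() keeps the comparison constant-time.
 */
function tokenOk($token)
{
    if (!is_string($token) || empty($_SESSION['tokens'])) {
        return false;
    }
    foreach (array_keys($_SESSION['tokens']) as $known) {
        if (hash_equals((string) $known, $token)) {
            unset($_SESSION['tokens'][$known]);   // burn it
            return true;
        }
    }
    return false;
}

// Usage, as the handler for a "delete" form might do it (URL is illustrative):
// if (!startHardenedSession()) { header('Location: ?do=login'); exit; }
// if (!tokenOk($_POST['token'] ?? null)) { http_response_code(403); exit('Wrong token.'); }
// ... perform the deletion ...
// When rendering the form: <input type="hidden" name="token" value="<?= getToken() ?>">
```

Tokens are only ever compared against what this session stored, so a token captured from one session is worthless in another, and every successful check removes the token, so a replayed request fails.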
<h2 id="shaarli-datastore-and-configuration">Shaarli datastore and configuration</h2>
<ul>
<li>The password is salted, hashed and stored in the <code>data</code> subdirectory, in a <code>.php</code> file, and protected by <code>.htaccess</code>. Even if the web server does not honour <code>.htaccess</code>, the hash is not readable by URL: requesting the file makes PHP execute it, and it outputs nothing. Even if the <code>.php</code> file is stolen, the password cannot be read back from the hash. The salt prevents rainbow-table attacks (precomputed hash tables); it does not prevent an offline brute force of a stolen hash, so the password still has to be a strong one.</li>
<li>Links are stored as an associative array which is serialized, compressed (with deflate), base64-encoded and saved as a comment in a <code>.php</code> file.</li>
<li>Even if the server does not support <code>.htaccess</code> files, the data file will still not be readable by URL, for the same reason: PHP executes the file, and a file that contains only a comment produces no output. This holds only while the server really passes <code>.php</code> files in that directory to PHP; if PHP handling is disabled or misconfigured, the raw file is served, which is why the <code>.htaccess</code> (or equivalent) deny rule should stay in place as well.</li>
<li>The database looks like this:</li>
</ul>
<pre><code class="php">&lt;?php /* zP1ZjxxJtiYIvvevEPJ2lDOaLrZv7o...
...ka7gaco/Z+TFXM2i7BlfMf8qxpaSSYfKlvqv/x8= */ ?&gt;
</code></pre>
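<p>An added example (not Shaarli's own code) that writes and reads a datastore in exactly this format (serialize, deflate, base64, PHP comment) and shows why the file is harmless when served: its only PHP content is a comment. The helper names, the temporary file path and the sample entry are this example's own; the <code>allowed_classes</code> restriction on <code>unserialize</code> is this example's hardening, not something the page states Shaarli does.</p>

```php
<?php
// Added example, not Shaarli's own code: write and read a datastore in the format
// described above: serialize -> deflate -> base64 -> PHP comment.

const DATASTORE_PREFIX = '<?php /* ';
const DATASTORE_SUFFIX = ' */ ?>';

/**
 * Persist an associative array of links as a .php file that, if the web server
 * ever executes it, outputs nothing: the whole body is a comment. base64 never
 * produces '*', so the blob cannot close the comment early.
 */
function saveDatastore($path, array $links)
{
    $blob = base64_encode(gzdeflate(serialize($links)));
    return file_put_contents($path, DATASTORE_PREFIX . $blob . DATASTORE_SUFFIX, LOCK_EX) !== false;
}

/**
 * Read the file back. Returns an empty array when the file is missing or does not
 * carry the expected wrapper, and throws if the payload itself is corrupt.
 */
function loadDatastore($path)
{
    if (!is_file($path)) {
        return [];
    }
    $raw   = (string) file_get_contents($path);
    $start = strlen(DATASTORE_PREFIX);
    $len   = strlen($raw) - $start - strlen(DATASTORE_SUFFIX);
    if ($len <= 0 || strncmp($raw, DATASTORE_PREFIX, $start) !== 0
        || substr($raw, -strlen(DATASTORE_SUFFIX)) !== DATASTORE_SUFFIX) {
        return [];
    }
    $packed = base64_decode(substr($raw, $start, $len), true);
    $data   = $packed === false ? false : gzinflate($packed);
    if ($data === false) {
        throw new RuntimeException("Corrupt datastore: $path");
    }
    // allowed_classes => false: this file is data; a tampered copy must never be
    // able to instantiate objects (PHP object injection) through unserialize().
    $links = unserialize($data, ['allowed_classes' => false]);
    return is_array($links) ? $links : [];
}

// Constructed sample entry; field names are illustrative.
$links = [
    '20110923_150523' => [
        'title'       => 'Example',
        'url'         => 'https://example.com/',
        'description' => "A note with a 'quote' and unicode é",
        'private'     => 0,
        'tags'        => 'demo security',
    ],
];
$file = sys_get_temp_dir() . '/datastore.php';
saveDatastore($file, $links);
var_dump(loadDatastore($file) === $links);   // bool(true)
unlink($file);
```

The same reasoning covers the configuration file holding the password hash: as long as PHP executes it and it prints nothing, a direct request returns an empty page, and the <code>.htaccess</code> deny rule is the second layer for servers where that assumption fails.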

<ul>
<li>Small hashes are used to make a short link to an entry in Shaarli. They are unique per entry (as unique as a 32-bit CRC can be: collisions are possible in principle). In fact, the date of the item (e.g. <code>20110923_150523</code>) is hashed with CRC32, then base64-encoded, and a few characters are replaced so the result is URL-safe. They are always 6 characters long and use only <code>A-Z a-z 0-9 - _</code> and <code>@</code>. Since CRC32 is not a cryptographic hash and the input is just the creation date, anyone can compute the small hash of an entry: it is a short identifier, not a secret or an access control.</li>
</ul>
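<p>An added example, built from the description above rather than copied from Shaarli: which CRC32 flavour and which replacement characters Shaarli actually uses is not stated on this page, so this example assumes PHP's <code>hash('crc32')</code> and maps <code>+ / =</code> to <code>- _ @</code>, which yields exactly the documented length and alphabet. The second half shows what "not a secret" means in practice: a short link can be mapped back to its creation time by enumerating dates.</p>

```php
<?php
// Added example, not Shaarli's own code. Assumptions: PHP's hash('crc32') for the
// CRC, and the replacement map + -> -, / -> _, = -> @ (the '=' case never occurs
// because the padding is trimmed first, but it keeps the documented alphabet).

/**
 * 4 CRC bytes -> 8 base64 chars ("xxxxxx==") -> 6 chars after dropping the padding.
 */
function smallHash($text)
{
    $b64 = base64_encode(hash('crc32', $text, true));   // raw 4-byte digest
    $b64 = rtrim($b64, '=');                            // always 6 chars left
    return strtr($b64, '+/=', '-_@');                   // URL-safe alphabet
}

/**
 * Validate a small hash taken from the URL before using it as a lookup key.
 */
function isSmallHash($candidate)
{
    return is_string($candidate) && preg_match('/^[A-Za-z0-9_@-]{6}$/', $candidate) === 1;
}

$h = smallHash('20110923_150523');
var_dump(strlen($h) === 6, isSmallHash($h));   // bool(true) bool(true)

// Predictability: the input is only the creation date, so one can enumerate
// candidate dates and match a given hash, here within one minute of timestamps.
$target = $h;
for ($t = strtotime('2011-09-23 15:05:00'); $t < strtotime('2011-09-23 15:06:00'); $t++) {
    $date = date('Ymd_His', $t);
    if (smallHash($date) === $target) {
        echo "hash $target belongs to the entry created at $date\n";
    }
}
```

The lookup key should still be validated with <code>isSmallHash()</code> before it touches the datastore; a 32-bit CRC also means that, among many entries, two dates can share a hash, so code that resolves a small hash has to tolerate more than one match.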

            </div>
          </div>
          <footer>

            <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
              <a href="../Static-analysis/" class="btn btn-neutral float-right" title="Static analysis">Next <span class="icon icon-circle-arrow-right"></span></a>
              <a href="../Versioning-and-Branches/" class="btn btn-neutral" title="Versioning and Branches"><span class="icon icon-circle-arrow-left"></span> Previous</a>
            </div>

            <hr/>

            <div role="contentinfo">
              <!-- Copyright etc -->
            </div>

            Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
          </footer>

        </div>
      </div>

    </section>

  </div>

  <div class="rst-versions" role="note" style="cursor: pointer">
    <span class="rst-current-version" data-toggle="rst-current-version">
      <a href="https://github.com/shaarli/Shaarli" class="fa fa-github" style="float: left; color: #fcfcfc"> GitHub</a>
      <span><a href="../Versioning-and-Branches/" style="color: #fcfcfc;">&laquo; Previous</a></span>
      <span style="margin-left: 15px"><a href="../Static-analysis/" style="color: #fcfcfc">Next &raquo;</a></span>
    </span>
  </div>
  <script src="../js/theme.js"></script>

</body>
</html>