diff options
author | nodiscc <nodiscc@gmail.com> | 2017-01-26 18:52:54 +0100 |
---|---|---|
committer | nodiscc <nodiscc@gmail.com> | 2017-06-18 00:19:49 +0200 |
commit | 53ed6d7d1e678d7486337ce67a2f17b30bac21ac (patch) | |
tree | f8bef0164a70bd03d2b9781951c01bdd018f1842 /doc/Security.html | |
parent | d5d22a6d07917865c44148ad76f43c65a929a890 (diff) | |
download | Shaarli-53ed6d7d1e678d7486337ce67a2f17b30bac21ac.tar.gz Shaarli-53ed6d7d1e678d7486337ce67a2f17b30bac21ac.tar.zst Shaarli-53ed6d7d1e678d7486337ce67a2f17b30bac21ac.zip |
Generate HTML documentation using MkDocs (WIP)
MkDocs is a static site generator geared towards building project documentation.
Documentation source files are written in Markdown, and configured with a single YAML file.
* http://www.mkdocs.org/
* http://www.mkdocs.org/user-guide/configuration/
Ref. #312
* remove pandoc-generated HTML documentation
* move markdown doc to doc/md/,
* mkdocs.yml:
* generate HTML doc in doc/html
* add pages TOC/ordering
* use index.md as index page
* Makefile: remove execute permissions from generated files
* Makefile: rewrite htmlpages GFM to markdown conversion using sed:
awk expression aslo matched '][' which causes invalid output on complex links with images or code blocks
* Add mkdocs.yml to .gitattributes, exclude this file from release archives
* Makefile: rename: htmldoc -> doc_html target
* run make doc: pull latest markdown documentation from wiki
* run make htmlpages: update html documentation
Diffstat (limited to 'doc/Security.html')
-rw-r--r-- | doc/Security.html | 135 |
1 files changed, 0 insertions, 135 deletions
diff --git a/doc/Security.html b/doc/Security.html deleted file mode 100644 index 12b46fa9..00000000 --- a/doc/Security.html +++ /dev/null | |||
@@ -1,135 +0,0 @@ | |||
1 | <!DOCTYPE html> | ||
2 | <html> | ||
3 | <head> | ||
4 | <meta charset="utf-8"> | ||
5 | <meta name="generator" content="pandoc"> | ||
6 | <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes"> | ||
7 | <title>Shaarli – Security</title> | ||
8 | <style type="text/css">code{white-space: pre;}</style> | ||
9 | <style type="text/css"> | ||
10 | div.sourceCode { overflow-x: auto; } | ||
11 | table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode { | ||
12 | margin: 0; padding: 0; vertical-align: baseline; border: none; } | ||
13 | table.sourceCode { width: 100%; line-height: 100%; } | ||
14 | td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; } | ||
15 | td.sourceCode { padding-left: 5px; } | ||
16 | code > span.kw { color: #007020; font-weight: bold; } /* Keyword */ | ||
17 | code > span.dt { color: #902000; } /* DataType */ | ||
18 | code > span.dv { color: #40a070; } /* DecVal */ | ||
19 | code > span.bn { color: #40a070; } /* BaseN */ | ||
20 | code > span.fl { color: #40a070; } /* Float */ | ||
21 | code > span.ch { color: #4070a0; } /* Char */ | ||
22 | code > span.st { color: #4070a0; } /* String */ | ||
23 | code > span.co { color: #60a0b0; font-style: italic; } /* Comment */ | ||
24 | code > span.ot { color: #007020; } /* Other */ | ||
25 | code > span.al { color: #ff0000; font-weight: bold; } /* Alert */ | ||
26 | code > span.fu { color: #06287e; } /* Function */ | ||
27 | code > span.er { color: #ff0000; font-weight: bold; } /* Error */ | ||
28 | code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ | ||
29 | code > span.cn { color: #880000; } /* Constant */ | ||
30 | code > span.sc { color: #4070a0; } /* SpecialChar */ | ||
31 | code > span.vs { color: #4070a0; } /* VerbatimString */ | ||
32 | code > span.ss { color: #bb6688; } /* SpecialString */ | ||
33 | code > span.im { } /* Import */ | ||
34 | code > span.va { color: #19177c; } /* Variable */ | ||
35 | code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ | ||
36 | code > span.op { color: #666666; } /* Operator */ | ||
37 | code > span.bu { } /* BuiltIn */ | ||
38 | code > span.ex { } /* Extension */ | ||
39 | code > span.pp { color: #bc7a00; } /* Preprocessor */ | ||
40 | code > span.at { color: #7d9029; } /* Attribute */ | ||
41 | code > span.do { color: #ba2121; font-style: italic; } /* Documentation */ | ||
42 | code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ | ||
43 | code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ | ||
44 | code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ | ||
45 | </style> | ||
46 | <link rel="stylesheet" href="github-markdown.css"> | ||
47 | <!--[if lt IE 9]> | ||
48 | <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script> | ||
49 | <![endif]--> | ||
50 | </head> | ||
51 | <body> | ||
52 | <div id="local-sidebar"> | ||
53 | <ul> | ||
54 | <li><a href="Home.html">Home</a></li> | ||
55 | <li>Setup | ||
56 | <ul> | ||
57 | <li><a href="Download-and-Installation.html">Download and Installation</a></li> | ||
58 | <li><a href="Upgrade-and-migration.html">Upgrade and migration</a></li> | ||
59 | <li><a href="Server-requirements.html">Server requirements</a></li> | ||
60 | <li><a href="Server-configuration.html">Server configuration</a></li> | ||
61 | <li><a href="Server-security.html">Server security</a></li> | ||
62 | <li><a href="Shaarli-configuration.html">Shaarli configuration</a></li> | ||
63 | <li><a href="Plugins.html">Plugins</a></li> | ||
64 | </ul></li> | ||
65 | <li><a href="Docker.html">Docker</a></li> | ||
66 | <li><a href="Usage.html">Usage</a> | ||
67 | <ul> | ||
68 | <li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li> | ||
69 | <li><a href="Browsing-and-Searching.html">Browsing and Searching</a></li> | ||
70 | <li><a href="Firefox-share.html">Firefox share</a></li> | ||
71 | <li><a href="RSS-feeds.html">RSS feeds</a></li> | ||
72 | <li><a href="REST-API.html">REST API</a></li> | ||
73 | </ul></li> | ||
74 | <li>How To | ||
75 | <ul> | ||
76 | <li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li> | ||
77 | <li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li> | ||
78 | <li><a href="Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)</a></li> | ||
79 | <li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li> | ||
80 | <li><a href="Datastore-hacks.html">Datastore hacks</a></li> | ||
81 | </ul></li> | ||
82 | <li><a href="Troubleshooting.html">Troubleshooting</a></li> | ||
83 | <li><a href="Development.html">Development</a> | ||
84 | <ul> | ||
85 | <li><a href="GnuPG-signature.html">GnuPG signature</a></li> | ||
86 | <li><a href="Coding-guidelines.html">Coding guidelines</a></li> | ||
87 | <li><a href="Directory-structure.html">Directory structure</a></li> | ||
88 | <li><a href="3rd-party-libraries.html">3rd party libraries</a></li> | ||
89 | <li><a href="Plugin-System.html">Plugin System</a></li> | ||
90 | <li><a href="Release-Shaarli.html">Release Shaarli</a></li> | ||
91 | <li><a href="Versioning-and-Branches.html">Versioning and Branches</a></li> | ||
92 | <li><a href="Security.html">Security</a></li> | ||
93 | <li><a href="Static-analysis.html">Static analysis</a></li> | ||
94 | <li><a href="Theming.html">Theming</a></li> | ||
95 | <li><a href="Unit-tests.html">Unit tests</a></li> | ||
96 | </ul></li> | ||
97 | <li>About | ||
98 | <ul> | ||
99 | <li><a href="FAQ.html">FAQ</a></li> | ||
100 | <li><a href="Community-&-Related-software.html">Community & Related software</a></li> | ||
101 | </ul></li> | ||
102 | </ul> | ||
103 | </div> | ||
104 | <h1 id="security">Security</h1> | ||
105 | <h2 id="client-browser">Client browser</h2> | ||
106 | <ul> | ||
107 | <li>Shaarli relies on <code>HTTP_REFERER</code> for some functions (like redirects and clicking on tags). If you have disabled or masqueraded <code>HTTP_REFERER</code> in your browser, some features of Shaarli may not work</li> | ||
108 | </ul> | ||
109 | <h2 id="php">PHP</h2> | ||
110 | <ul> | ||
111 | <li><code>magic_quotes</code> is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with <code>magic_quotes</code> on, so you should not be bothered even on crappy hosts.</li> | ||
112 | </ul> | ||
113 | <h2 id="server-and-sessions">Server and sessions</h2> | ||
114 | <ul> | ||
115 | <li>Directories are protected using <code>.htaccess</code> files</li> | ||
116 | <li>Forms are protected against XSRF (Cross-site requests forgery):</li> | ||
117 | <li>Forms which act on data (save,delete…) contain a token generated by the server.</li> | ||
118 | <li>Any posted form which does not contain a valid token is rejected.</li> | ||
119 | <li>Any token can only be used once.</li> | ||
120 | <li>Tokens are attached to the session and cannot be reused in another session.</li> | ||
121 | <li>Sessions automatically expire after 60 minutes.</li> | ||
122 | <li>Sessions are protected against hijacking: the session ID cannot be used from a different IP address.</li> | ||
123 | </ul> | ||
124 | <h2 id="shaarli-datastore-and-configuration">Shaarli datastore and configuration</h2> | ||
125 | <ul> | ||
126 | <li>The password is salted, hashed and stored in the data subdirectory, in a PHP file, and protected by htaccess. Even if the webserver does not support htaccess, the hash is not readable by URL. Even if the .php file is stolen, the password cannot deduced from the hash. The salt prevents rainbow-tables attacks.</li> | ||
127 | <li>Links are stored as an associative array which is serialized, compressed (with deflate), base64-encoded and saved as a comment in a <code>.php</code> file.</li> | ||
128 | <li>Even if the server does not support <code>.htaccess</code> files, the data file will still not be readable by URL.</li> | ||
129 | <li><p>The database looks like this:</p> | ||
130 | <div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw"><?php</span> <span class="co">/* zP1ZjxxJtiYIvvevEPJ2lDOaLrZv7o...</span> | ||
131 | <span class="co">...ka7gaco/Z+TFXM2i7BlfMf8qxpaSSYfKlvqv/x8= */</span> <span class="kw">?></span></code></pre></div></li> | ||
132 | <li><p>Small hashes are used to make a link to an entry in Shaarli. They are unique. In fact, the date of the items (eg. <code>20110923_150523</code>) is hashed with CRC32, then converted to base64 and some characters are replaced. They are always 6 characters longs and use only <code>A-Z a-z 0-9 - _</code> and <code>@</code>.</p></li> | ||
133 | </ul> | ||
134 | </body> | ||
135 | </html> | ||