author: VirtualTam <virtualtam@flibidi.net> 2017-08-05 11:56:24 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2017-08-05 11:56:24 +0200
commit: 43ad7c8e825057747ccf02049050b323878952a7
tree: 3160fd640c42f41a38d6c1df2cd4e020f87942ae /doc/md/Security.md
parent: b4ff0afb24db6e4cb3543bbd71f01bbb0716b144
documentation: fix rendering and internal references

This is mainly cleanup after switching from Github-flavoured Markdown rendered by Github Pages, to standard Markdown rendered by MkDocs.

Changed:
- rephrase some section titles

Fixed:
- list rendering (items, sub-items)
- code rendering
- quotes
- dead links

Removed:
- extraneous navigational elements

Signed-off-by: VirtualTam <virtualtam@flibidi.net>

Diffstat (limited to 'doc/md/Security.md')
-rw-r--r-- doc/md/Security.md 31
1 files changed, 16 insertions, 15 deletions
diff --git a/doc/md/Security.md b/doc/md/Security.md
index aec37fa0..36f629af 100644
--- a/doc/md/Security.md
+++ b/doc/md/Security.md
@@ -1,27 +1,28 @@
1## Client browser 1## Client browser
2* Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work 2- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work
3 3
4## PHP 4## PHP
5* `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts. 5- `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts.
6 6
7## Server and sessions 7## Server and sessions
8* Directories are protected using `.htaccess` files 8- Directories are protected using `.htaccess` files
9* Forms are protected against XSRF (Cross-site requests forgery): 9- Forms are protected against XSRF (Cross-site requests forgery):
10 * Forms which act on data (save,delete…) contain a token generated by the server. 10 - Forms which act on data (save,delete…) contain a token generated by the server.
11 * Any posted form which does not contain a valid token is rejected. 11 - Any posted form which does not contain a valid token is rejected.
12 * Any token can only be used once. 12 - Any token can only be used once.
13 * Tokens are attached to the session and cannot be reused in another session. 13 - Tokens are attached to the session and cannot be reused in another session.
14* Sessions automatically expire after 60 minutes. 14- Sessions automatically expire after 60 minutes.
15* Sessions are protected against hijacking: the session ID cannot be used from a different IP address. 15- Sessions are protected against hijacking: the session ID cannot be used from a different IP address.
16 16
17## Shaarli datastore and configuration 17## Shaarli datastore and configuration
18* The password is salted, hashed and stored in the data subdirectory, in a PHP file, and protected by htaccess. Even if the webserver does not support htaccess, the hash is not readable by URL. Even if the .php file is stolen, the password cannot deduced from the hash. The salt prevents rainbow-tables attacks. 18- The password is salted, hashed and stored in the data subdirectory, in a PHP file, and protected by htaccess. Even if the webserver does not support htaccess, the hash is not readable by URL. Even if the .php file is stolen, the password cannot deduced from the hash. The salt prevents rainbow-tables attacks.
19* Links are stored as an associative array which is serialized, compressed (with deflate), base64-encoded and saved as a comment in a `.php` file. 19- Links are stored as an associative array which is serialized, compressed (with deflate), base64-encoded and saved as a comment in a `.php` file.
20* Even if the server does not support `.htaccess` files, the data file will still not be readable by URL. 20- Even if the server does not support `.htaccess` files, the data file will still not be readable by URL.
21* The database looks like this: 21- The database looks like this:
22
22```php 23```php
23<?php /* zP1ZjxxJtiYIvvevEPJ2lDOaLrZv7o... 24<?php /* zP1ZjxxJtiYIvvevEPJ2lDOaLrZv7o...
24...ka7gaco/Z+TFXM2i7BlfMf8qxpaSSYfKlvqv/x8= */ ?> 25...ka7gaco/Z+TFXM2i7BlfMf8qxpaSSYfKlvqv/x8= */ ?>
25``` 26```
26 27
27* Small hashes are used to make a link to an entry in Shaarli. They are unique. In fact, the date of the items (eg. `20110923_150523`) is hashed with CRC32, then converted to base64 and some characters are replaced. They are always 6 characters longs and use only `A-Z a-z 0-9 - _` and `@`. 28- Small hashes are used to make a link to an entry in Shaarli. They are unique. In fact, the date of the items (eg. `20110923_150523`) is hashed with CRC32, then converted to base64 and some characters are replaced. They are always 6 characters longs and use only `A-Z a-z 0-9 - _` and `@`.
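
Review bot: the password bullet (new line 18) still reads "the password cannot deduced from the hash", and since this hunk rewrites that line anyway the missing "be" should be fixed here; the same applies to "6 characters longs" on new line 28, "an horrible" on line 5 and "Cross-site requests forgery" on line 9. Two carried-over claims are also worth tightening while every bullet is being touched: line 18 says the password is "salted, hashed" without naming the hash function, so a reader cannot judge the claim that the password cannot be recovered from a stolen file, and line 28 says small hashes "are unique" although they are derived from a CRC32 of the entry date, which is a 32-bit checksum and therefore makes collisions unlikely rather than impossible.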