公司对充值类项目进行重构,之前选择的是resin3.0.25的容器。
之前已经做过几个项目的重构了,选择了resin3.1.10的版本,遂建议充值项目选用此版本。
以版本越高,性能越好,越稳定为理由进行游说,遭到充值小同学的拒绝。期望提供具体优化点和评估报告。
查阅了resin的官网,摘选了一些resin3.1.10在web app容器方面的提升,如下:(挑了些重点,分属于各个小版本的优化)
• session: boundary issues over 4M session (rep by Chris Pratt)
• server: stack trace incorrectly displaed for bad request response (rep by Vinod Mehra, #3359)
• servlet: run-at race condition on web-app restart (rep by stbu, #3342)
• mod_caucho: socket drop issue (rep by Mathias Jansson)
• jms: btree split off-by-one issue (#3287, rep by tyson weihs)
• jms: file missing primary declaration (#3287, rep by tyson weihs)
• server: cron syntax not properly handling day of week (#3248, rep by mate)
• jsp: backport of JspCompileResource parallel compile (#2987, rep by stbu)
• memory: DispatchRequest._invocation needs to be cleared (rep by Mattias Jiderhamn)
• (2008-11-17) thread: thread pool load smoothing (rep by Martin Thompson)
• jsp: content after forward should be ignored (#2748, rep by Vinod Mehra)
• database: after connection error in XA, the returned connection must still be the same object (#2708, rep by Takahiro Fukuda)
• security: custom ip-constraint extension IoC configuration issues (#2718, rep by Alex Victoria)
提交给CUT部门,期望提供resin3.1.10和3.0.25在安全方面的对比,如下:
[table]
|Version |Vulnerability Type |Content |Risk |Advice
|"Resin 3.1.10
(2010.2.23)" |1、xss(跨站)2、Directory Traversal(目录遍历)3、Bypass(文件扩展名创建绕过)|1、Resin-admin/digest.php 跨站漏洞2、Resin中的PHP5引擎Quercus可以遍历目录3、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建|Medium|1.1、改掉后台管理地址为不常用地址1.2、同时对管理后台进行访问控制2、不解析PHP应用没有问题3、不解析PHP应用没有问题
|"Resin 3.1.12
(2011.8.29)"|1、Directory Traversal(目录遍历)2、Bypass(文件扩展名创建绕过)|1、Resin中的PHP5引擎Quercus可以遍历目录2、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建|Medium|1、不解析PHP应用没有问题2、不解析PHP应用没有问题
[/table]
之前已经做过几个项目的重构了,选择了resin3.1.10的版本,遂建议充值项目选用此版本。
以版本越高,性能越好,越稳定为理由进行游说,遭到充值小同学的拒绝。期望提供具体优化点和评估报告。
查阅了resin的官网,摘选了一些resin3.1.10在web app容器方面的提升,如下:(挑了些重点,分属于各个小版本的优化)
• session: boundary issues over 4M session (rep by Chris Pratt)
• server: stack trace incorrectly displaed for bad request response (rep by Vinod Mehra, #3359)
• servlet: run-at race condition on web-app restart (rep by stbu, #3342)
• mod_caucho: socket drop issue (rep by Mathias Jansson)
• jms: btree split off-by-one issue (#3287, rep by tyson weihs)
• jms: file missing primary declaration (#3287, rep by tyson weihs)
• server: cron syntax not properly handling day of week (#3248, rep by mate)
• jsp: backport of JspCompileResource parallel compile (#2987, rep by stbu)
• memory: DispatchRequest._invocation needs to be cleared (rep by Mattias Jiderhamn)
• (2008-11-17) thread: thread pool load smoothing (rep by Martin Thompson)
• jsp: content after forward should be ignored (#2748, rep by Vinod Mehra)
• database: after connection error in XA, the returned connection must still be the same object (#2708, rep by Takahiro Fukuda)
• security: custom ip-constraint extension IoC configuration issues (#2718, rep by Alex Victoria)
提交给CUT部门,期望提供resin3.1.10和3.0.25在安全方面的对比,如下:
[table]
|Version |Vulnerability Type |Content |Risk |Advice
|"Resin 3.1.10
(2010.2.23)" |1、xss(跨站)2、Directory Traversal(目录遍历)3、Bypass(文件扩展名创建绕过)|1、Resin-admin/digest.php 跨站漏洞2、Resin中的PHP5引擎Quercus可以遍历目录3、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建|Medium|1.1、改掉后台管理地址为不常用地址1.2、同时对管理后台进行访问控制2、不解析PHP应用没有问题3、不解析PHP应用没有问题
|"Resin 3.1.12
(2011.8.29)"|1、Directory Traversal(目录遍历)2、Bypass(文件扩展名创建绕过)|1、Resin中的PHP5引擎Quercus可以遍历目录2、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建|Medium|1、不解析PHP应用没有问题2、不解析PHP应用没有问题
[/table]
332
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
