doujugu1722 2011-09-15 18:28
Views: 50
Accepted

Using cURL to send and receive information: is this WP theme approach secure?

I'm working on a WordPress theme that includes an actual installation script of its own. So this is what happens:

1.) Users download theme.zip from mysite.

theme.zip does NOT contain the theme itself, it contains the installation script and all the required files to make the installation successful.

2.) Now the user will upload theme.zip to their server (using the WP dashboard).

3.) Once they've uploaded theme.zip, they will run the installation script, which requires a username and password that is stored in MY SQL db.

//the dodgy bit

Now here's what happens in the installation script.

Once the user has entered their username and password, some variables (the user's username, password and unique id number) will be sent to a PHP file on my server (using cURL). Then my server will look into the SQL db and select a certain row (using the unique id number sent earlier on) and check if the user's details are correct. If the details are correct, my server will then send some variables back (using JSON encode/decode) with a value of TRUE. Once the user's server has received the TRUE value it will continue. And if it receives a value of FALSE, it will then stop and throw an error.

Once the user has logged in successfully (my server sends back TRUE), then another cURL function will run.

This function will send a unique id to another PHP file on my server. The PHP file will then make a copy of a folder which is placed on my server and name the copy with the unique id number, so the duplicate folder will be called "265851654" (which contains all the theme's content); then the PHP script (on my server) will compress that folder into a .zip. Once the compression is complete, it will send some info (information on where the newly produced .zip is placed on the server, ready for download) back to the user's server.

The user's server will then use the info it received from my server to generate the download link and begin downloading the .zip file. Once the download has finished, another cURL function will be run. This function will do the same as the one just explained, but instead of building the .zip ready for download, it deletes the .zip.

Now it does a load of other stuff too, but that's all on the user's side.

Is this safe? As this theme will be available to EVERYONE, which means they will be able to see the cURL functions and all the other source code, which they can edit as they please.

If it's not safe, could you give me some advice to help prevent those evil people from messing around?

Thanks!


1 answer

  • dqroktbn005028 2011-09-15 18:58

    A few things you should keep in mind:

    • Make sure the request within the script calling cURL with certain arguments stops or is blocked by the server (let's say, for 1 hr) if the identification fails 5 consecutive times.
    • Make sure your cURL script also contains proxy variables like IP, username and password. There are a lot of configurations out there requiring these.
    • Create an md5sum file for each downloaded script and save it on your disk. Compare the md5sum from the file on disk with the newly created one. Make sure the next user asking for the same file will download the already created one and not create a new one, since it won't load the server.
    • Try to secure your PHP script on the server with 2 distinct identifications (like username/password works). This will make it less easy for evil ppl to find a path into your server.

    I'm sure there is a lot of other stuff, but that's all that's on my mind now.

    This answer was selected as the best answer by the asker.

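An added example, not the asker's or the answerer's code, of what the server-side credential-check endpoint described in the question could look like with the lockout from the answer's first bullet built in. It assumes a `licenses` table with columns id, username, password_hash, failed_attempts and locked_until, a server-only secret in the THEME_SIGNING_KEY environment variable, the DSN shown, and PHP 7 or later.

```php
<?php
// Added example, not the asker's code: the credential-check endpoint described in
// the question, hardened. Assumes a licenses table (id, username, password_hash,
// failed_attempts, locked_until) and a server-only secret in THEME_SIGNING_KEY.
declare(strict_types=1);
header('Content-Type: application/json');
const MAX_FAILURES = 5;     // lockout threshold the answer suggests
const LOCKOUT_SECS = 3600;  // one hour
const TOKEN_TTL    = 300;   // download token lives 5 minutes
$signingKey = getenv('THEME_SIGNING_KEY') ?: 'REPLACE-WITH-LONG-RANDOM-SECRET';
function fail(string $reason): void {
    echo json_encode(['ok' => false, 'error' => $reason]);  // one shape for every failure
    exit;
}
// Credentials must only travel over TLS; plain HTTP exposes them on every hop.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    fail('https_required');
}
$pdo = new PDO('mysql:host=localhost;dbname=themes', 'app', 'db-password'); // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$id   = (int)($_POST['id'] ?? 0);
$user = (string)($_POST['username'] ?? '');
$pass = (string)($_POST['password'] ?? '');

// Prepared statement: id and username arrive from an untrusted, user-editable client.
$stmt = $pdo->prepare('SELECT password_hash, failed_attempts, locked_until FROM licenses WHERE id = ? AND username = ?');
$stmt->execute([$id, $user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row && $row['locked_until'] !== null && strtotime($row['locked_until']) > time()) {
    fail('locked');
}
// Compare against a stored password_hash() value, never a plaintext password column.
if (!$row || !password_verify($pass, $row['password_hash'])) {
    if ($row) {   // count the failure; the 5th consecutive one locks the id for an hour
        $n = $row['failed_attempts'] + 1;
        $until = $n >= MAX_FAILURES ? date('Y-m-d H:i:s', time() + LOCKOUT_SECS) : null;
        $pdo->prepare('UPDATE licenses SET failed_attempts = ?, locked_until = ? WHERE id = ?')
            ->execute([$n >= MAX_FAILURES ? 0 : $n, $until, $id]);
    }
    fail('invalid_credentials');
}
$pdo->prepare('UPDATE licenses SET failed_attempts = 0, locked_until = NULL WHERE id = ?')->execute([$id]);

// Return a short-lived HMAC token that the download endpoint re-verifies server-side,
// rather than a bare TRUE that the client is trusted to honour.
$exp   = time() + TOKEN_TTL;
$token = "$id|$exp|" . hash_hmac('sha256', "$id|$exp", $signingKey);
echo json_encode(['ok' => true, 'token' => $token]);
```

The zip-building endpoint would split the token on `|`, recompute the HMAC with `hash_equals()` and refuse expired or mismatched tokens before doing any work, so editing the theme's copy of the cURL calls gains a user nothing beyond their own valid credentials.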