This repository has been archived by the owner on Oct 17, 2024. It is now read-only.

Checklist For Safety

scil edited this page Sep 16, 2018 · 49 revisions
  • The header of a GET request must be smaller than 8KB (a restriction imposed by Swoole); a big Cookie will cause parsing of $_COOKIE to fail.

non-allowed functions

  • exit()

  • die()

  • header(); use the Laravel API: $response->header

  • setcookie(); use the Laravel API: $response->cookie

  • session_start/session_create_id ..., so Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage is not allowed. Use the Laravel API.

  • http_response_code(); use the Laravel API, like setStatusCode(404); or abort(404);

#!/usr/bin/env bash

# simple bash script to check for the related functions

package_dir=vendor/mcamara/laravel-localization/src

# find: exit( die( header( setcookie( setrawcookie( session_start( http_response_code(
# but ignore: >header, e.g. $request->header('Accept-Language')
# (^|[^>]) also catches a header( call that starts a line
grep -H -n -r -E "\bexit\(|\bdie\(|(^|[^>])header\(|\bsetcookie\(|\bsetrawcookie\(|\bsession_start\(|\bhttp_response_code\(" "$package_dir"

non-allowed functions in some cases

  • flush()/ob_flush()/ob_end_flush()/ob_implicit_flush() for a Laravel response; only use the Laravel API
  • include_once/require_once when including PHP code files which are not about class/interface/trait/function; see include_once/require_once (To include the files about class/interface/trait/function)

# all four flush functions listed above
grep -H -n -r -E "\bflush\(|\bob_flush\(|\bob_end_flush\(|\bob_implicit_flush\(" "$package_dir"
# include_once/require_once are usually written without parentheses, so match the bare keyword
grep -H -n -r -E "\b(include_once|require_once)\b" "$package_dir"

Constants

  • Constants should keep the same value in all requests.

Coroutine

  • decide whether to use coroutine

A. no coroutine

  • const LARAVELFLY_COROUTINE = false; in fly.conf.php

  • A restore may be needed if ini_set(), setlocale(), set_include_path(), set_exception_handler() or set_error_handler() is used in a request.
    A restore is not always necessary; for example, mcamara/laravel-localization runs setlocale(LC_TIME, $regional . $suffix); in each request and does not need a restore.

grep  -H -n -r -E "\bini_set\(|\bsetlocale\(|\bset_include_path\(|\bset_exception_handler\(|\bset_error_handler\("  $package_dir

B. using coroutine

  • const LARAVELFLY_COROUTINE = true; in fly.conf.php

  • do not use $_GET or $_POST

  • $_SERVER can only be used to fetch server info, not client info

  • ini_set(), setlocale(), set_include_path(), set_exception_handler() and set_error_handler() can only be used on the worker (before any requests), not in any request.
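
The function checks from the sections above, combined into one pass and grouped by checklist category, as an added example that is not LaravelFly's own code. It also flags `exit;` and `require_once 'file.php';` written without parentheses, and the superglobals from the coroutine rules. The category labels, function names, report format and the sample PHP file are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not LaravelFly's own code: one audit pass over the checklist.
# Category labels, function names and report format are assumptions.

# Prefix that skips method calls and longer names: $request->header(, my_exit(
P='(^|[^>$_[:alnum:]])'

# Emits "<category> <extended regex>" lines built from the checklist items.
rules() {
  printf '%s %s\n' \
    forbidden   "$P"'((exit|die)[[:space:]]*[(;]|(header|setcookie|setrawcookie|session_start|session_create_id|http_response_code)[[:space:]]*\()' \
    conditional "$P"'((flush|ob_flush|ob_end_flush|ob_implicit_flush)[[:space:]]*\(|(include_once|require_once)[^_[:alnum:]])' \
    restore     "$P"'(ini_set|setlocale|set_include_path|set_exception_handler|set_error_handler)[[:space:]]*\(' \
    coroutine   '\$_(GET|POST|SERVER)([^_[:alnum:]]|$)'
}

# audit <dir>: prints "category:file:line:source" for every hit in *.php files.
# -i because PHP function names are case-insensitive; hits in comments or
# strings are reported too and need manual triage.
audit() {
  rules | while read -r category regex; do
    grep -rHnIEi --include='*.php' -e "$regex" "$1" | sed "s/^/$category:/"
  done
}

# Constructed sample input: writes one PHP file and prints its directory.
sample() {
  d=$(mktemp -d) && cat > "$d/Demo.php" <<'EOF'
<?php
$lang = $request->header('Accept-Language');
header('X-Demo: 1');
if (!$ok) exit;
require_once __DIR__ . '/helpers.php';
setlocale(LC_TIME, 'en_US.utf8');
$id = $_GET['id'];
ob_end_flush();
EOF
  echo "$d"
}

# Audit the directory given as $1, or the constructed sample when none is given.
audit "${1:-$(sample)}"
```

A `restore` hit matters in both modes: without coroutine it may need a restore, with coroutine it must move to the worker. A `coroutine` hit on `$_SERVER` is only a problem when it reads client info.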

Third-party or your own service providers

Across service providers

By default, a third-party service provider is treated as an 'across' service provider: registered on the worker and booted in each request.

  • If your routes defined in web.php or api.php use a third-party service, ensure App\Providers\RouteServiceProvider::class => 'across', in 'providers_on_worker' in config/laravelfly.php.
  • Ensure App\Providers\EventServiceProvider::class => 'across', if this service provider uses a third-party service in method boot(). Set 'request' instead of 'across' if method register() uses a third-party service.
  • The same rules apply to other providers like AuthServiceProvider, AppServiceProvider and so on.

Make worker service providers for speed?

Would you like a service provider to be registered and booted before any request? See the checklist for speed.

Other