-
Notifications
You must be signed in to change notification settings - Fork 41
Checklist For Safety
- size of
GETrequest's header is smaller than8KB, restricted by Swoole, big cookies will make cookies parsing fail.
-
header(), use Laravel API: $response->header -
setcookie(), use Laravel API: $response->cookie -
session_start()/session_create_id()... , so Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage is not allowed. use Laravel API. -
http_response_code(), use Laravel API like setStatusCode(404); or abort(404);
#!/usr/bin/env bash
# simple bash script to check out related functions
package_dir=vendor/mcamara/laravel-localization/src
# find out: exit( die( header( setcookie( setrawcookie( session_start http_response_code
# but ignore: >header // e.g. $request->header('Accept-Language')
grep -H -n -r -E "\bexit\(|\bdie\(|[^>]header\(|\bsetcookie\(|\bsetrawcookie\(|\bsession_start\(|\bhttp_response_code\(" $package_dir
-
flush()/ob_flush()/ob_end_flush()/ob_implicit_flush()for Laravel response, please only use Laravel API -
include_once/require_oncewhen including php code files which are not about class/interface/trait/function. See [include_once/require_once](To include the files about class/interface/trait/function)
#!/usr/bin/env bash
# simple bash script to check out related functions
grep -H -n -r -E "\bflush\(|\bob_flush\(" $package_dir
grep -H -n -r -E "\binclude_once\(|\brequire_once\(" $package_dir
- constants should keep same in all requests.
- decide whether to use coroutine. If you'd like coroutine http client, coroutine db, connections pool, select A.
-
const LARAVELFLY_COROUTINE = true;in fly.conf.php -
do not use $_GET or $_POST. Working with coroutines, cpu would jump from one request to another, $_GET is useless and harmful. So are $_POST, $_FILES, $_COOKIE, $_REQUEST, $_SESSION.
-
$_SERVER can only be used to fetch server info, not client info
-
ini_set(),setlocale(),set_include_path(),set_exception_handler()andset_error_handler()may be very dangerous if they are used in a request. Take care, avoid crash.
Woud you like to usesetlocle()in requests for users from different region? I think you'd better provide this snack on front end, using javascript, like JsWorld Moment.js. If you really want to use it, make sure there is no coroutine jump with it and its usage likeCarbon::now()->formatLocalized('%A %d %B %Y');(By the way, feel free to useapp()->setLocale,app('translator')->setLocale) -
- Coroutine does not coexist with route definition in route files
grep -H -n -r -E "\bini_set\(|\bsetlocale\(|\bset_include_path\(|\bset_exception_handler\(|\bset_error_handler\(" $package_dir
-
const LARAVELFLY_COROUTINE = false;in fly.conf.php -
Restore maybe needed if
ini_set(),setlocale(),set_include_path(),set_exception_handler()orset_error_handler()is used in a request.
Restore is not always necessary, for example mcamara/laravel-localization runsetlocale(LC_TIME, $regional . $suffix);in each request, so restore not necessary.
grep -H -n -r -E "\bini_set\(|\bsetlocale\(|\bset_include_path\(|\bset_exception_handler\(|\bset_error_handler\(" $package_dir
[ ] decide when it's registered and booted. By default, a third-party service provider would be treated as an across service provider, registered on worker and booted in each request.
-
Ensure
App\Providers\RouteServiceProvider::class => 'across',in 'providers_on_worker' in config/laravelfly.php if your routes defined in web.php or api.php use your new service. -
Ensure
App\Providers\EventServiceProvider::class => 'across',if this event service provider uses your new service in methodboot(). set 'request' instead of 'acrossif methodregister()` uses new service. -
Same rules for other providers like
AuthServiceProvider,AppServiceProviderand so on.
Be registered and booted in each request.
- put your new service provider into
'providers_in_request'
Like a service provider to be registered and booted before any request? see checklist for speed
- Ref in controllers must be WORKER SERVICE. see controller and Stale Reference