security

PHP - Stop displaying full path in errors

只谈情不闲聊 submitted on 2020-01-04 04:46:04
Question: Is there any way I can tell PHP to NOT display the full path of the file having any error in error, warning or notice messages? I know I can disable errors; but, just to avoid any risk. For example: My script returns an error which is displayed like: Fatal error: Call to undefined function shell_exec1() in /home/[user]/public_html/index.php on line 1 I want to display it like Fatal error: Call to undefined function shell_exec1() in ~/index.php on line 1 This way, it'll be a safer way to display errors

Help with CredEnumerate

微笑、不失礼 submitted on 2020-01-04 04:38:07
Question: As a follow-up to this question, I am hoping someone can help with the CredEnumerate API. As I understand from the documentation, the PCREDENTIALS out parameter is a "pointer to an array of pointers to credentials". I am able to successfully call the CredEnumerate API using C#, but I am not sure how to convert the PCREDENTIALS into something useful (like a list of credentials). Edit: Here's the code I am using: int count = 0; IntPtr pCredentials = IntPtr.Zero; bool ret = false; ret =

Obtaining an InitialContext from Weblogic without using clear text password

橙三吉。 submitted on 2020-01-04 04:33:12
Question: I can obtain the Weblogic InitialContext from a JNDI client using the following properties as the environment parameters for InitialContext: Hashtable jndiProps = new Hashtable(); jndiProps.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory"); jndiProps.put("java.naming.provider.url", "t3://localhost:7001"); jndiProps.put("java.naming.security.principal", "weblogic"); jndiProps.put("java.naming.security.credentials", "weblogic"); InitialContext ctx = new InitialContext

How to download a file uploaded to a private Facebook group using Graph API

ε祈祈猫儿з submitted on 2020-01-04 04:22:06
Question: Facebook now allows us to upload arbitrary types of files to Facebook groups, which is great. I am writing a single-sign-on iOS app, which accesses such a private group the user belongs to and downloads those files. I was able to acquire the URLs to those files using the Graph API, which look like this: http://www.facebook.com/download/444555666777888/foo.bar (If I type this URL into a browser, the browser downloads it as long as I have logged in to Facebook as me from that browser, but will fail

Allowing certain scripts to set inline styles

感情迁移 submitted on 2020-01-04 04:00:05
Question: I'm securing my page using CSP headers. I set both X-Content-Security-Policy and X-Webkit-CSP to the following value: default-src 'self'; object-src 'none'; frame-src 'self' *.youtube.com; style-src 'self' https://ajax.googleapis.com; script-src 'self' https://ajax.googleapis.com; report-uri /csp_report Everything loads fine, but I get the following error in Chrome. I have yet to test it in other browsers. Refused to apply inline style because it violates the following Content Security

Jetty LdapLoginModule: Login Failure: all modules ignored

岁酱吖の submitted on 2020-01-04 03:54:05
Question: I'm getting the below on trying to submit a login form. Does anyone know what causes this? Thanks. 2012-10-13 13:11:46.300:INFO:oejpjs.LdapLoginModule:Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=people,dc=my-domain,dc=com 2012-10-13 13:11:46.307:INFO:oejpjs.LdapLoginModule:Found user?: true 2012-10-13 13:11:46.311:WARN:oejpj.JAASLoginService: javax.security.auth.login.LoginException: Login Failure: all modules ignored at javax.security.auth.login

Why do emails not load images directly

不羁的心 submitted on 2020-01-04 03:50:27
Question: Email providers like Gmail, Yahoo, Hotmail do not load images in the email directly. These services require you to allow the images to be loaded. Why do they do this? Is it to prevent XSS/CSRF? Answer 1: Two reasons: privacy and CSRF. Privacy: It allows the sender to figure out whether I have opened the email or not, without my knowledge. Spammers can figure out whether their "marketing" campaigns have had any impact or not. CSRF: For CSRF to work, the victim has to click a link or visit the

Is it safe to accept URL parameters for populating the `url_for` method?

偶尔善良 submitted on 2020-01-04 03:25:11
Question: I am using Ruby on Rails 4.1.1 and I am thinking of accepting parameters (through URL query strings) that are passed directly to the url_for method, this way: # URL in the browser http://www.myapp.com?redirect_to[controller]=users&redirect_to[action]=show&redirect_to[id]=1 # Controller ... redirect_to url_for(params[:redirect_to].merge(:only_path => true)) Adopting the above approach, users can be redirected after performing an action. However, I think people can enter arbitrary params that can

How to restrict VOB read access in ClearCase (Windows Server)?

|▌冷眼眸甩不掉的悲伤 submitted on 2020-01-04 03:16:42
Question: I have been asked to look at how to restrict read access on certain VOBs in ClearCase, for compliance reasons (so this needs to be auditable, etc., etc...). I have found a solution so far, that I will post here, but I still have questions, so any help would be appreciated. Especially as the devil is in the details, I think. For ease of argument, let's say we have 3 VOBs and 3 groups: gA and gB are two special groups, all other CC users are in gC, which is the default CC group. VOB vA is read

Securing Cookies for Default MVC 5 Application

纵饮孤独 submitted on 2020-01-04 02:52:30
Question: I've started a new MVC 5 application in VS2013 (with Authentication = Individual User Accounts in the wizard). I'm looking at my web.config file and it says: <authentication mode="None" /> However, I can clearly create an account and log in to my site. So this is a little bit of a mystery. I have read that if I were using forms authentication, I would need to mark my cookies SSL-only for my site to be secure (just got SSL working yesterday). Is there an analogous step if my authentication