You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+52-13Lines changed: 52 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,10 +18,9 @@ __Highlights__:
18
18
- Can handle millions of pages per month (~500 pages per second in real environment, up to 3000 requests per second on tests, basic server ).
19
19
- Available under the liberal MIT license.
20
20
21
-
Xamboo is the result of over 15 years of manufacturing engineering frameworks, originally written for PHP 7+ and now ported to GO 1.16+
21
+
Xamboo is the result of over 17 years of manufacturing engineering frameworks, originally written for PHP 7+ and now ported to GO 1.16.3+
22
22
23
-
24
-
It is a very high quality framework for CMS, made in GO 1.16 or higher, fully object-oriented and strong to distribute code into Web portals with heavy load and REST APIs optimization.
23
+
It is a very high quality framework for CMS, made in GO 1.16.3 or higher, fully object-oriented and strong to distribute code into Web portals with heavy load and REST APIs optimization.
25
24
26
25
Xamboo is freeware, and uses several other freeware components (XConfig, XCore, XDominion, WAJAF)
27
26
@@ -334,7 +333,7 @@ Example of a working real listeners for HTTP and HTTPS:
334
333
A Host is the equivalent to a site responding to requests on a Listener. The site is named with a (sub) domain name.
335
334
Any host can listen on any listener, and respond to any domain in the configuration.
336
335
337
-
A Host may have components activated, like compressed response, minify HTML/CSS/JS response, Basic Auth, Redirect, etc.
336
+
A Host may have components activated, like compressed response, minify HTML/CSS/JS response, Basic Auth, Prot, Redirect, etc.
338
337
339
338
The components can be built-in or programmed.
340
339
@@ -376,6 +375,7 @@ The available built-in components are:
376
375
- stat: will store all the system statistics and also the requests (used by log).
377
376
- redirect: will control the called domain and port, and redirect to the correct one if it is any other variant.
378
377
- auth: will control the access with a username and password for basic realm authorization to access site.
378
+
- prot: will protect the get, post, put variables against SQL injection.
379
379
- compress: will compress the content as asked by the client (gzip or deflate) based on mime content
380
380
- minify: will minify the html, css, javascript, json, xml text files if authorized type of file or mime.
381
381
- origin: will set authorized headers for cros origin APIs based on rules.
@@ -399,6 +399,7 @@ The main components section follow the following structure:
399
399
{ "name": "stat", "source": "built-in" },
400
400
{ "name": "redirect", "source": "built-in" },
401
401
{ "name": "auth", "source": "built-in" },
402
+
{ "name": "prot", "source": "built-in" },
402
403
{ "name": "compress", "source": "built-in" },
403
404
{ "name": "minify", "source": "built-in" },
404
405
{ "name": "origin", "source": "built-in" },
@@ -556,8 +557,42 @@ User and pass are the expected data to be captured to authorized the use of the
556
557
557
558
If the user and pass are wrong, the system returns a 401 unauthorized status.
558
559
560
+
#### 4.2.5. Prot
561
+
562
+
The protection component intend to protect the system from SQL injection.
563
+
The heuristic is based on counting the quantity of SQL sentence keywords into the get and post variables, and if a certain quantity is found the security is triggered.
564
+
This is a basic protection system that can be enhanced on a more personalized component.
565
+
566
+
The prot configuration parameters are
567
+
```
568
+
"hosts": [
569
+
{
570
+
...
571
+
"prot": {
572
+
"enabled": true,
573
+
"sql": true,
574
+
"ignore": ["var1", "var2"],
575
+
"threshold": 3
576
+
}
577
+
},
578
+
...
579
+
]
580
+
```
559
581
560
-
#### 4.2.5. compress
582
+
enabled: true/false, to activate or de-activate the protection component.
583
+
584
+
sql: enable or disable the sql injection verification of entry variables.
585
+
586
+
ignore: is the list of the entry variables that will be ignored in the verification.
587
+
588
+
threshold: is the score of sql injection to activate the protection. A score of 3 is normally a good score to protect the code. 1 is very sensible, 5 is hard to trigger.
589
+
590
+
It will serve a 500 error if a sql injection is detected.
591
+
592
+
The activation of the protection is logged into the error log of the host with information about the injection.
593
+
594
+
595
+
#### 4.2.6. compress
561
596
562
597
The compress configuration parameters are
563
598
```
@@ -596,7 +631,7 @@ mimes is the list of authorized mimes to compress. If the information is any oth
596
631
files is the list of filters on file names to compress. They are normal file names, with files joker (* and ?)
597
632
598
633
599
-
#### 4.2.6. minify
634
+
#### 4.2.7. minify
600
635
601
636
The minify configuration parameters are
602
637
```
@@ -623,7 +658,7 @@ The component will minify the type of generated code (based on mime).
623
658
Activate or deactivate each type of information.
624
659
625
660
626
-
#### 4.2.7. origin
661
+
#### 4.2.8. origin
627
662
628
663
The origin configuration parameters are
629
664
```
@@ -650,7 +685,7 @@ The component will identify an OPTIONS or HEAD request and distribute the correc
650
685
You should use this component only when you program some REST API or so.
651
686
652
687
653
-
#### 4.2.8. fileserver
688
+
#### 4.2.9. fileserver
654
689
655
690
The fileserver configuration parameters are
656
691
```
@@ -676,7 +711,7 @@ If the takeover is false, when a file does not exists, the next handler will be
676
711
The static directy is where the static files are.
677
712
678
713
679
-
#### 4.2.9. cms
714
+
#### 4.2.10. cms
680
715
681
716
The CMS is a full content mamagement system with meta language, to build powerfull dynamic sites, with business rules implemented directly into pages and code.
682
717
@@ -765,7 +800,7 @@ The base template is used if the type of browser is unknown.
765
800
Then CMS makes a full takeover on the handlers, so none of the following handlers will be called.
766
801
767
802
768
-
#### 4.2.10. error
803
+
#### 4.2.11. error
769
804
770
805
The error component will only returns a 404 errors. You may want to build your own error component to personalize the returned data.
771
806
@@ -867,11 +902,10 @@ When you want to add a hand made external engine, the syntax is:
You may need to developp a new components for instance to replace a built-in one, or add new components.
905
+
You may need to develop a new engine for instance to replace a built-in one, or add new engines.
871
906
872
-
For instance if you need a "auth" component based on a database for users, you may copy the library to your own directory and modify it to your needs, then call it as a extern library instead of the built-in one.
907
+
For instance if you need a new page type engine based on a new type of templates for instance, you may copy the library to your own directory and modify it to your needs, then call it as a extern library instead of the built-in one.
873
908
874
-
Another example would be a component to verify security and SQL injection and reject the request if it does not pass though the security system. This component could be inserted before the redirect component.
875
909
876
910
### 5.2. List of build-in engines
877
911
@@ -1443,6 +1477,11 @@ Extras:
1443
1477
1444
1478
# Version Changes Control
1445
1479
1480
+
v1.6.2 - 2021-05-18
1481
+
-----------------------
1482
+
- New component "prot" added, to protect the code and query variables against SQL injection.
1483
+
- In the CMS engines, the cached xtemplate is now cloned before injection into the engines to avoid racing problems between pages.
1484
+
1446
1485
v1.6.1 - 2021-04-27
1447
1486
-----------------------
1448
1487
- The device resolution can now be replaced with the version of the programmer choice to call the correct templates. Add version=newversion into the cms configuration file.
0 commit comments