Comparison of resin 3.1.10 and 3.0.25 (tags: servlet, jsp, web)
程序员文章站
2024-03-15 10:00:35
The company is refactoring its recharge (top-up) projects; the container chosen earlier was resin 3.0.25.
Several projects had already been refactored on resin 3.1.10, so I suggested the recharge project adopt that version as well.
I lobbied on the grounds that a higher version means better performance and more stability, and was turned down by the junior colleague on the recharge team, who expected concrete optimization points and an evaluation report.
I went through Resin's official website and excerpted some of the improvements resin 3.1.10 brings to the web app container, as follows (I picked the key ones; they come from the fixes of several minor releases):
• session: boundary issues over 4M session (rep by Chris Pratt)
• server: stack trace incorrectly displayed for bad request response (rep by Vinod Mehra, #3359)
• servlet: run-at race condition on web-app restart (rep by stbu, #3342)
• mod_caucho: socket drop issue (rep by Mathias Jansson)
• jms: btree split off-by-one issue (#3287, rep by tyson weihs)
• jms: file missing primary declaration (#3287, rep by tyson weihs)
• server: cron syntax not properly handling day of week (#3248, rep by mate)
• jsp: backport of JspCompileResource parallel compile (#2987, rep by stbu)
• memory: DispatchRequest._invocation needs to be cleared (rep by Mattias Jiderhamn)
• (2008-11-17) thread: thread pool load smoothing (rep by Martin Thompson)
• jsp: content after forward should be ignored (#2748, rep by Vinod Mehra)
• database: after connection error in XA, the returned connection must still be the same object (#2708, rep by Takahiro Fukuda)
• security: custom ip-constraint extension IoC configuration issues (#2718, rep by Alex Victoria)
I submitted this to the CUT department and asked for a security comparison between resin 3.1.10 and 3.0.25, which came back as follows:
| Version | Vulnerability Type | Content | Risk | Advice |
| --- | --- | --- | --- | --- |
| Resin 3.1.10 (2010.2.23) | (1) XSS (cross-site scripting); (2) Directory Traversal; (3) Bypass (file-extension creation bypass) | (1) Cross-site scripting vulnerability in Resin-admin/digest.php; (2) Quercus, the PHP5 engine in Resin, allows directory traversal; (3) In the Caucho Quercus PHP engine, a %00 null byte can be used to bypass file-extension checks when creating files | Medium | (1.1) Move the admin console to an uncommon path; (1.2) Also apply access control to the admin console; (2) Not an issue if PHP applications are not parsed; (3) Not an issue if PHP applications are not parsed |
| Resin 3.1.12 (2011.8.29) | (1) Directory Traversal; (2) Bypass (file-extension creation bypass) | (1) Quercus, the PHP5 engine in Resin, allows directory traversal; (2) In the Caucho Quercus PHP engine, a %00 null byte can be used to bypass file-extension checks when creating files | Medium | (1) Not an issue if PHP applications are not parsed; (2) Not an issue if PHP applications are not parsed |