resin3.1.10和3.0.25的比较
公司对充值类项目进行重构,之前选择的是resin3.0.25的容器。
之前已经做过几个项目的重构了,选择了resin3.1.10的版本,遂建议充值项目选用此版本。
以版本越高,性能越好,越稳定为理由进行游说,遭到充值小同学的拒绝。期望提供具体优化点和评估报告。
查阅了resin的官网,摘选了一些resin3.1.10在web app容器方面的提升,如下:(挑了些重点,分属于各个小版本的优化)
?session: boundary issues over 4M session (rep by Chris Pratt)
?server: stack trace incorrectly displaed for bad request response (rep by Vinod Mehra, #3359)
?servlet: run-at race condition on web-app restart (rep by stbu, #3342)
?mod_caucho: socket drop issue (rep by Mathias Jansson)
?jms: btree split off-by-one issue (#3287, rep by tyson weihs)
?jms: file missing primary declaration (#3287, rep by tyson weihs)
?server: cron syntax not properly handling day of week (#3248, rep by mate)
?jsp: backport of JspCompileResource parallel compile (#2987, rep by stbu)
?memory: DispatchRequest._invocation needs to be cleared (rep by Mattias Jiderhamn)
?(2008-11-17) thread: thread pool load smoothing (rep by Martin Thompson)
?jsp: content after forward should be ignored (#2748, rep by Vinod Mehra)
?database: after connection error in XA, the returned connection must still be the same object (#2708, rep by Takahiro Fukuda)
?security: custom ip-constraint extension IoC configuration issues (#2718, rep by Alex Victoria)
提交给CUT部门,期望提供resin3.1.10和3.0.25在安全方面的对比,如下:
VersionVulnerability TypeContentRiskAdvice"Resin 3.1.10(2010.2.23)" 1、xss(跨站)2、Directory Traversal(目录遍历)3、Bypass(文件扩展名创建绕过)1、Resin-admin/digest.php 跨站漏洞2、Resin中的PHP5引擎Quercus可以遍历目录3、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建Medium1.1、改掉后台管理地址为不常用地址1.2、同时对管理后台进行访问控制2、不解析PHP应用没有问题3、不解析PHP应用没有问题"Resin 3.1.12(2011.8.29)"1、Directory Traversal(目录遍历)2、Bypass(文件扩展名创建绕过)1、Resin中的PHP5引擎Quercus可以遍历目录2、Caucho Quercu PHP 引擎中利用%00空字节绕过文件扩展名创建Medium1、不解析PHP应用没有问题2、不解析PHP应用没有问题
