安全可靠地将文件路径转换为 url
我正在使用 php,并且有以下代码将绝对路径转换为 url。
function make_url($path, $secure = false){
return (!$secure ? 'http://' : 'https://').str_replace($_SERVER['DOCUMENT_ROOT'], $_SERVER['HTTP_HOST'], $path);
}
我的问题基本上是,就安全性/可靠性而言,是否有更好的方法可以在位置和服务器之间移植?
I'm using php and I have the following code to convert an absolute path to a url.
function make_url($path, $secure = false){
return (!$secure ? 'http://' : 'https://').str_replace($_SERVER['DOCUMENT_ROOT'], $_SERVER['HTTP_HOST'], $path);
}
My question is basically, is there a better way to do this in terms of security / reliability that is portable between locations and servers?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
HTTP_HOST 变量不是可靠或安全的值因为它也是由客户端发送的。 所以在使用之前一定要验证它的价值。
The HTTP_HOST variable is not a reliable or secure value as it is also being sent by the client. So be sure to validate its value before using it.
我不认为安全性会受到影响,仅仅因为这是一个 URL,被打印到浏览器......最糟糕的情况是暴露文件的完整目录路径,并可能创建一个损坏的链接。
作为一个小旁注,如果这是在 HTML 文档中打印,我假设您正在通过诸如 htmlentities 之类的东西传递输出...以防万一输入 $path 包含诸如 [script] 标记 (XSS) 之类的东西。
不过,为了使其更可靠,我不建议在“DOCUMENT_ROOT”上进行匹配,因为有时它要么未设置,要么不会匹配(例如,当 Apache 重写规则开始妨碍时)。
如果我要重写它,我只需确保始终打印“HTTP_HOST”......
并且如果可能的话,更新调用代码,使其仅传递路径,所以我什至不需要考虑删除“DOCUMENT_ROOT”(即,如果路径与“DOCUMENT_ROOT”不匹配会发生什么)...
这确实留下了问题...为什么有这个功能?
在我的网站上,我只是在脚本执行开始时定义了一个变量,该变量设置:
我使用 GLOBALS 的地方,以便可以在任何地方访问它(例如在函数中)...但您可能还想考虑制作一个常量(定义) ,如果您知道该值不会更改(我有时会稍后在站点范围的配置文件中更改这些值,例如,如果我有网站的 HTTPS/SSL 证书)。
I don't think security is going to be effected, simply because this is a url, being printed to a browser... the worst that can happen is exposing the full directory path to the file, and potentially creating a broken link.
As a little side note, if this is being printed in a HTML document, I presume you are passing the output though something like htmlentities... just in-case the input $path contains something like a [script] tag (XSS).
To make this a little more reliable though, I wouldn't recommend matching on 'DOCUMENT_ROOT', as sometimes its either not set, or won't match (e.g. when Apache rewrite rules start getting in the way).
If I was to re-write it, I would simply ensure that 'HTTP_HOST' is always printed...
... and if possible, update the calling code so that it just passes the path, so I don't need to even consider removing the 'DOCUMENT_ROOT' (i.e. what happens if the path does not match the 'DOCUMENT_ROOT')...
Which does leave the question... why have this function?
On my websites, I simply have a variable defined at the beggining of script execution which sets:
Where I use GLOBALS so it can be accessed anywhere (e.g. in functions)... but you may also want to consider making a constant (define), if you know this value won't change (I sometimes change these values later in a site wide configuration file, for example, if I have an HTTPS/SSL certificate for the website).
我认为这是错误的做法。
HTML 中的 URL 支持相对位置。 也就是说,您可以执行
link来引用其 URL 中的路径与当前页面相同的页面。 您还可以执行link来提供同一网站的完整路径。 这两个技巧意味着您的网站代码实际上不需要知道在哪里提供工作 URL。也就是说,您可能需要一些技巧,以便您可以在
http://www.example.com/dev/site.php上拥有一个网站,在http://www.example 上拥有另一个网站.com/testing/site.php。 您需要一些代码来确定正在使用哪个目录前缀,但您可以使用配置值来执行此操作。 我的意思是属于该(子)站点配置的值,而不是版本控制代码!I think this is the wrong approach.
URLs in a HTML support relative locations. That is, you can do
<A href="filename.php">link</a>to refer to a page that has the same path in its URL as the corrent page. You can also do<a href="/dir/filename.php">link</a>to provide a full path to the same website. These two tricks mean your website code doesn't really need to know where it is to provide working URLs.That said, you might need some tricks so you can have one website on
http://www.example.com/dev/site.phpand another onhttp://www.example.com/testing/site.php. You'll need some code to figure out which directory prefix is being used, but you can use a configuration value to do that. By which I mean a value that belongs to that (sub-)site's configuration, not the version-controlled code!