Is RealPath safe?

Posted 2024-07-16 04:10:34

<?php
// The page name must be lowercase alphanumerics only; this regex is the sole input filter.
if (isset($_GET['p']) && preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
    // realpath() returns false when the resolved file does not exist
    $page = realpath('pages/'.$_GET['p'].'.php');
    $tpl = realpath('templates/'.$_GET['p'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        include('error.php');
    }
}
?>

How safe would you say this is?

Comments (7)

日记撕了你也走了 2024-07-23 04:10:34

I use this for a template file, so it can include "pages" instead of having to clutter a single file with tons of functions/strings/switch-cases/elseifs (take your pick) or create tons of files with the same layout.

It checks the realpath of the directory includes should be in and realpath of the file that is to be included, if the realpath of the file starts with the include directory, it is allowed to be included.

<?php
# If you're worried about funky characters messing with stuff, use this
# preg_replace("/[^A-Za-z0-9_\-]+/","",$str);

if (isset($_REQUEST['page'])) {
    # Trailing separator so that a sibling directory such as "page_private" is not treated as inside "page"
    $path = realpath("../inc/page") . DIRECTORY_SEPARATOR;
    # realpath() returns false if the resolved file does not exist
    $full_page = realpath($path . $_REQUEST['page'] . ".php");
    if (file_exists($full_page) && (strpos($full_page, $path) === 0)) {
        include($full_page);
    } else {
        echo "FAILED";
    }
}
?>

痴意少年 2024-07-23 04:10:34

Well, actually, realpath in this case doesn't provide any security. Actually, in that case it serves no purpose at all, as include internally will expand the path. Your security here actually depends on preg_match. Note, however, that the regex you're using won't allow you to use any page with an upper case letter, an underscore or a dash.

Anyhow, I don't think that including files based on parameters passed in the request is a good idea. There is something wrong with your design if you need that.

卖梦商人 2024-07-23 04:10:34

realpath doesn't help you at all in this instance, as include can resolve the page path to the same file, no matter whether it is realpath'd or the original relative path. It 'seems' to be valid, but I wouldn't trust that piece of code personally. I'm sure someone will figure out a neat way to inject a null character into the input, wreaking havoc on the string termination.

What you need to do instead, to be safe, is keep a whitelist (or a blacklist, if it happens to suit better, but prefer whitelists) of all allowed inputs/pages.
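Added example (not code from the question or from any of the answers): it puts the realpath containment check from the earlier answer next to the whitelist this comment recommends, so the two layers can be compared on the same inputs. The demo tree, page names and request values are constructed; it assumes a writable temp dir and POSIX paths, and the row for the unlisted "draft" page is the one that passes containment but fails the whitelist.

```php
<?php
declare(strict_types=1);

// Containment check in the style of the earlier answer: resolve the base
// directory and the candidate, then require the candidate to start with base + "/".
// Returns the resolved path or null. $name is deliberately not sanitised here
// so the demo shows what this check alone does and does not catch.
function containedPath(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null; // realpath() rejects NUL bytes (ValueError since PHP 8)
    }
    $base .= DIRECTORY_SEPARATOR; // without this, "/app/pages_private" would count as inside "/app/pages"
    $file = realpath($base . $name . '.php');
    if ($file === false || strncmp($file, $base, strlen($base)) !== 0) {
        return null;
    }
    return $file;
}

// Whitelist layer this comment recommends: the request picks a key from a fixed
// list, and the containment check stays behind it as defence in depth.
function resolvePage(string $baseDir, string $name, array $allowed): ?string
{
    return in_array($name, $allowed, true) ? containedPath($baseDir, $name) : null;
}

// Constructed demo tree (assumption: writable temp dir, POSIX paths).
$root = sys_get_temp_dir() . '/realpath_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/pages_private", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/pages/draft.php", "<?php echo 'unfinished';");
file_put_contents("$root/pages_private/admin.php", "<?php echo 'admin';");
file_put_contents("$root/secret.php", "<?php echo 'secret';");

$allowed = ['home', 'about'];
foreach (['home', 'draft', '../secret', '../pages_private/admin', "home\0"] as $p) {
    printf("%-24s containment: %-8s whitelist: %s\n", addcslashes($p, "\0"),
        containedPath("$root/pages", $p) !== null ? 'allowed' : 'rejected',
        resolvePage("$root/pages", $p, $allowed) !== null ? 'allowed' : 'rejected');
}
```

The demo tree is left under the temp dir so the resolved paths can be inspected afterwards; remove it by hand when done.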

冷︶言冷语的世界 2024-07-23 04:10:34

It seems to be safe....

But not efficient.
In MVC you have the controller and view dirs preset and pre known. No point in doing a stat to check if view/controller exists.

浅唱々樱花落 2024-07-23 04:10:34

realpath() will actually have some effect in this case, as it'll return FALSE if the target file does not exist. But as the other posters already said - this will not add any security to the code.

It's rather a way of error-handling in case the designated files do not exist.

懵少女 2024-07-23 04:10:34

Better run basename() on $_GET['p']. No directory traversal attacks for sure.

星星的軌跡 2024-07-23 04:10:34

I cannot comment on the PHP realpath, but if it's just a wrapper for the system's realpath function then one thing to be aware of: on some systems (e.g., Solaris), if the process receives a signal while realpath is executing it'll return the empty string ... in which case, you'd have to ensure your code is set up to handle that type of situation (unless the PHP implementation resolves that particular dilemma for you).
