大量文件策略存在目录遍历安全问题?
如果我选择大量文件策略,
然后我就有了目录
遍历安全问题?
我需要编写登录系统,
大量的文件策略意味着
制作大量的 id 文件并使用 扫描目录。
所以该目录将有
aaa.txt (内容是 aaa_pass)
bbb.txt(内容为bbb_pass)
ccc.txt(内容是ccc_pass)
,当有人输入他的ID时,
系统scandir目录,
然后找到id文件。
但是,嘿,如果他输入
“../../important.txt”怎么办?
那么他可以访问 ../../important.txt 吗?
If I choose lots of files tactics,
then I become to have directory
traversal security problem?
I need to write login system,
and lots of file tactics means
make lots of id files and use
scandir.
so the directory would have
aaa.txt (contents is aaa_pass)
bbb.txt (contents is bbb_pass)
ccc.txt (contents is ccc_pass)
and when someone enter his id,
the system scandir the directory,
then find the id files.
but hey, what if he enters as
"../../important.txt" ?
then he could access to the ../../important.txt ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
乍一看,您似乎正在走一条有点奇怪的编写登录系统的道路。 我不确定文件系统上的目录中的纯文本文件是否是明智的选择,如果没有其他原因,除了它是异常的,并且您很可能会忽略在更常见的身份验证中已经考虑到的许多微妙之处系统。 例如,如果您想存储散列和加盐的密码,您需要考虑如何在您的方案中实现这一点,并且您可能会犯一个导致安全问题的错误。 不过,使用一个好的 PEAR 库,甚至是 Zend Framework 中的 Zend_Auth 组件,将为您提供一个清晰且有据可查的起点。
无论如何,假设您对问题中描述的安排有自己的理由,那么在这种情况下, basename() 函数可能就是您想要的。 它将删除除文件名本身之外的所有内容,以便他们无法像您在问题中描述的那样进行目录遍历攻击。
因此,如果用户的输入是:
../../important
您可以运行:
有意义吗?
At first glance, it seems like you are going down a somewhat strange path for writing a login system. I'm not sure plain text files in a directory on the filesystem is a wise path to take if for no other other reason than that it's abnormal and you'rer likely to overlook many of the subtleties that are already thought through in more common authentication systems. If you wanted to store the passwords hashed and salted, for instance, you'd need to think through how to implement that in your scheme and you could make a mistake that would lead to a security problem. Using a good PEAR library or even the Zend_Auth component from Zend Framework, though, would give you a clear and well-documented starting point.
Anyway, assuming you have your reasons for the arrangement you describe in your question, the basename() function is likely what you want in this case. It will strip everything but the filename itself so that they can't do a directory traversal attack like you describe in your question.
So if the input from the user is:
../../important
You can run:
Make sense?
您可以在将用户名用作路径的一部分之前对其进行一些验证 - 例如,仅允许字母和数字,您可以使用正则表达式执行类似的操作:
另一种方法是在您之前对用户名进行哈希处理例如,读取或写入它:
这样,用户可以使用任何内容作为他们的用户名,并且他们不会有操纵文件查找行为的危险。 用户名
"../../important.txt"将为您提供一个哈希值"48fc9e70df592ccde3a0dc969ba159415c62658d",尽管源字符串很糟糕,但它是安全的。You could perform some validation of the username before you use it as part of a path - for example to only allow letters and numbers you could do something like this using a regular expression:
Another way you could do it is to hash the username before you read or write it, for example:
This way, the user can have anything as their username and there will be no danger of them manipulating the behaviour of your file lookup. A username of
"../../important.txt"would give you a hash of"48fc9e70df592ccde3a0dc969ba159415c62658d", which is safe despite the source string being nasty.如果您别无选择,只能使用此文件密码系统(假设您出于某种原因必须这样做),那么除了创建某种混淆的文件名之外,您可能还需要创建与服务器具有相同扩展名的文件-side 语言以防万一 - 例如,如果您使用 PHP,您的文件名将是 john.php (或混淆的“john”),内容可能如下所示:
当然,您的文件读取例程将需要解析评论块中的短语。
这样,如果有人确实以某种方式到达该文件,它就永远不会呈现。
If you have no other choice than to use this file-password system (assuming you have to for one reason or another), in addition to creating some kind of obfuscated file names, you may also want create files with the same extension as your server-side language just in case - for example, if you are using PHP, your file name would be john.php (or obfuscated 'john'), and contents might be something like this:
Of course your file-read routine will need to parse our the phrase inside the comment block.
This way, if someone DOES somehow arrive at that file, it will never render.