Securing a string before exec()

Posted 2024-08-17 10:47:43, 594 characters, 7 views, 0 comments


I have a PHP app which takes a user-inputted $imageurl and does the following:

exec('convert "'.$url.'" -thumbnail 80x500 "images/out.jpg"');

Now obviously I have to take some precautions with this to stop users from executing arbitrary code. For example, if the user sets $url to ";rm -rf *;", that is no good at all.

So for starters I have to filter out " so that no matter what they type in, they can't escape from their input being a parameter to convert. But should I filter out ; as well? I've seen urls with semicolons in them... and while the semicolon is really the danger here, filtering out " would still keep me safe right? But can urls have " in them? And are there any other characters I should watch for?

Maybe instead of filtering characters out I should try to escape them. So should I try to escape every character interpreted specially by the shell? Or just escape " as everything else is sort of "pre-escaped" given that it's inside double-quotes?

Sorry for my rambling confusion, I'm just new at this and want to stay safe!

Thanks,
Mala


Comments (3)

谈场末日恋爱 2024-08-24 10:47:43


Well, if you want to make sure the URL is a URL, use filter_var

filter_var($url, FILTER_VALIDATE_URL);

This will not prevent people from supplying a URL like example.com/foo?;rm -rf though, which is still a valid URL. I'm not sure if this would cause rm to execute, but you could also check the URL with parse_url() and omit the query part.

Generally, it is a good idea to have a look at these as well:

Also see the PHP Manual on securing user input.

染柒℉ 2024-08-24 10:47:43


You can use the escapeshellarg function.
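The two answers above fit together: validate the URL first (filter_var and parse_url, as the first answer suggests), then hand it to the shell through escapeshellarg (as the second answer suggests). The following is an added example written for this page; it is not code from the question or from either answer. The function name buildThumbnailCommand and the sample inputs are constructed for illustration, and the example only builds the command string rather than calling exec(), so it runs offline.

```php
<?php
// Added example (not from the original question or answers): validate the URL,
// then pass it to the shell with escapeshellarg(). Names here are my own.

function buildThumbnailCommand(string $url, string $outFile = 'images/out.jpg'): string
{
    // 1. Structural validation: must be a syntactically valid URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('not a valid URL');
    }

    // 2. Restrict the scheme to what a thumbnailer should ever fetch.
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URLs are accepted');
    }

    // 3. Escaping: escapeshellarg() wraps the value in single quotes and
    //    neutralises any embedded single quote, so ; " $ ` and friends reach
    //    the shell as literal characters. The output path is escaped as well,
    //    which keeps the same discipline for every argument in the command.
    return 'convert ' . escapeshellarg($url)
         . ' -thumbnail 80x500 ' . escapeshellarg($outFile);
}

// Constructed inputs: a harmless URL, one carrying the ";rm -rf *;" payload
// from the question, and one with a scheme the thumbnailer should not fetch.
$samples = [
    'https://example.com/a.png',
    'https://example.com/a.png";rm -rf *;"',
    'ftp://example.com/a.png',
];
foreach ($samples as $s) {
    try {
        echo buildThumbnailCommand($s), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$s} ({$e->getMessage()})", PHP_EOL;
    }
}
```

Whether filter_var happens to reject the second sample is not what keeps you safe; escapeshellarg is. Once the value is single-quoted, the shell never interprets it, so the question of which characters to strip goes away. What escaping does not do is protect the program being run: convert still receives the URL and decides for itself what to do with it, which is why the scheme and host checks are worth keeping in front of the escape.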

如果没结果 2024-08-24 10:47:43


Use Regular Expressions to ensure that $url only contains valid filename characters, e.g. "(\w\.\-/){1,256}". Plus, I imagine you are renaming the file the user uploads to be a random filename, or at least a whitelisted filename (i.e. using the same regex). sha1.ext or md5.ext are easy formats to use.
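An added example of the allowlist approach this answer describes, written for this page and not taken from the answer: an anchored character-class check for a stored filename, plus the hash-based renaming the answer mentions. The function names isSafePathSegment and hashedFilename, the extension allowlist and the sample inputs are my own assumptions.

```php
<?php
// Added example (not from the answer): allowlist the stored filename, then
// store uploads under a sha1-based name. Names and sample values are my own.

function isSafePathSegment(string $name): bool
{
    // Character class: letters, digits, underscore, dot, dash, slash; 1 to 256
    // characters; anchored so nothing else can slip in around a valid run.
    // Additionally reject ".." and a leading "/" so a relative path cannot
    // climb out of, or point outside, the images directory.
    return preg_match('#^[\w.\-/]{1,256}$#', $name) === 1
        && strpos($name, '..') === false
        && $name[0] !== '/';
}

function hashedFilename(string $contents, string $ext): string
{
    // sha1(contents).ext, with the extension drawn from a fixed allowlist so
    // the user never chooses the stored name or type.
    $allowed = ['jpg', 'png', 'gif'];
    $ext = strtolower($ext);
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    return sha1($contents) . '.' . $ext;
}

// Constructed inputs covering a normal name, traversal, shell metacharacters
// and an absolute path.
$tests = ['photos/cat.jpg', '../etc/passwd', 'a";rm -rf *;"', '/abs/path.png'];
foreach ($tests as $t) {
    printf("%-20s %s\n", $t, isSafePathSegment($t) ? 'allowed' : 'rejected');
}
echo hashedFilename('constructed file bytes', 'JPG'), PHP_EOL;
```

An allowlist like this is the right shape for a filename you control, but it is not a substitute for escaping an argument such as a URL, which legitimately contains characters outside this class; combine it with escapeshellarg on anything that still reaches a shell.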
