如何“防篡改” php中的$_SERVER变量是什么?
通过信任 $_SERVER 变量数组的内容来使用 $_SERVER['PHP_SELF'] 获取 php 文件的名称,我会冒很大的安全风险吗?
Would I be taking a big security risk by trusting the content of the $_SERVER variable array to get the name of php file using $_SERVER['PHP_SELF']?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
许多但并非全部 $_SERVER 变量都受到攻击者控制。例如,
$_SERVER['SCRIPT_NAME']
是安全的,而$_SEVER['PHP_SELF']
是一个不同的危险变量,并且通常是 xss 的来源:PoC:
它通过查看 phpinfo。
Many but not all of the $_SERVER variables are attacker controlled. For instance
$_SERVER['SCRIPT_NAME']
is safe where as$_SEVER['PHP_SELF']
is a vary dangerous variable and is often the source of xss:PoC:
It is easy to see this vulnerability in action by looking at phpinfo.
没有有效的特殊机制来保护该变量。您可以像写入任何其他变量一样写入它。因此,您必须像任何其他变量一样保护它免遭篡改(禁用 register_globals、避免变量变量等)。那么你就可以相信它。
作为一种解决方法,您可以在程序的早期定义自己的常量:
并在可用的情况下使用预定义常量,例如
__FILE__
。There is no special mechanism in effect to protect this variable. You can write to it as you can to any other variable. So you have to protect it against tampering like any other variable (disable register_globals, avoid variable variables, etc.). Then you can trust it.
As a workaround to be sure, you can define your own constants early in your program:
and use predefined constants where available, e.g.
__FILE__
.来自 php.net 手册:
因此,如果您了解有权更改服务器配置的所有用户(以及会话中可能修改变量内容的所有脚本),您就可以合理地确定
$_SERVER
变量的数据。From the php.net manual:
So, if you are aware of all users who have access to change server configuration, (and all scripts in your session that may modify the contents of the variable) you can be reasonably sure of the
$_SERVER
variable's data.完全不,只要您不使用用户的数据,这实际上根本就不会构成风险。也就是说,使用以下之一:
Not at all, this can not actually be a risk at all as long as you don't use data from user. That is, use one of these: