检查推荐人?
我遇到问题了。我有这样的代码:
$theUrl = $_GET["url"];
include("$theUrl.php");
这获取了 url,例如: http://mywebsite.com/index.php?url=test
但是如果有人输入:
http://mywebsite.com/index.php?url=http://theirwebsite.com/someEvilscript
如何避免这种情况呢?我只希望执行服务器上的脚本,而不是来自其他网站的脚本。感谢您的帮助。
I am having a problem. I have this code:
$theUrl = $_GET["url"];
include("$theUrl.php");
This gets the url, for example: http://mywebsite.com/index.php?url=test
But what if someone puts in:
http://mywebsite.com/index.php?url=http://theirwebsite.com/someEvilscript
How to avoid this? I want only scripts that i have on my server to be executed and not from other websites. Thanks for help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
处理此问题的好方法之一是定义可包含的文件白名单。如果有任何东西不在该列表中,则应将其视为邪恶的并且永远不要包括在内。
例如:
注意:正如评论中所建议的,可以通过扫描允许的目录来动态填充允许的列表。
One of the good way to handle this is to define a white list of file that can be included. If anything isn't in that list, it should be considered evil and never included.
For example :
Note : As suggested in the comment, the allowed list can be populated dynamically by scanning allowed directory.
你真的不应该有任何看起来像这样的代码。我的意思是真的。你想用这个实现什么目的?我确信还有另一种方法可以达到同样的效果,而且没有风险(比如说一般的丑陋)。
正如 HoLyVieR 所建议的,将可包含的内容列入白名单是确保当前代码安全的关键。
You really shouldn't have any code that looks like that. And I mean really. What are you trying to achieve with this? I'm sure there's another way to the same without the risks (and let's say general uglyness).
Like HoLyVieR suggests, whitelisting what can be included is the key to making your current code safe.
为什么不在您的网站上创建
test.php并在链接中使用http://mywebsite.com/test.php呢?这样,如果需要,您可以将初始化脚本包含在test.php中(以及其他脚本中)。Why don't you just create
test.phpon your site, and usehttp://mywebsite.com/test.phpin the link? This way you can include your initialization script intest.php(and in the other scripts) if needed.