前面加上“http://” PHP 的 fopen() 的文件名是否足够安全以防止读取本地文件?
我有一个 PHP 脚本,它通过 GET 接受文件 URL 并使用 fopen 打开它。
这个解决方案足够安全还是存在安全漏洞?
$filename = $_GET['file'];
if( substr( $filename, 0, 7 ) !== 'http://' )
$filename = 'http://'.$filename;
fopen( $filename, 'r' );
// etc...
这样您就无法强制读取脚本的本地路径。
I have a PHP script that accepts a file URL by GET and opens it with fopen.
Is this solution safe enough or is it a security breach?
$filename = $_GET['file'];
if( substr( $filename, 0, 7 ) !== 'http://' )
$filename = 'http://'.$filename;
fopen( $filename, 'r' );
// etc...
This way you can't force a local path to the script to read from it.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
应该可以工作,但是这里还有两件事需要考虑:
授予对其他服务器的访问权限。如果您的服务器位于防火墙后面,则有人可以使用 HTTP、FTP 等从防火墙后面的另一台服务器获取数据(或访问服务等)。
递归拒绝服务。确保没有人可以给你
以递归循环的方式获取脚本本身的 URL。
That should work, but here are two more things to think about:
Giving access to other servers. If your server is behind a firewall, someone could use this to fetch data from another server behind your firewall (or hit a service, etc.) using HTTP, FTP, etc.
Recursive denial of service. Make sure that there's not a way for someone to give you the
URL of the script itself to fetch in a way that makes a recursion loop.
不太确定,但为了安全起见,你可能也需要逃离它。
请参阅:http://php.net/manual/en/function.escapeshellarg.php
Not exactly sure, but you might need to escape it also to be safe.
See: http://php.net/manual/en/function.escapeshellarg.php
它有点脆弱,因为安全性取决于注册的
http处理程序。如果在 PHP 的未来版本中它将被删除或可选怎么办?问题就在这里。这实际上有效(警告后):
It's sort of fragile, as the security depends on the
httphandler being registered. What if in a future version of PHP it will be removed or optional?Here's the problem. This actually works (after a warning):
另一个安全措施/选项是使用 chroot() http:// /php.net/manual/en/function.chroot.php
another safety measure / option is to use
chroot()http://php.net/manual/en/function.chroot.php