Home > Backend Development > PHP Tutorial > apache中对非站点索引的访问限制

apache中对非站点索引的访问限制

WBOY
Release: 2016-06-13 12:48:21
Original
883 people have browsed it

apache中对非站点目录的访问限制
apache设置中有一段
Alias /test "/var/www/web2/test"

    Options FollowSymLinks Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all




如果此时 /var/www/web2/test 目录中有一个php下载的页面
down.php大概是这样:

$filename=$_GET["file"];<br />
 <br />
ob_end_clean();<br />
header("Expires: 0");<br />
if(!$file = @fopen($filename,'r')){<br />
        echo 'read error';<br />
        exit();<br />
}<br />
 <br />
flock($file,LOCK_SH);<br />
$filesize=filesize($filename);<br />
 <br />
Header("Content-type: application/octet-stream");<br />
Header("Accept-Ranges: bytes");<br />
Header("Accept-Length: ".$filesize);<br />
Header("Content-Disposition: attachment; filename=" . $file_name);<br />
if($filesize>0)<br />
{<br />
        echo fread($file,$filesize);<br />
}<br />
fclose($file);<br />
ob_get_contents();<br />
ob_end_clean();<br />
exit;
Copy after login




这个页面测试有很大的漏洞, 客户在浏览器输入down.php?file=../../../etc/xxx
类似的就能下载系统的文件。
请问如何配置apache让站点只能访问自身目录以及子目录,不能访问其他目录?


------解决方案--------------------
apache 本身没有这个功能,也不需要这个功能
因为 apache 只是个二传手

你可以在 php.ini 中配置
open_basedir = 允许访问的路径列表

也可以将 open_basedir 放在 apache 的 httpd.conf 或 .htaccess 中
php_admin_value open_basedir 允许访问的路径列表
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template