Home Backend Development PHP Tutorial php函数伪静态、MVC单一入口与文件下传安全漏洞

php函数伪静态、MVC单一入口与文件下传安全漏洞

Jun 13, 2016 pm 01:07 PM
application httpd path pathinfo php

php函数伪静态、MVC单一入口与文件上传安全漏洞

php的函数伪静态也是这样做出来的。
以下是函数伪静态所用的函数:

?

function MakeUrl($arr){ 
         foreach($arr as $key=>$value){ 
                 $url[]=$key."_".$value; 
         } 
         $tmpurl=implode("_",$url); 
         return $tmpurl.".htm"; 
} 

function ParseUrl(){ 
    if($_SERVER['PATH_INFO']!=""){ 
         $pathinfo=substr($_SERVER['PATH_INFO'],1); 
         $pathinfo=str_replace(".htm","",$pathinfo); 
         $path=explode("_",$pathinfo); 
         $count=count($path); 
         for($i=0;$i2,'page'=>1)); 
以上两行代码生成页面中的URL。
//浏览页面,调用函数ParseUrl();直接可以使用变量$_GET 

Copy after login

?

?

当然,很多MVC框架中,均支持这样的功能,但在MVC框架中,并不一定是用上面两个函数实现的了。
其实,它不仅是伪静态所需。同时也是MVC所必须要的功能。这是因为,MVC中的所谓的单一入口,也是凭此功能实现的。
我们可以见到很多网站,链接象? http://www.tiaotiaola.com/s/2/3/4/5.html
实际是经过.htaccess,或者是UrlRewrite处理过的。未处理之前是:http://www.tiaotiaola.com/s.php/2/3/4/5.html
s.php一定是MVC的入口文件。
这就是说,s.php/2/3/4/5.html这样的文件,均会当成PHP文件被执行。

关于文件上传漏洞问题。本文首发时,讲到的 some.php.png 会被当成PHP执行,实际是因某一类设置错误造成的。

而对于 some.php%3Fpng,即便存在这样的文件,相对于APACHE服务器的安全性,此文件也是禁止访问的。

当然:some.png.php肯定是不能上传到服务器上的。

但这也并不是说,上传就是完全安全。仍然存在通过上传文件名实现的URL的嵌入攻击。解决?URL的嵌入攻击的办法则是:
对所有的上传文件均进行改名。即不保存原始文件名。如果要保存,则必须去掉文件名中的"."以及其它可能有攻击性的语法。
我们推荐的做法是不保存原始文件名,即对原始文件名用md5或sha进行hash,如果要区分上传时间,可以加上时间戳,即生成的是纯a-z0-9文字的文件名。最后加上原始扩展名即可。
另一个方面:假如黑客能够攻击到操纵你的SHELL,那么,some.php.png则是可以被执行的。从这一点来说,关键不是在上传这一边控制,而是如何禁止服务器的远程脚本运行的安全配置问题了。

?

――――――――――――――――――――――――――――――――――――――――

后记:感谢1 楼 aweber?指出文中的错误。 此文发布时,有些问题,未经完全测试确认。?

?

?

1 楼 aweber 2011-06-08  
"php中有一个让人不解的特性,那就是,如果文件名中有".php",则会自动调用PHP引擎,当成PHP脚本处理。"
这句话是错误的。用什么样的程序来处理什么样后缀名的请求,是根据web服务器(apahce,nginx)设置的。
举个例子 apache 可以使用action命令来设置
actioin application/x-httpd-php "/php/php-cgi.exe" 这条命令是表明当请求application/x-httpd-php媒体类型的请求时,使用/php/php-cgi.exe来处理这个请求
同时,可以使用addType来建立后缀名和媒体类型的映射关系
addType application/x-httpd-php .php  这样,当请求是以.php为后缀名,则认为是application/x-httpd-php类题类型的,
这样,如果你愿意,也可以设置成
addType application/x-httpd-php .example,那么当你请求xxx.example的时候,这个文件也会被当成php文件来解析 
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

CakePHP Project Configuration CakePHP Project Configuration Sep 10, 2024 pm 05:25 PM

In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Date and Time CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

CakePHP Routing CakePHP Routing Sep 10, 2024 pm 05:25 PM

In this chapter, we are going to learn the following topics related to routing ?

Discuss CakePHP Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

How To Set Up Visual Studio Code (VS Code) for PHP Development How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

CakePHP Creating Validators CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

See all articles