Methods, risks and solutions for opening remote files in PHP_PHP tutorial

WBOY
Release: 2016-07-13 10:25:20
Original
838 people have browsed it

PHP has a configuration option called allow_url_fopen, which is enabled by default. It allows you to point to many types of resources and treat them like local files. For example, by reading the URL you can get the content (HTML) of a page, look at the code below

Copy the code The code is as follows:

$contents = file_get_contents('http://www.jb51.net/');
?>

When used with contaminated data Serious vulnerabilities will occur when the include and require files are pointed at. In fact, I consider this vulnerability to be one of the most dangerous in PHP applications because it allows an attacker to execute arbitrary code. Although slightly less severe, a similar vulnerability can result from using tainted data in a standard file system function:
Copy Code The code is as follows:

$contents = file_get_contents($_GET['filename']);
?>

This example enables the user to manipulate the behavior of file_get_contents() so that it obtains the contents of a remote resource. Consider a request similar to the following:
http://example.org/file.php?file ... mple.org%2Fxss.html
This leads to a situation where the value of $content is contaminated, because This value is obtained indirectly, so it is possible to ignore this fact. This is why the defense-in-depth principle treats the file system as a remote data source and the value of $content as input, so that your filtering mechanism can potentially turn things around.
Since the $content value is tainted, it may lead to multiple security vulnerabilities, including cross-site scripting vulnerabilities and SQL injection vulnerabilities. For example, here is an example of a cross-site scripting vulnerability:
Copy the code The code is as follows:

$contents = file_get_contents($_GET['filename']);
echo $contents;
?>

The solution is to never use tainted The data points to a file name. To insist on filtering the input, make sure the data is filtered before it points to a file name:
Copy the code The code is as follows:

$clean = array();
/* Filter Input ($_GET['filename']) */
$contents = file_get_contents($clean['filename']);
?>

Although there is no guarantee that the data in $content is completely flawless, this still gives a reasonable guarantee that the file you are reading is exactly what you intended. fetched files rather than those specified by the attacker. To enhance the security of this process, you also need to treat $content as input and filter it before use.
Copy code The code is as follows:

$clean = array();
$ html = array();
/* Filter Input ($_GET['filename']) */
$contents = file_get_contents($clean['filename']);
/* Filter Input ($ contents) */
$html['contents'] = htmlentities($clean['contents'], ENT_QUOTES, 'UTF-8');
echo $html['contents'];
? >

The above process provides a powerful method to prevent various attacks, and is recommended for use in actual programming.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/825132.htmlTechArticlePHP has a configuration option called allow_url_fopen, which is valid by default. It allows you to point to many types of resources and treat them like local files. For example, by reading the URL you can...
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!