Common security vulnerabilities in parsing web file operations (directory and file name detection vulnerabilities)_PHP tutorial

WBOY
Release: 2016-07-21 15:02:31

When doing web development we often do code inspections, spot-checking core functions or the pieces of logic where vulnerabilities tend to appear. As a technical team grows and its members' skills mature, the common, obvious SQL injection and XSS vulnerabilities become rarer, but we still find new, more covert vulnerabilities turning up from time to time. Most of them come from a function or shared module that a developer did not design carefully enough, leaving a problem behind. In the past it was enough to get a functional module working; now the requirement is to complete it in a safe and correct way. Below I will share some common functional modules that lead to vulnerabilities for design reasons, starting with a file-reading function.
Let's first look at the following piece of code, which includes different files depending on the directory name the user passes in:


<?php
/// Read the module name
$mod = isset($_GET['m']) ? trim($_GET['m']) : 'index';
/// Filter the directory name to prevent jumping to the parent directory
$mod = str_replace("..", ".", $mod);
/// Build the file path (fixed directory in front, fixed extension at the back)
$file = "/home/www/blog/" . $mod . ".php";
/// Include the file
@include($file);

Many of you will have run into code like this in your own programs, and it is very easy for newcomers to write something like it. I remember that when I came across this code during a walkthrough, I asked: what does this code do for security?
The answer was:
1. The ".." sequence is replaced, so any ".." in the module name passed in by the user will be replaced.
2. The file name is spliced together with a fixed directory in front and a fixed extension at the back, so the included file is restricted to that directory.
Does this code really achieve directory security detection?
Let's test what happens if $mod is passed the following value.

If the module parameter is set to ...%2F...%2F...%2F...%2Fetc%2Fpasswd%00 (URL-decoded: .../.../.../.../etc/passwd followed by a null byte), we see that the result is:


The script actually includes the /etc/passwd file.
How did the input escape my parameter restrictions?
First of all:
Using replacement-style filtering to limit user input is not a good method. The general rule is: if the input can be validated, do not replace; if it fails validation, reject it outright. This is one of our principles, and there are countless examples of filtering that failed. Let's look at the actual process:
1. The input ".../.../.../" has each ".." replaced with ".".
2. The result is "../../../", and that is how the traversal sequence gets through.
Some friends will ask: wouldn't it be better to replace ".." with an empty string instead? In this particular case that would indeed work, but it does not mean every replacement can be fixed that way. Consider another example: someone removes the word "javascript" from a string with the following code:


......
/// Remove the word "javascript" from the message in a single pass
$msg = str_replace("javascript", "", $msg);

It looks as though "javascript" can no longer appear. But if the input is jjavascriptavascript, the single replacement removes only the middle occurrence, and the leading "j" and the trailing "avascript" join up to form a new "javascript".
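Both replacement failures above (".." collapsing to "." and "jjavascriptavascript") are instances of the same problem: one pass of str_replace() is not idempotent, so its output can still contain the substring it was meant to remove. The following is an added example of my own, not code from the article: it runs the article's two filters over a few constructed inputs and shows the check-and-reject approach the article recommends instead. The sample inputs and the function names are constructed for this illustration.

```php
<?php
// Added example (not from the original article): why a single-pass
// str_replace() blacklist is not a safe input check.

// The article's first filter: replace ".." with "." in one pass.
function weak_dotdot_filter(string $mod): string
{
    return str_replace("..", ".", $mod);
}

// The article's second filter: strip the word "javascript" in one pass.
function weak_javascript_filter(string $msg): string
{
    return str_replace("javascript", "", $msg);
}

// A validation check in the spirit of the article's principle:
// do not repair the input, just decide whether it is acceptable.
function contains_forbidden(string $value, string $forbidden): bool
{
    return strpos($value, $forbidden) !== false;
}

// Constructed sample inputs (hypothetical, for demonstration only).
$samples = [
    "user",            // benign module name
    "../config",       // plain traversal: one pass does remove it
    ".../.../config",  // three dots: one pass collapses "..." to ".."
];

foreach ($samples as $input) {
    $filtered = weak_dotdot_filter($input);
    printf("%-18s -> %-16s still contains '..': %s\n",
        $input, $filtered,
        contains_forbidden($filtered, "..") ? "yes" : "no");
}

$msg = "jjavascriptavascript";
$filtered = weak_javascript_filter($msg);
printf("%s -> %s still contains 'javascript': %s\n",
    $msg, $filtered,
    contains_forbidden($filtered, "javascript") ? "yes" : "no");

// What a validating version looks like: run the check on the raw input
// and reject on failure, instead of transforming it and trusting the result.
function accept_module_name(string $mod): bool
{
    return !contains_forbidden($mod, "..");
}
```

Run it with the PHP CLI (php filter_demo.php). The point of the loop is that the check is applied to the filter's output: for the third sample the filtered value still contains "..", so a check placed after the replacement would catch it, and a check placed on the raw input with an outright rejection (accept_module_name) needs no replacement at all.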

Secondly: how does the input escape the ".php" restriction appended at the end? The parameter the user entered ends with etc/passwd followed by %00, a null byte. In PHP versions before 5.3.4 the path string handed to include() is cut off at that byte, so the trailing ".php" is never seen and the file actually opened is /etc/passwd.

1. What is whitelist restriction?

For example:
$mod = isset($_GET['m']) ? trim($_GET['m']) : 'index'; /// read the module name
If the value range of $mod is an enumeration:
if (!in_array($mod, array('user', 'index', 'add', 'edit'))) exit('err!!!');
$mod is now completely restricted: it can only be one of the values in this array. Strict enough!

2. How to implement whitelist restrictions
From the example above we know that when the value is an enumeration, we simply put the allowed values in a list. Sometimes that is not enough, though, and we have another whitelist method: restricting the character range.


For example:
$mod = isset($_GET['m']) ? trim($_GET['m']) : 'index'; /// read the module name
I know that $mod is a directory name, and on a typical site that means letters, digits and underscores.
if (!preg_match('/^\w+$/', $mod)) exit('err!!!');
The characters can only be [A-Za-z0-9_]. Strict enough!
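The following is an added example, not the article's own code, that combines the two whitelist methods above into one module loader and adds a realpath() containment check as a second line of defence. The base directory /home/www/blog is taken from the article's snippet; the module list, the constant names and the function name resolve_module are assumptions made for this example.

```php
<?php
// Added example (not the article's own code): a module loader that applies
// the article's whitelist methods and then verifies the resolved path.
// MODULE_DIR comes from the article; ALLOWED_MODULES is an assumption.

const MODULE_DIR = '/home/www/blog';
const ALLOWED_MODULES = ['user', 'index', 'add', 'edit'];

// Returns the absolute path of the module file, or null if the name is rejected.
function resolve_module(string $mod, string $baseDir = MODULE_DIR): ?string
{
    // 1. Character whitelist: only [A-Za-z0-9_]. This also rejects "/", ".",
    //    a decoded %00 null byte and anything else a path could be built from.
    //    \z is used instead of $ because $ would also accept a trailing newline.
    if (!preg_match('/^\w+\z/', $mod)) {
        return null;
    }

    // 2. Enumeration whitelist, for the case where the module set is known.
    //    The third argument forces a strict comparison.
    if (!in_array($mod, ALLOWED_MODULES, true)) {
        return null;
    }

    // 3. Defence in depth: resolve symlinks and any "." / ".." components and
    //    confirm the result still lives under the base directory.
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $mod . '.php');
    if ($base === false || $file === false) {
        return null; // base directory missing or module file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to a location outside the base directory
    }
    return $file;
}

// Usage: same entry point as the article's snippet, but nothing is included
// unless every check above has passed.
$mod = isset($_GET['m']) ? trim($_GET['m']) : 'index';
$file = resolve_module($mod);
if ($file === null) {
    http_response_code(400);
    exit('err!!!');
}
include $file;
```

Step 1 alone already blocks every input discussed in the article (traversal sequences, slashes and the null byte all fail the \w test), and step 2 is the enumeration check from the first whitelist example. Step 3 costs one extra filesystem lookup and protects against a later change that relaxes the name check, for instance to allow subdirectory names.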

Summary: have you noticed that whitelist restriction is actually very simple to do? If you know what is needed at a given place, the input check is simply a check for exactly that. It is also much easier to check for what you already know than to replace unknown characters. Let's stop here for now; solving the problem the right way makes the code both simpler and safer!

Original article: http://www.bkjia.com/PHPjc/327917.html
source:php.cn