简体繁体 English

PHP筛选器和安全风险

[英]PHP filter and security risks

原文 2013-02-28 11:15:44 6 2 php/ security/ filter/ drupal-7

I want to create a couple of PHP blocks with me as admin only have the ability to edit 我想和我一起创建几个PHP块，因为只有管理员才能编辑

From http://drupal.org/node/1046700 : 从http://drupal.org/node/1046700 ：

Important note: There are security considerations in enabling the PHP filter module. 重要说明：启用PHP过滤器模块时需要考虑安全性。 The PHP input filter introduces the possibility for malicious users to attack your website with malicious scripts. PHP输入过滤器引入了恶意用户使用恶意脚本攻击您的网站的可能性。 You should only grant permission to use the PHP filter to people you trust. 您只应向您信任的人授予使用PHP过滤器的权限。 Also, make sure those you grant permission to are competent PHP coders as malformed code can break your website and stop it functioning altogether. 另外，请确保您授予权限的人都是合格的PHP程序员，因为格式错误的代码可能会破坏您的网站并使其完全无法正常运行。 It is a good idea to create a separate role for this module (and other potentially dangerous ones) like 'developer' or 'webmaster', distinct from 'administrator' who may be a Drupal expert but not an expert coder, so you can grant it only to those who fulfill such criteria. 最好为此模块（以及其他潜在危险的模块）（例如“开发人员”或“网站管理员”）创建一个单独的角色，以不同于可能是Drupal专家但不是专家编码者的“管理员”角色，因此您可以授予仅适用于那些满足此类条件的人。

Does this mean there are risks from external attacks, or am I good to add PHP blocks for my use only? 这是否意味着存在来自外部攻击的风险，还是我可以添加PHP块仅供我使用？

2 个解决方案

The relevant part for you is the following one: 与您相关的部分是以下部分：

You should only grant permission to use the PHP filter to people you trust. 您只应向您信任的人授予使用PHP过滤器的权限。

There are always risk of exposing a site to possible attacks when writing code, and in fact the Drupal security team's task is to report security holes to the module maintainers to fix them. 编写代码时，总是存在使站点遭受可能的攻击的风险，实际上Drupal安全团队的任务是向模块维护者报告安全漏洞，以修复漏洞。
With the PHP filter, the more immediate risk is that users who use it have access to any database table. 使用PHP筛选器，更直接的风险是使用它的用户可以访问任何数据库表。 It would be easy for somebody to change the user account's password, change the ownership of a node, etc. 某人更改用户帐户的密码，更改节点的所有权等很容易。

They are just making sure you know you can get yourself in trouble if you give just anyone permission to the PHP code text format. 他们只是确保您知道，如果您只授予任何人对PHP代码文本格式的许可，便会惹上麻烦。 They are also warning that if you mess up the PHP, it could mess up the site, no different than if you uploaded a PHP script that wasn't proper. 他们还警告说，如果您搞砸了PHP，可能会弄乱网站，这与上载不合适的PHP脚本没有什么不同。

In people -> permissions, there is a permission "Use the PHP code text format". 在人员->权限中，有一个权限“使用PHP代码文本格式”。 Make sure only roles you trust to use PHP have access to that. 确保只有您信任的使用PHP的角色才能访问它。 If you are using user 1 to manage your blocks, just leave it with no other roles having that permission. 如果您正在使用用户1来管理您的块，只需将其保留没有其他具有该权限的角色即可。 User 1 has permission to everything. 用户1拥有所有权限。

I'd also recommend having a different admin theme to mitigate the potential of a block with bad PHP preventing you from accessing your admin panel. 我还建议您使用其他管理主题，以减少因PHP错误而阻止访问您的管理面板的可能性。