堆栈内存溢出
  简体   繁体   English

在网站中使用相对链接是否安全?

[英]Is it safe to use relative links in website?

 原文  2014-02-06 02:37:41       security/ web

问题描述

In building a website, I am referencing files (assets, js, css) from a parent folder via relative links. 在建立网站时,我是通过相对链接引用父文件夹中的文件(资产,js,css)。 Is this safe practice? 这是安全的做法吗? Or am I opening the site up to security issues/risks such as a Directory Traversal Attack? 还是我将网站开放给诸如目录遍历攻击之类的安全问题/风险? Would absolute links be safer or would this cause many more HTTP requests? 绝对链接会更安全还是会导致更多HTTP请求? What's the best practice? 最佳做法是什么?

2 个解决方案

解决方案1
 1  2014-02-06 02:39:38

You should be fine. 你应该没事的。 Either way, if the files get moved they won't be found. 无论哪种方式,如果文件被移动,都将找不到它们。 As far as security, I'm not 100% sure, but I'd doubt the type of link in HTML would cause a security issue. 就安全性而言,我不确定100%,但是我怀疑HTML中的链接类型会引起安全性问题。 That would be something I might wait to get another answer for. 我可能会等着得到另一个答案。

解决方案2
 0 已采纳  2014-02-07 09:47:09

There is no security risk. 没有安全风险。 Directory Traversal happens when a buggy web server implementation or a buggy script incorrectly allows path characters to be entered in the URL and the server directory structure is traversed. 目录遍历发生在一个有错误的Web服务器实现或马车脚本错误地允许在URL中输入路径中的字符和服务器的目录结构进行遍历。 For example, " .. " or " / " characters (or their encoded versions). 例如,“ .. ”或“ / ”字符(或其编码版本)。

An example is If you had the URL https//www.example.com/readFile.php?file=readme.txt and a malicious user could change this to https//www.example.com/readFile.php?file=/etc/passwd then if it this worked it would be vulnerable. 例如,如果您具有URL https//www.example.com/readFile.php?file=readme.txt并且恶意用户可以将其更改为https//www.example.com/readFile.php?file=/etc/passwd那么如果这样做有效,将很容易受到攻击。

A link in an HTML page is the same as the user directly entering that URL in the address bar in this case, so no extra risk is introduced. 在这种情况下,HTML页面中的链接与用户直接在地址栏中输入该URL相同,因此不会带来额外的风险。 Relative links are probably more secure in that there is less risk for bugs to be introduced to any URL parsing code that would generate absolute links. 相对链接可能更安全,因为将错误引入任何将生成绝对链接的URL解析代码的风险较小。 The latest versions of popular web servers are secure against this attack, and if you haven't introduced your own scripts that contain the vulnerability you should be safe. 流行的Web服务器的最新版本可以抵御这种攻击,并且,如果您没有引入自己的包含漏洞的脚本,则应该是安全的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Brackets 网站和文本编辑器使用安全吗? - Is Brackets website and text editor safe to use? 共享安全链接时使用url缩短是否安全? - Is it safe to use url shortening while sharing secure links? 我如何确保我网站用户发布的链接安全可靠? - How do I make sure that links posted by the users of my website are safe and secure? Microsoft.Office.Interop是否可以安全地用于网站(文件转换)? - Is Microsoft.Office.Interop safe to use for (file-converting) for a website? 防止 Microsoft 安全链接扫描 - Prevent Microsoft Safe Links Scanning 允许以#(hash)开头的链接是否安全? - Is it safe to allow links that start with # (hash)? 在网站上注册用户的安全方式 - Safe Way To Register Users On Website 是否安全使用iframe进行付款? - Is it safe use an iframe for a payment? 这是python eval()的安全使用吗? - Is this a safe use of python eval()? 使用eval这样安全吗? - Is it safe to use eval such way?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM