为什么在 IIS 上使用 open_basedir 和 PHP 作为 FastCGI?
[英]Why use open_basedir with PHP as FastCGI on IIS?
问题描述
I've seen several tutorials explaining PHP installation under IIS as FastCGI recommending to set open_basedir to point to the folder or network path where the content of the Web site(s) is located.
我看过几个教程,解释了 IIS 下的 PHP 安装,因为 FastCGI 建议将 open_basedir 设置为指向网站内容所在的文件夹或网络路径。
When I set open_basedir on my application server, the following error showed up when managing files: Warning: open_basedir restriction in effect.当我在应用程序服务器上设置 open_basedir 时,管理文件时出现以下错误:警告:open_basedir 限制生效。 File(C:\\Windows\\Temp\\php92E7.tmp) is not within the allowed path(s): (C:\\inetpub\\wwwroot)文件(C:\\Windows\\Temp\\php92E7.tmp)不在允许的路径内:(C:\\inetpub\\wwwroot)
I understand I can set a temp directory under inetpub, but I don't see why is it a problem to use windows\\temp.我知道我可以在 inetpub 下设置一个临时目录,但我不明白为什么使用 windows\\temp 会出现问题。
Is there any safety flaw with PHP as FastCGI on IIS the demands open_basedir restrictions? PHP作为FastCGI在IIS上是否有任何安全缺陷需要open_basedir限制? If not, why is it recommended?如果没有,为什么推荐? Or is it not necessary?还是没有必要? Is it possible to get open_basedir advantages using AppPool Identity with correct Permissions?是否可以使用具有正确权限的 AppPool Identity 获得 open_basedir 优势?
1 个解决方案
解决方案1
2 已采纳 2014-10-12 17:57:55
Setting open_basedir (not only on Windows with IIS but with any platform on any web server) is a security measure to restrict what files your application can read, write, and include .设置 open_basedir(不仅在使用 IIS 的 Windows 上,而且在任何 Web 服务器上的任何平台上)是一种安全措施,用于限制您的应用程序可以读取、写入和包含的文件。
It is not really a security flaw that PHP can include any file with PHP code from anywhere in the file system, but it is a feature. PHP 可以在文件系统的任何位置包含任何带有 PHP 代码的文件,这并不是真正的安全缺陷,但它是一个功能。 You may, for example, have some files on the web root, and other files out of the web root (they won't be accessible by the web server but they will be accessible by PHP).例如,您可能在 web 根目录中有一些文件,而在 web 根目录外有其他文件(它们不能被 web 服务器访问,但它们可以被 PHP 访问)。
However, if you have a flaw in your program, your users may be able to read or include (or even write) files which are not part of your application.但是,如果您的程序存在缺陷,您的用户可能能够读取或包含(甚至写入)不属于您的应用程序的文件。 Those may be system files, user-uploaded files or other application's files.这些可能是系统文件、用户上传的文件或其他应用程序的文件。 That's why open_basedir is important.这就是 open_basedir 很重要的原因。
As a note, after setting open_basedir, set also the paths for other PHP functions (for example, upload_tmp_dir) as they should be also under the open_basedir path.需要注意的是,在设置 open_basedir 之后,还要设置其他 PHP 函数的路径(例如,upload_tmp_dir),因为它们也应该在 open_basedir 路径下。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.