How to protect a CKEditor file upload PHP script against unauthorized access?
I'm using the following CKEditor file upload PHP script in a password-protected environment:
<?php
$accepted_origins = array( 'http://localhost', 'http://192.168.1.1', 'http://example.com', 'http://www.example.com' );
$upload_folder = '../uploads/';
// Start with no error; every check below sets $error on failure.
$error = '';
if ( isset( $_FILES['upload'] ) ) {
    // Required: anonymous function reference number as explained above.
    // Cast to int because it is echoed straight into the JavaScript callback below.
    $funcNum = isset( $_GET['CKEditorFuncNum'] ) ? (int) $_GET['CKEditorFuncNum'] : 0;
    // Optional: instance name (might be used to load a specific configuration file or anything else).
    $CKEditor = isset( $_GET['CKEditor'] ) ? $_GET['CKEditor'] : '';
    // Optional: might be used to provide localized messages.
    $langCode = isset( $_GET['langCode'] ) ? $_GET['langCode'] : '';
    // Optional: compare it with the value of `ckCsrfToken` sent in a cookie to protect your server side uploader against CSRF.
    // Available since CKEditor 4.5.6.
    $token = isset( $_POST['ckCsrfToken'] ) ? $_POST['ckCsrfToken'] : '';
    if ( isset( $_SERVER['HTTP_ORIGIN'] ) ) {
        // Same-origin requests won't set an Origin header. If it is set, it must be on the allow-list.
        if ( in_array( $_SERVER['HTTP_ORIGIN'], $accepted_origins, true ) ) {
            header( 'Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN'] );
        } else {
            $error = 'Origin denied';
        }
    }
    // Sanitize input: reject characters outside a conservative set and any ".." sequence (path traversal).
    if ( preg_match( "/([^\w\s\d\-_~,;:\[\]\(\).])|([\.]{2,})/", $_FILES['upload']['name'] ) ) {
        $error = 'Invalid file name';
    }
    // Verify extension against an allow-list.
    if ( !in_array( strtolower( pathinfo( $_FILES['upload']['name'], PATHINFO_EXTENSION ) ), array( 'gif', 'jpg', 'png', 'pdf' ), true ) ) {
        $error = 'Invalid extension';
    }
    // Check if filename already exists; append _1, _2, ... until it does not.
    $file_info = pathinfo( $_FILES['upload']['name'] );
    $i = 0;
    do {
        $target_filename = $file_info['filename'] . ( $i ? "_$i" : '' ) . '.' . $file_info['extension'];
        $i++;
        $target_file = $upload_folder . $target_filename;
    } while ( file_exists( $target_file ) );
    // Process file upload, but only if none of the checks above failed.
    if ( $error === '' ) {
        $tmp_file = $_FILES['upload']['tmp_name'];
        if ( !move_uploaded_file( $tmp_file, $target_file ) ) {
            $error = 'Could not move uploaded file';
        }
    }
    // Not used below; kept for building an absolute URL if needed. empty() avoids a notice when HTTPS is unset.
    $protocol = ( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] != 'off' ) ? 'https://' : 'http://';
    $url = ( $error === '' ) ? 'uploads/' . basename( $target_file ) : '';
    echo "<script type='text/javascript'>window.parent.CKEDITOR.tools.callFunction($funcNum, '$url', '$error');</script>";
}
This script is called from the JS file (config.js) through the config.filebrowserUploadUrl setting, which is unaware of any PHP session. My question is, is it possible to protect it against unauthorized access? If so, how?
Thanks in advance
Just change this statement from this:
if ( isset( $_FILES['upload'] ) ) {
To this:
if ( isset( $_FILES['upload'] ) && isset( $_SESSION['user_id'] ) ) {
If you have indeed set the $_SESSION variables.
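The session check in the answer works because the browser attaches the PHP session cookie to the upload request even though config.js knows nothing about the session; the upload script just has to call session_start() before it reads $_SESSION. The following is an added example, not the poster's script or the answerer's code, that reworks the uploader around that idea and also closes the gaps a practitioner would want closed: it fails closed on every check instead of moving the file regardless, verifies the ckCsrfToken double-submit cookie that CKEditor 4.5.6+ sends, sniffs the file content rather than trusting the extension, lets the server pick the stored name, and escapes everything echoed into the callback. It assumes the login code stores the authenticated user's id in $_SESSION['user_id'] (the key name is an assumption) and that the uploads directory lives next to the script's parent directory.

```php
<?php
// Added example, not the original poster's script. Assumes the application's
// login code sets $_SESSION['user_id'] (assumed key name) after authentication.
session_start();

$accepted_origins = array( 'http://localhost', 'http://example.com', 'http://www.example.com' );
$upload_folder    = __DIR__ . '/../uploads/';
// Extension allow-list mapped to the MIME type the file bytes must actually have.
$allowed = array(
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
);

// Single exit point: every value is int-cast or JSON-encoded before it is
// written into the page, so a crafted file name cannot inject script into
// the parent window.
function ck_respond( $funcNum, $url, $error ) {
    $funcNum = (int) $funcNum;
    $url     = json_encode( $url );
    $error   = json_encode( $error );
    header( 'Content-Type: text/html; charset=utf-8' );
    echo "<script>window.parent.CKEDITOR.tools.callFunction($funcNum, $url, $error);</script>";
    exit;
}

$funcNum = isset( $_GET['CKEditorFuncNum'] ) ? (int) $_GET['CKEditorFuncNum'] : 0;

// 1. Authentication: the session cookie rides along with the upload request
//    even though the request was built by config.js, not by a PHP page.
if ( empty( $_SESSION['user_id'] ) ) {
    http_response_code( 403 );
    ck_respond( $funcNum, '', 'Login required' );
}

// 2. CSRF: CKEditor >= 4.5.6 sends ckCsrfToken both as a cookie and as a
//    POST field; a cross-site form cannot read the cookie, so they must match.
if ( !isset( $_POST['ckCsrfToken'], $_COOKIE['ckCsrfToken'] )
    || !hash_equals( $_COOKIE['ckCsrfToken'], $_POST['ckCsrfToken'] ) ) {
    http_response_code( 403 );
    ck_respond( $funcNum, '', 'CSRF token mismatch' );
}

// 3. Origin allow-list, as in the original script, but failing closed.
if ( isset( $_SERVER['HTTP_ORIGIN'] ) && !in_array( $_SERVER['HTTP_ORIGIN'], $accepted_origins, true ) ) {
    http_response_code( 403 );
    ck_respond( $funcNum, '', 'Origin denied' );
}

if ( !isset( $_FILES['upload'] ) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK ) {
    ck_respond( $funcNum, '', 'No file uploaded' );
}

// 4. Extension allow-list, then MIME sniffing of the real bytes. The
//    extension alone is not enough: a PHP file renamed to .jpg passes it.
$ext = strtolower( pathinfo( $_FILES['upload']['name'], PATHINFO_EXTENSION ) );
if ( !isset( $allowed[$ext] ) ) {
    ck_respond( $funcNum, '', 'Invalid extension' );
}
$finfo = new finfo( FILEINFO_MIME_TYPE );
if ( $finfo->file( $_FILES['upload']['tmp_name'] ) !== $allowed[$ext] ) {
    ck_respond( $funcNum, '', 'File content does not match its extension' );
}

// 5. Server-chosen name: no path traversal, no collisions, no double
//    extension, and nothing from the client's file name reaches the disk.
$target_filename = bin2hex( random_bytes( 16 ) ) . '.' . $ext;
$target_file     = $upload_folder . $target_filename;

if ( !move_uploaded_file( $_FILES['upload']['tmp_name'], $target_file ) ) {
    ck_respond( $funcNum, '', 'Could not store file' );
}
chmod( $target_file, 0644 );

ck_respond( $funcNum, 'uploads/' . $target_filename, '' );
```

Two caveats when deploying this. First, hash_equals() and random_bytes() need PHP 5.6 and PHP 7 respectively; on older builds substitute a constant-time compare and openssl_random_pseudo_bytes(). Second, the check only keeps strangers from uploading; it does not make the uploads directory safe on its own. Configure the web server so nothing under uploads/ is executed as PHP, otherwise an authenticated user who slips a script past the MIME check still gets code execution.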
Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you reproduce them, please cite this site's URL or the original address. For any questions, contact yoyou2525@163.com.