尽管在 .htaccess 中使用了“ForceType image/jpeg”,但 PHP 文件仍在执行
[英]PHP file executing despite using 'ForceType image/jpeg' in .htaccess
问题描述
To prevent any PHP files from executing if uploaded to my image directory, I have created a .htaccess file solely containing ForceType image/jpeg , placed within this directory.
为了防止任何 PHP 文件在上传到我的图像目录时执行,我创建了一个仅包含ForceType image/jpeg的.htaccess文件,放置在此目录中。
While this successfully causes evil.txt to be interpreted as an image file when opened by a browser, evil.php executes just fine (it echoes text to the browser).虽然这成功地导致evil.txt在浏览器打开时被解释为图像文件,但evil.php执行得很好(它将文本回显到浏览器)。 I have even tried directly targeting it:我什至尝试过直接针对它:
<FilesMatch "evil.php">
ForceType image/jpeg
</FilesMatch>
But this doesn't work either.但这也行不通。
1 个解决方案
解决方案1
1 已采纳 2020-01-29 05:15:58
Those are two completely unrelated things.这是完全不相关的两件事。 ForceType is for the client, not the web server. ForceType用于客户端,而不是 Web 服务器。 The thing that's interpreting the PHP is your apache httpd web server.解释 PHP 的是您的 apache httpd Web 服务器。 The way it knows to interpret a file as PHP or not is based on your FilesMatch directive containing a SetHandler which lets httpd know to let these files go to mod_php .它知道将文件解释为 PHP 与否的方式基于包含SetHandler FilesMatch指令,该指令让 httpd 知道让这些文件转到mod_php 。 These two things are completely unrelated to each other.这两件事完全没有关系。
In other words, you're probably thinking (very cleverly) that you're doing something that's going to make your apache httpd configuration more safe.换句话说,您可能(非常聪明地)认为您正在做一些可以使您的 apache httpd 配置更安全的事情。 I assure you that you aren't.我向你保证你不是。 Files that don't end in .php won't go through php in that configuration scenario.在该配置方案中,不以.php结尾的.php不会通过 php。 And since you control what files are named in your webroot, this should not be a concern.并且由于您控制在 webroot 中命名的文件,因此这不应该是一个问题。 Simply don't allow the user to control the naming of files on your server.只是不允许用户控制服务器上文件的命名。 It's that simple就这么简单
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.