如果 htaccess 将所有内容重定向到 index.php,将 lib 文件保存在公共目录中是否安全?
[英]Is it secure to keep lib files in a public directory if htaccess is redirecting everything to index.php?
问题描述
Is it secure to keep lib files in a public directory if htaccess is redirecting everything to index.php?
如果 htaccess 将所有内容重定向到 index.php,将 lib 文件保存在公共目录中是否安全?
Will htaccess ever fail to redirect? htaccess 会不会重定向失败?
Are there any loop holes that would allow you to get to the rest of the directory tree?是否有任何环路可以让您访问目录树的 rest?
3 个解决方案
解决方案1
2 已采纳 2011-06-09 22:05:19
.htaccess can fail if for whatever reason the webserver decides to stop parsing them.如果网络服务器出于某种原因决定停止解析它们,.htaccess 可能会失败。 Maybe AllowOverride is turned on via an Apache <Directory> directive, and your website gets moved somewhere else and the <Directory> isn't updated.也许AllowOverride是通过 Apache <Directory>指令打开的,并且您的网站被移动到其他地方并且<Directory>没有更新。 So now suddenly the .htaccess is off and all files are available.所以现在突然 .htaccess 关闭并且所有文件都可用。
If you don't want something served up by mistake, then don't place it within your site's document root.如果您不希望错误地提供某些内容,请不要将其放在您网站的文档根目录中。 PHP couldn't care less about the webserver's document root and can access files anywhere on the system that the web server has read permissions. PHP 不关心网络服务器的文档根目录,可以访问系统上 web 服务器具有读取权限的任何位置的文件。 So keep "important" files elsewhere, which minimizes the chances of them being served up by accident.因此,将“重要”文件保存在其他地方,这样可以最大限度地减少意外提供它们的机会。
解决方案2
1 2011-06-09 22:07:32
If htaccess is protecting the files, there is no such loophole, backdoor, or anything that could allow access.如果 htaccess 正在保护文件,则不存在此类漏洞、后门或任何可能允许访问的东西。 Try accessing the files yourself from the web if you are not sure if they are protected.如果您不确定它们是否受到保护,请尝试自己从 web 访问这些文件。 Redirecting people from a forbidden file is one way to do it, but I personally just 403 them right there, mainly because they are not suppose to be there.从被禁止的文件中重定向人们是一种方法,但我个人只是在那里 403 他们,主要是因为他们不应该在那里。
Typically lib files don't do anything on their own (usually they are just functions or classes) so they don't pose an immediate threat if they are designed properly.通常,lib 文件不会自行执行任何操作(通常它们只是函数或类),因此如果设计得当,它们不会立即构成威胁。 A way to gaurd against this on the PHP side is to define some constant, ie define('IN_APPLICATION', true);在 PHP 端防止这种情况的一种方法是定义一些常量,即define('IN_APPLICATION', true); , then at the top of all your lib files, do this check: if;defined('IN_APPLICATION) exit; ,然后在所有 lib 文件的顶部,执行以下检查: if;defined('IN_APPLICATION) exit; . .
解决方案3
0 2011-06-09 22:11:14
If the lib files only contain functions or classes and have a file extension (eg mylibrary.php) that will be parsed as a php file then in theory there is no security implication from keeping them in the public directory since if a client requests the file the webserver will parse it and output nothing back to the client.如果 lib 文件仅包含函数或类并且具有将被解析为 php 文件的文件扩展名(例如 mylibrary.php),那么理论上将它们保存在公共目录中没有安全隐患,因为如果客户端请求该文件网络服务器将解析它并且 output 什么都不会返回给客户端。
Example library file:示例库文件:
<?php
function myfunc() {
//do stuff
}
?>
Executing that file will not do anything at all.执行该文件根本不会做任何事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.