PHP 的 ZipArchive 的潜在安全问题
[英]Potential Security Issues with PHP's ZipArchive
问题描述
I want to allow members the option of uploading content using a zip file.
我想允许成员选择使用 zip 文件上传内容。 Once uploaded, I want to use PHP's ZipArchive class to decompress the zip file contents to a directory, and then move the files into our system.上传后,我想使用 PHP 的 ZipArchive class 将 zip 文件内容解压到一个目录,然后将文件移动到我们的系统中。
I'm concerned about the potential security risks though, and I can't find any documentation on php.net.我担心潜在的安全风险,但我在 php.net 上找不到任何文档。 The first (Well, the only) risk that comes to mind, is someone creating a zip file with relative paths like "../../etc/passwd" (If they assume I decompress the file in /tmp/somedir).想到的第一个(嗯,唯一的)风险是有人创建了一个 zip 文件,其相对路径为“../../etc/passwd”(如果他们假设我在 /tmp/somedir 中解压缩文件)。
I'm actually having a hard time creating a relative path in a zip file, so I can't test if such a thing would be possible.我实际上很难在 zip 文件中创建相对路径,所以我无法测试这样的事情是否可能。 I also can't find any way to extract the contents of the zip file using ZipArchive, and have it ignore directories (Decompress all the files, but don't create the directory structure inside the zip).我也找不到任何方法来使用 ZipArchive 提取 zip 文件的内容,并让它忽略目录(解压缩所有文件,但不要在 zip 中创建目录结构)。
Can anyone tell me if such an exploit is possible, and/or how to ignore the directory structure in a zip file using ZipArchive?谁能告诉我这样的利用是否可能,和/或如何使用 ZipArchive 忽略 zip 文件中的目录结构?
4 个解决方案
解决方案1
3 2014-01-03 00:54:01
I had the same concerns and had a look at the PHP 5.3 source code where I found this:我也有同样的担忧,并查看了 PHP 5.3 源代码,我在其中找到了这个:
/* Clean/normlize the path and then transform any path (absolute or relative)
to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt)
*/
virtual_file_ex(&new_state, file, NULL, CWD_EXPAND TSRMLS_CC);
path_cleaned = php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
if(!path_cleaned) {
return 0;
}
Looks fine to me.在我看来很好。 Checkout PHP and see./ext/zip/php_zip.c for details.查看 PHP 并查看 ./ext/zip/php_zip.c 了解详细信息。
解决方案2
2 2011-07-12 17:59:47
Interesting question, but I urge you to go about this a different way.有趣的问题,但我敦促您以不同的方式讨论 go。 I would highly recommend you run your web process with least privileges in a chroot jail.我强烈建议您在 chroot 监狱中以最低权限运行 web 进程。 Assuming you do that, the WORST thing that can happen is your website get's defaced, and then you restore a backup and do some forensics to plug that specific hole.假设您这样做,可能发生的最糟糕的事情是您的网站被污损,然后您恢复备份并进行一些取证以填补该特定漏洞。 New holes are discovered constantly, you will have a very difficult time completely securing your website going after hunches like these.不断发现新漏洞,您将很难完全保护您的网站,以寻求这些预感。 Minimizing the attacker's sandbox really goes a long way.最小化攻击者的沙箱确实有很长的路要走。
解决方案3
1 2011-07-12 15:53:22
You need to make sure that the extracted contents are not served directly by your application server.您需要确保提取的内容不是由您的应用程序服务器直接提供的。 So if someone has a php file in his archive that he cant execute it via your webserver.因此,如果有人在他的档案中有 php 文件,他无法通过您的网络服务器执行它。
Another thing is you should keep things safe from being included in user generated content.另一件事是您应该确保内容不会被包含在用户生成的内容中。 But this should be considered also without having zip archives in place.但这也应该在没有 zip 存档的情况下考虑。
解决方案4
0 已采纳 2011-07-12 18:42:48
In the end I'm going with Pekka's solution, of using the command line unzip utility.最后,我将使用 Pekka 的解决方案,即使用命令行解压缩实用程序。 It provides switches to ignore directories in the zip file.它提供了忽略 zip 文件中的目录的开关。 The concerns others have pointed out aren't an issue here.其他人指出的担忧在这里不是问题。 Once the files are unzipped, we add them to the system using the same process as our regular uploads, which means each file is scrutinized using the security measures we already have in place.文件解压缩后,我们会使用与常规上传相同的过程将它们添加到系统中,这意味着使用我们已有的安全措施对每个文件进行审查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.