
Script causing 500 Internal Server Error

My site has been suffering "500 Internal Server Error" often of late, and my host has advised that this bundle.css.php script might be the reason why ...

<?php
// bundle.css.php as posted: the script the host flagged.
ob_start('ob_gzhandler');                  // buffer the whole response and gzip it inside PHP
header('Content-Type: text/css');
// split() was deprecated in PHP 5.3 and removed in PHP 7; explode() is the drop-in replacement.
$files = explode(",", $_GET['files']);     // comma-separated list taken straight from the query string
foreach($files as $key=>$val){
    // $val is never validated: any relative path is accepted, and include_once()
    // executes PHP tags found in the target file rather than just copying it.
    if(file_exists($val.'.css')){
        include_once($val.'.css');
    }else{
        echo "\n\n/*** File \"$val\" does not exist. ***/\n\n";   // reflects the raw parameter back to the client
    }
}
?>

In the words of my host ...

"It is trying to buffer all of the output into ob_gzhandler. It is taking a very insecure list of parameters passed in the GET variable 'files', and is then trying to include those files into the output. I'm not sure exactly what list of parameters is being passed, but I suspect there is a bug somewhere in your scripts that is passing a large array of file names to this script, and thus trying to build a buffered object that is too large."

This is well beyond my expertise, so any advice to fix the problem would be much appreciated. Many thanks.


UPDATE

The error log is full of lines such as ...

[Mon Apr 23 15:44:41 2012] [error] [client xx.xx.xx.xx] (12)Cannot allocate memory: couldn't create child process: /opt/suphp/sbin/suphp for /home/xxxxxy/public_html/xxxx.php, referer: http://www.xxxxxxx.com/wp-content/themes/xxx/style.css

There are multiple points to take into account here, starting with an explanation of the code:

You're starting the gzip output buffering handler, emitting a Content-Type: text/css header, splitting the contents of the GET form parameter by comma, looping through each element in the resulting array, and including each file where it exists or emitting a CSS comment as a log message where it does not.

It's most likely that your PHP process doesn't have enough memory to handle the output buffering and the compression all at once. It's also possible that your host has an application-layer firewall preventing this (something like mod_security, for good reason), or that your PHP build doesn't support GZIP output buffering.

This script is a massive security hole! You can make the web server running this code dump arbitrary files from the server it's running on by altering a form parameter! Don't use this in production! Ever! If you don't understand what you're doing or it's "outside of your expertise", you should stop coding now and find a new job.

To make this script a little safer, you should first check that the $_GET variable is set, using the isset function. Second, you should never let users control the variables you are working with, because it is very easy to inject malicious content into them. If you can, use $_POST instead, or at least check that the values passed in the $_GET variable are alphanumeric.
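The two answers above describe the problem (unbounded, unvalidated file names reaching include_once() and a gzip buffer built in PHP) but neither shows a fixed script. The following is an added example, not code from the original poster or either answer, of how bundle.css.php can be rewritten so that only a fixed allow-list of stylesheet names under one directory can ever be served, with an upper bound on how many are concatenated. The directory name CSS_DIR, the allow-list entries, the MAX_FILES limit and the helper name resolve_css_files are all assumptions made for the example.

```php
<?php
// Hardened replacement for bundle.css.php (added example, not the original script).
// Assumptions: all stylesheets live directly under CSS_DIR, and the set of bundle
// names a page may request is known in advance (ALLOWED).
declare(strict_types=1);

const CSS_DIR   = __DIR__ . '/css';                     // assumed location of the .css files
const MAX_FILES = 10;                                    // bounds how much output one request can produce
const ALLOWED   = ['reset', 'layout', 'theme', 'print']; // assumed allow-list of bundle names

/**
 * Validate the comma-separated "files" parameter and return the absolute paths
 * that may be served, in request order with duplicates removed.
 *
 * Two independent checks are applied to every name:
 *  1. syntactic: only [A-Za-z0-9_-] and present on the allow-list, so no "/", "." or NUL;
 *  2. semantic: the resolved path must still sit inside CSS_DIR after realpath().
 * Any failure throws, and the caller fails closed.
 */
function resolve_css_files(string $param): array
{
    $names = array_values(array_unique(
        array_filter(array_map('trim', explode(',', $param)), 'strlen')
    ));
    if (count($names) === 0 || count($names) > MAX_FILES) {
        throw new InvalidArgumentException('bad file count');
    }

    $base = realpath(CSS_DIR);
    if ($base === false) {
        throw new RuntimeException('CSS_DIR does not exist');
    }

    $paths = [];
    foreach ($names as $name) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) || !in_array($name, ALLOWED, true)) {
            throw new InvalidArgumentException('rejected name');
        }
        $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.css');
        if ($real === false
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            throw new InvalidArgumentException('file not found under CSS_DIR');
        }
        $paths[] = $real;
    }
    return $paths;
}

// Entry point when served by the web server. Fail closed with 400 on any bad input,
// and never echo the attacker-controlled value back into the response.
if (PHP_SAPI !== 'cli') {
    try {
        $paths = resolve_css_files($_GET['files'] ?? '');
    } catch (Exception $e) {
        http_response_code(400);
        header('Content-Type: text/plain');
        exit('invalid request');
    }
    header('Content-Type: text/css');
    // readfile() copies bytes to the output; unlike include_once() it never
    // executes PHP tags that happen to be inside the stylesheet.
    foreach ($paths as $p) {
        readfile($p);
        echo "\n";
    }
}
```

Note that ob_start('ob_gzhandler') is deliberately gone: the script streams each file with readfile() instead of holding the whole bundle in a PHP buffer, and compression can be left to the web server (for example Apache's mod_deflate) where memory is accounted for per worker rather than per suPHP child process. The allow-list is the important part; the regular expression alone would already stop directory traversal, but combining it with realpath() and the prefix check means that even a mistake in the list cannot reach a file outside CSS_DIR.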
