
Security Issues with HTTP_RAW_POST_DATA

I'm currently taking HTTP_RAW_POST_DATA and saving it to an image file. Are there any exploitable security issues that I need to be aware of?

The security implications are the same as with any other file upload mechanism. You might have semantic implications, as the POST body might not be raw data, e.g. if it is quoted-printable encoded or compressed.

Yes, if my POST body looks like...

<?php

rmdir(__DIR__ . '/../');

...and I can access the file via a URL (only if your image extension is set to run PHP, not likely but possible), or you run it (accidentally include it, for example), you will be in trouble.

If you wanted to be safe, store the file above the document root and use an image processing library such as GD to write the image from string and save that output. If it's a malicious file, you should only end up with a garbage outputted image.
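The GD re-encoding approach from the answer above, as an added example that is not part of the original posts. It reads the body from `php://input` (`$HTTP_RAW_POST_DATA` was removed in PHP 7.0); `UPLOAD_DIR`, `MAX_BYTES`, `MAX_PIXELS` and the function name `storeReencodedImage` are assumptions chosen for illustration.

```php
<?php
// Added example: re-encode a raw POST body with GD before storing it.
// UPLOAD_DIR, MAX_BYTES and MAX_PIXELS are assumed values, not from the page.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed: above the document root
const MAX_BYTES  = 5242880;              // assumed 5 MiB cap on the body
const MAX_PIXELS = 25000000;             // assumed cap on width * height

function storeReencodedImage(string $raw, string $dir): string
{
    if ($raw === '' || strlen($raw) > MAX_BYTES) {
        throw new RuntimeException('empty or oversized body');
    }
    // Read the dimensions from the header first, so a small file that
    // declares a huge canvas is rejected before GD allocates memory for it.
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('not an image, or dimensions too large');
    }
    // A body such as "<?php ..." is not a decodable image and fails here.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        throw new RuntimeException('GD could not decode the body');
    }
    // Server-chosen name and fixed extension; nothing from the client is reused.
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.png';
    // The stored file is written from decoded pixels, not copied from the request.
    if (!imagepng($img, $path)) {
        throw new RuntimeException('could not write image');
    }
    chmod($path, 0640);
    return $path;
}

if (PHP_SAPI !== 'cli') {
    try {
        // Read at most one byte past the cap so oversized bodies are detected.
        $raw = stream_get_contents(fopen('php://input', 'rb'), MAX_BYTES + 1);
        storeReencodedImage((string) $raw, UPLOAD_DIR);
        http_response_code(201);
    } catch (RuntimeException $e) {
        http_response_code(400);
    }
}
```

Re-encoding is one layer: keeping the directory outside the document root and never passing stored files to `include` is what stops a stored file from being executed.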
