[英]wamp server how to prevent access above root folder by dot dot slash
如何防止从根目录上方访问? (以点号斜线表示)
我可以看到分区中的所有文件。
为了测试访问权限,我编写了此脚本并添加了Go UP链接:
<?php
$PartialPath = @$_GET['p']; if(empty($PartialPath)){ $PartialPath = ''; }else{ $PartialPath = "\\".$PartialPath; }
$PartialPath_Root = dirname(__FILE__);
$ScanPath = $PartialPath_Root . $PartialPath;
echo 'Scan: ',$ScanPath,'<br><br>';
$Files_arr = scandir($ScanPath);
foreach ($Files_arr as $file) {
if ('.' === $file){}
else if ('..' === $file){ echo '<a href="?p=',$PartialPath,'../" target="_self">.. GO UP </a><br><br>'; }
else{ echo $file,'<br>'; }
}
?>
Unsing @Hamidreza Kalantari回答
我创建了一个过滤器来检测路径是否在根目录之外:
if(Func_AllowOnlyRootPath($PartialPath) == "1"){
// continue...
}else{
echo '<br>unsecure path - outside root<br>';
//die('Directory Traversal Prevented');
}
echo '<br>PartialPath: ',$PartialPath, '<br>';
function Func_AllowOnlyRootPath($VerifyPath){ if(empty($VerifyPath)){ return "1"; } $real_path=realpath($VerifyPath); if(strpos($real_path, ($_SERVER['DOCUMENT_ROOT']))!==0){ return "0"; } return "1"; }
function Func_AllowOnlyPhpScriptPath($VerifyPath){ if(empty($VerifyPath)){ return "1"; } $real_path=realpath($VerifyPath); if(strpos($real_path, (dirname(__FILE__)))!==0){ return "0"; } return "1"; }
使用realpath
函数获取实际路径(不包含任何..
),然后检查其是否以root开头:
$real_path=realpath($PartialPath);
if(strpos($real_path, $PartialPath_Root)!==0) die('Directory Traversal Prevented');
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.