哪些 $_SERVER 变量是安全的? [英] Which $_SERVER variables are safe?

查看:30
本文介绍了哪些 $_SERVER 变量是安全的?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

用户可以控制的任何变量,攻击者也可以控制,因此是攻击的来源.这称为受污染"变量,是不安全的.

Any variable that a user can control, an attacker can also control and is therefore a source of an attack. This is called a "tainted" variable, and is unsafe.

当使用 $_SERVER 时,许多变量是可以控制的.PHP_SELFHTTP_USER_AGENTHTTP_X_FORWARDED_FORHTTP_ACCEPT_LANGUAGE等都是客户端发送的HTTP请求头的一部分.

When using $_SERVER, many of the variables can be controlled. PHP_SELF, HTTP_USER_AGENT, HTTP_X_FORWARDED_FOR, HTTP_ACCEPT_LANGUAGE and many others are a part of the HTTP request header sent by the client.

有谁知道安全列表"或 $_SERVER 变量的未污染列表?

Does anyone know of a "safe list" or untainted list of $_SERVER variables?

推荐答案

没有安全"或不安全"值之类的东西.只有服务器控制的值和用户控制的值,您需要了解值的来源以及是否可以出于特定目的信任它.例如,$_SERVER['HTTP_FOOBAR'] 存储在数据库中是完全安全的,但我肯定不会eval 它.

There's no such thing as "safe" or "unsafe" values as such. There are only values that the server controls and values that the user controls and you need to be aware of where a value comes from and hence whether it can be trusted for a certain purpose. $_SERVER['HTTP_FOOBAR'] for example is entirely safe to store in a database, but I most certainly wouldn't eval it.

因此,让我们将这些值分为三类:

As such, let's divide those values into three categories:

这些变量由服务器环境设置,完全取决于服务器配置.

These variables are set by the server environment and depend entirely on the server configuration.

  • 'GATEWAY_INTERFACE'
  • 'SERVER_ADDR'
  • 'SERVER_SOFTWARE'
  • 'DOCUMENT_ROOT'
  • 'SERVER_ADMIN'
  • 'SERVER_SIGNATURE'

这些变量取决于客户端发送的特定请求,但只能取有限数量的有效值,因为所有无效值都应被 Web 服务器拒绝,并且不会导致脚本的调用开始.因此,它们可以被认为可靠.

These variables depend on the specific request the client sent, but can only take a limited number of valid values, since all invalid values should be rejected by the web server and not cause the invocation of the script to begin with. Hence they can be considered reliable.

  • 'HTTPS'
  • 'REQUEST_TIME'
  • 'REMOTE_ADDR' *
  • 'REMOTE_HOST' *
  • 'REMOTE_PORT' *
  • 'SERVER_PROTOCOL'
  • 'HTTP_HOST'
  • 'SERVER_NAME'
  • 'SCRIPT_FILENAME'
  • 'SERVER_PORT'
  • 'SCRIPT_NAME'
  • 'HTTPS'
  • 'REQUEST_TIME'
  • 'REMOTE_ADDR' *
  • 'REMOTE_HOST' *
  • 'REMOTE_PORT' *
  • 'SERVER_PROTOCOL'
  • 'HTTP_HOST'
  • 'SERVER_NAME'
  • 'SCRIPT_FILENAME'
  • 'SERVER_PORT'
  • 'SCRIPT_NAME'

* REMOTE_ 值保证是客户端的有效地址,通过 TCP/IP 握手验证.这是任何响应将发送到的地址.REMOTE_HOST 依赖于反向 DNS 查找,因此可能会被针对您的服务器的 DNS 攻击所欺骗(在这种情况下,无论如何您都会遇到更大的问题).这个值可能是一个代理,这是TCP/IP协议的一个简单现实,你无能为力.

* The REMOTE_ values are guaranteed to be the valid address of the client, as verified by a TCP/IP handshake. This is the address where any response will be sent to. REMOTE_HOST relies on reverse DNS lookups though and may hence be spoofed by DNS attacks against your server (in which case you have bigger problems anyway). This value may be a proxy, which is a simple reality of the TCP/IP protocol and nothing you can do anything about.

† 如果您的 Web 服务器响应 any 请求而不管 HOST 标头如何,这也应该被认为是不安全的.请参阅$_SERVER[HTTP_HOST"] 的安全性如何?.
另见 http://shiflett.org/blog/2006/mar/server-name-versus-http-host.

† If your web server responds to any request regardless of HOST header, this should be considered unsafe as well. See How safe is $_SERVER["HTTP_HOST"]?.
Also see http://shiflett.org/blog/2006/mar/server-name-versus-http-host.

‡ 参见 https://bugs.php.net/bug.php?id=64457, http://httpd.apache.org/docs/current/mod/core.html#usecanonicalphysicalport, http://httpd.apache.org/docs/2.4/mod/core.html#comment_999

这些值根本没有被检查,也不依赖于任何服务器配置,它们完全是客户端发送的任意信息.

These values are not checked at all and do not depend on any server configuration, they are entirely arbitrary information sent by the client.

  • 'argv', 'argc'(仅适用于 CLI 调用,Web 服务器通常不关心)
  • 'REQUEST_METHOD' §
  • 'QUERY_STRING'
  • 'HTTP_ACCEPT'
  • 'HTTP_ACCEPT_CHARSET'
  • 'HTTP_ACCEPT_ENCODING'
  • 'HTTP_ACCEPT_LANGUAGE'
  • 'HTTP_CONNECTION'
  • 'HTTP_REFERER'
  • 'HTTP_USER_AGENT'
  • 'AUTH_TYPE'
  • 'PHP_AUTH_DIGEST'
  • 'PHP_AUTH_USER'
  • 'PHP_AUTH_PW'
  • 'PATH_INFO'
  • 'ORIG_PATH_INFO'
  • 'REQUEST_URI'(可能包含污染数据)
  • 'PHP_SELF'(可能包含污染数据)
  • 'PATH_TRANSLATED'
  • 任何其他 'HTTP_'
  • 'argv', 'argc' (only applicable to CLI invocation, not usually a concern for web servers)
  • 'REQUEST_METHOD' §
  • 'QUERY_STRING'
  • 'HTTP_ACCEPT'
  • 'HTTP_ACCEPT_CHARSET'
  • 'HTTP_ACCEPT_ENCODING'
  • 'HTTP_ACCEPT_LANGUAGE'
  • 'HTTP_CONNECTION'
  • 'HTTP_REFERER'
  • 'HTTP_USER_AGENT'
  • 'AUTH_TYPE'
  • 'PHP_AUTH_DIGEST'
  • 'PHP_AUTH_USER'
  • 'PHP_AUTH_PW'
  • 'PATH_INFO'
  • 'ORIG_PATH_INFO'
  • 'REQUEST_URI' (may contain tainted data)
  • 'PHP_SELF' (may contain tainted data)
  • 'PATH_TRANSLATED'
  • any other 'HTTP_' value

§ 可以被认为可靠,只要网络服务器只允许某些请求方法.

§ May be considered reliable as long as the web server allows only certain request methods.

‖ 如果身份验证完全由 Web 服务器处理,则可能被认为可靠.

‖ May be considered reliable if authentication is handled entirely by the web server.

超全局 $_SERVER 还包括几个环境变量.这些是否安全"取决于如何(以及在​​哪里)定义它们.它们的范围可以从完全由服务器控制到完全由用户控制.

The superglobal $_SERVER also includes several environment variables. Whether these are "safe" or not depend on how (and where) they are defined. They can range from completely server controlled to completely user controlled.

这篇关于哪些 $_SERVER 变量是安全的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆