Is it necessary to validate or escape the jsonp callback string


Question

I have a file called action.php that will do some action. I want to expose this as either a plain JSON or JSONP output. The user will call this using a URL like this:

action.php?jsonp=callback

In my action.php I am doing something like this

// Callback name is taken straight from the query string, without any validation
$jsonp = isset($_GET["jsonp"]) ? $_GET["jsonp"] : false;
$output = execute_action();
if ($jsonp) {
   header('Content-Type: application/javascript');
   // The callback name is interpolated into the JavaScript response as-is
   printf("%s(%s)", $jsonp, json_encode($output));
} else {
   header('Content-Type: application/json');
   echo json_encode($output);
}

But this seems unsafe to me. Should I validate or escape the jsonp callback parameter if it is passed in? If so, what situation would this protect against, and how should I do it in PHP?

Let's assume that this action.php is exposed to the internet as a service for any website to use (including my own).

To be clear, my question has two parts:

  1. Your opinion on the importance of protecting a hypothetical 3rd party site from harmful jsonp injections

  2. Now supposing I wanted to protect 3rd party sites using my service, should I validate the jsonp parameter (i.e. maybe only allow certain characters?), or should I escape the jsonp output (if so, what PHP function should I use?)

For me to mark the answer as accepted, I would like some more input on both of these questions.

Answer

    • Since users only receive data they have sent themselves, there is no real risk of persistent injection. However, an attacker could still create a malicious link and make a client click on it, to execute code on the client machine. To avoid the possibility of an attacker creating those malicious links (which would permit, for example, stealing cookies from your domain), you have to escape or validate the callback parameter.

      You have to choose whether you just validate it or escape it. In my opinion, escaping does not make real sense. Usually we escape HTML entities in order to protect from attacks and to allow HTML characters like '<' or '>' to be displayed correctly. But in this case, there is no reason an honest user would send characters needing to be escaped... So validation is enough and makes more sense.

      What to do?

      A safer way to proceed, if you do not want to have to think about injection problems, would be to set a fixed name for the function and let the user implement it. Just try to avoid name conflicts.

      You can also validate the callback value. It has to be a valid JavaScript function name. You can use the PHP function preg_match() http://de3.php.net/preg_match.

      // Accept the callback only if it looks like a JavaScript identifier; otherwise fall back to plain JSON.
      // isset() avoids passing null to preg_match() when the parameter is absent, and the "i" flag
      // lets the character class match lower-case letters too, so a name such as "callback" passes.
      $jsonp = isset($_GET["jsonp"]) && preg_match('/^[$A-Z_][0-9A-Z_$]*$/i', $_GET["jsonp"]) ? $_GET["jsonp"] : false;
      $output = execute_action();
      if ($jsonp) {
          header('Content-Type: application/javascript');
          printf("%s(%s)", $jsonp, json_encode($output));
      } else {
          header('Content-Type: application/json');
          echo json_encode($output);
      }
      

      I am not an expert in regex, so I got this incomplete example pattern from Validate a JavaScript function name. Check there for the correct regex.
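As an added example (not part of the question or of the answer above), here is a PHP version of the validation approach the answer recommends, carried a little further: the callback is checked against an identifier grammar that also allows dotted names such as app.done, a request that asks for JSONP with an invalid name gets a 400 instead of silently falling back to plain JSON, and the accept/reject decision lives in a function so it can be tested on its own. The helper names jsonp_callback_from() and build_response(), the dotted-name grammar, the 64-character cap and the sample names at the bottom are my choices, and execute_action() is a stand-in for the page's hypothetical function.

```php
<?php
// Added example, not the original question's or answer's code.
// Assumed names: jsonp_callback_from(), build_response(); execute_action() is a stand-in.

// A JavaScript identifier: a letter, '_' or '$', followed by letters, digits, '_' or '$'.
// Dotted paths ("app.handlers.done") are allowed so callers can use a namespaced handler;
// this grammar is a design choice, not the answer's regex.
const JSONP_CALLBACK_PATTERN = '/^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';
const JSONP_CALLBACK_MAX_LEN = 64;   // arbitrary cap to keep the name short and bounded

/**
 * Return the validated callback name, or null if the value is empty or invalid.
 */
function jsonp_callback_from(?string $raw): ?string
{
    if ($raw === null || $raw === '' || strlen($raw) > JSONP_CALLBACK_MAX_LEN) {
        return null;
    }
    return preg_match(JSONP_CALLBACK_PATTERN, $raw) === 1 ? $raw : null;
}

/**
 * Build [status, headers, body] for $output.
 * $rawCallback is the raw query value, or null when the "jsonp" parameter is absent.
 */
function build_response(array $output, ?string $rawCallback): array
{
    // JSON_HEX_* encodes <, >, &, ' and " as \uXXXX escapes; a defensive choice so the
    // body stays the same JSON but contains no raw HTML-significant characters.
    $json = json_encode($output, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    if ($rawCallback === null) {
        // No callback requested: plain JSON, exactly as in the question.
        return [200, ['Content-Type: application/json; charset=utf-8'], $json];
    }

    $callback = jsonp_callback_from($rawCallback);
    if ($callback === null) {
        // Reject rather than fall back: a client that asked for JSONP cannot use plain
        // JSON anyway, and a 400 makes the bad request visible in server logs.
        return [400, ['Content-Type: application/json; charset=utf-8'],
                json_encode(['error' => 'invalid jsonp callback name'])];
    }

    // Safe to interpolate: $callback matched the identifier grammar, so it cannot
    // close the call or start another statement.
    return [200, ['Content-Type: application/javascript; charset=utf-8'],
            $callback . '(' . $json . ');'];
}

// Stand-in for the page's execute_action(); the payload is constructed sample data.
function execute_action(): array
{
    return ['status' => 'ok', 'message' => '<b>done</b>'];
}

// Request handling as action.php would do it.
[$status, $headers, $body] = build_response(
    execute_action(),
    isset($_GET['jsonp']) && is_string($_GET['jsonp']) ? $_GET['jsonp'] : null
);
http_response_code($status);
foreach ($headers as $h) {
    header($h);
}
echo $body, "\n";

// When run from the command line, show the validator's decision on a few
// constructed names: valid identifiers are accepted, anything else is rejected.
if (PHP_SAPI === 'cli') {
    foreach (['callback', 'jQuery123_cb', 'app.done', 'foo();bar', '1abc', 'a.', ''] as $name) {
        printf("%-14s => %s\n", var_export($name, true),
               jsonp_callback_from($name) === null ? 'rejected' : 'accepted');
    }
}
```

Run with `php action.php` to see the plain-JSON path plus the validator's verdicts; under a web server, `action.php?jsonp=app.done` yields `app.done({...});` while `action.php?jsonp=foo();bar` yields a 400. Returning a 400 rather than plain JSON is a deliberate departure from the answer's code: it changes nothing for well-behaved callers and turns an attempted injection into a logged error instead of a quiet downgrade.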
