用PHP清理用户提供的正则表达式 [英] Sanitization of User-Supplied Regular Expressions in PHP
问题描述
我想创建一个用户可以在其中测试正则表达式的网站(已经有很多这样的网站了……例如:
I want to create a website where users can test regular expressions (there are many out there already...such as this one: http://www.pagecolumn.com/tool/pregtest.htm). Basically, the user provides a regular expression and some sample text, and the results of the regex evaluation will be spit back.
我想使用PHP"preg_ *"函数在服务器端评估正则表达式.有没有办法清理提供的正则表达式?我应该关注哪些安全漏洞?
I want to evaluate the regex on the server side with the PHP "preg_*" functions. Is there a way to sanitize the supplied regex? What are the security vulnerabilities that I should be concerned about?
推荐答案
我认为PHP本身会检查正则表达式. 这是我制作的示例脚本:
I think PHP itself will check the regex. Here's a sample script I made :
// check for input, and set max size of input
if(@!empty($_POST['regex'])
&& @!empty($_POST['text'])
&& strlen($_POST['regex'])<1000
&& strlen($_POST['text'])<2000
){
// set script timeout in case something goes wrong (SAFE MODE must be OFF)
$old_time=ini_get('max_execution_time');
if(!set_time_limit(1)) die('SAFE MODE MUST BE OFF'); // 1 sec is more then enough
// trim input, it's up to you to do more checks
$regex=trim($_POST['regex']);
// don't trim the text, it can be needed
$input=$_POST['text'];
// escape slashes
$regex=preg_replace('/([\\/]+)?//', '\/', $regex);
// go for the regex
if(false===$matched=@preg_match('/'.$regex.'/', $input, $matches)){
// regex was tested, show results
echo 'Matches: '.$matched.'<br />';
if($matched>0){
echo 'matches: <br />';
foreach($matches as $i => $match){
echo $i.' = '.$match.'<br />';
}
}
}
// set back original execution time
set_time_limit($old_time);
}
无论如何,永远不要将eval()与用户提交的字符串一起使用.
此外,您可以进行一些简单的简约消毒,但这取决于您. ;)
Additionally, you can do some simple minimalistic sanitizing, but that's up to you. ;)
这篇关于用PHP清理用户提供的正则表达式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!