恶意用户如何利用输入密钥? [英] How are input keys exploitable by malicious users?
问题描述
在 CodeIgniter PHP框架中,有一个功能可自动在每个请求上运行除其他外,过滤GET/POST/COOKIE数组键,并杀死如果遇到字符,则认为它是不安全的.
In the CodeIgniter PHP framework, there is a function that automatically runs on each request that, among other things, filters the GET/POST/COOKIE array keys, and kills the application if it encounters characters it deems unsafe.
为防止恶意用户尝试利用密钥,我们确保仅使用字母数字文本和其他一些项来命名密钥.
To prevent malicious users from trying to exploit keys we make sure that keys are only named with alpha-numeric text and a few other items.
类似的东西:
// foreach GET/POST/COOKIE keys as $str...
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters.');
}
例如,如果您不小心发布了诸如<input name="TE$T">之类的内容或具有诸如?name|first=1之类的查询字符串,则会触发此操作.
For example, this will trigger if you accidentally post something like <input name="TE$T"> or have a query string like ?name|first=1.
我可以看到这是一种增强常识性键名或在开发应用程序时捕获错误的好方法,但是我不明白:例如,恶意用户怎么可能在$_POST数据中利用密钥" ?尤其是由于(我认为)输入的值同样具有可利用性,因此这实际上在阻止什么呢?
I can see this being a good way to enforce common sense key names, or catch mistakes while developing an application, but I don't understand: How can a malicious user possibly "exploit keys" in $_POST data for instance? Especially since (I would assume) input values are just as exploitable, what is this actually preventing?
推荐答案
您的问题本身就有一个优点:不清楚您将受到什么保护.但是有一些受欢迎的项目可能会解决:
Your question, in itself, brings up a good point: it's unclear what exactly you're being protected against. But there are some popular items it could be addressing:
- magic quotes
- things that could eventually lead to SQL injection
- strings that could be executed by way of shell commands
- things that could conflict with your URL
- things that could conflict with HTML
- things that resemble a directory traversal attack
- cross site scripting (XSS) attacks
除了这些之外,我真的想不出为什么总是要使用preg_match("/^[a-z0-9:_\/-]+$/i", $str)保护.
But other than those, I really can't think of why you'd always why you'd want to generally protect via preg_match("/^[a-z0-9:_\/-]+$/i", $str).
我觉得他们过度保护仅仅是因为CodeIgniter的使用如此广泛,以至于他们需要保护自己免受那些他们自己尚未想到的东西的侵害,以便用户使用.可能比CodeIgniter的开发人员对这种攻击的意识更弱.
I've got the feeling that they're overprotecting simply because CodeIgniter is so widely used that they need to protect against things they themselves haven't thought of yet for the sake of their users who may be even less-aware of such attacks than CodeIgniter's developers.
这篇关于恶意用户如何利用输入密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
