Can $_SERVER['REMOTE_USER'] be spoofed?


Problem description

I have a situation where I am opening a file based on the $_SERVER['REMOTE_USER'] variable. I don't think this is spoof-able but would just like to confirm. I do not want to make myself vulnerable to the reading of arbitrary files:

   <?php
      // REMOTE_USER is placed into the file name without any validation
      $user = $_SERVER['REMOTE_USER'];
      $fp = fopen("./$user.png","r");
   ?>


Recommended answer

Yes, that username is whatever is specified by the remote user.

You need to verify the password as well. If the password is verified by your server, and not your application, then you are probably okay.
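
An added example, not part of the original question or answer: one way to keep the value out of the path unless it is a plain account name, even when the web server has already checked the password. The function name `avatarPathFor`, the permitted character set, and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a REMOTE_USER value to "<baseDir>/<user>.png", or return null.
 * Hypothetical helper; assumes account names use only [A-Za-z0-9_-].
 */
function avatarPathFor(?string $remoteUser, string $baseDir): ?string
{
    // Unset or empty: the web server did not authenticate this request.
    if ($remoteUser === null || $remoteUser === '') {
        return null;
    }
    // Allowlist: '/', '\', '.' and NUL never match, so "../" cannot appear.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $remoteUser) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $remoteUser . '.png');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: after symlinks are resolved, stay under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample values, run against a throwaway directory.
$dir = sys_get_temp_dir() . '/avatars_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/alice.png', 'constructed placeholder');

$samples = ['alice', 'bob', '../../etc/passwd', "alice\0", 'a/b', '', null];
foreach ($samples as $u) {
    printf("%-28s => %s\n",
        var_export($u, true),
        var_export(avatarPathFor($u, $dir), true));
}

// In a request handler the call would be:
//   $path = avatarPathFor($_SERVER['REMOTE_USER'] ?? null, $dir);
//   if ($path === null) { http_response_code(404); exit; }
```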
