为什么它是一个安全隐患,让EN codeD的URI斜杠? [英] Why is it a security risk to allow encoded slashes in a URI?
问题描述
我有一个URI(%2F )的情况,我想带codeD斜线,但我的的.htaccess 当我提出请求的规则被忽略了,送我而不是一个404页。我很快就找到了Apache指令<一个href=\"http://httpd.apache.org/docs/2.2/mod/core.html#allowen$c$cdslashes\"><$c$c>AllowEn$c$cdSlashes,我打算启用,但我还是不明白为什么它摆在首位存在安全隐患。难道没有人手工改造EN codeD斜杠真正的斜线,如果他们想成为邪恶? (虽然我不能看到他们可以做些什么危害......)
I have a situation where I want encoded slashes in a URI (%2F), but my .htaccess rules are ignored when I make the request, sending me instead to a 404 page. I quickly found the Apache directive AllowEncodedSlashes, which I plan to turn on, but I still don't understand why it's a security risk in the first place. Couldn't anyone manually transform the encoded slashes to real slashes, if they were trying to be nefarious? (Although I can't see what harm they could do...)
我的测试是用PHP编写的应用程序,并与它连接mod_rewrite的规则如下:
The application I'm testing is written in PHP, and the mod_rewrite rule that interfaces with it looks like:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^test/(.*)$ /test.php?_escaped_fragment_=$1 [NE,QSA,L]
我只是想确保我在继续之前了解风险。
I just want to make sure I understand the risks before proceeding.
要澄清:阿帕奇不允许带codeD斜线在路径的,但他们被允许在查询字符串。查询字符串是一样容易受到基督教的下面(远程code执行,本地文件访问和目录遍历)。
To clarify: Apache does not allow encoded slashes in the path, but they are allowed in the query string. The query string is just as susceptible to the exploits listed by Christian below ("Remote Code Execution, Local File Access and Directory Traversal").
那么,为什么在ASF走那么远,只是创建一个特殊的指令,允许这种行为?我并不想是困难的,我真的不明白。我想这不用说,任何用户输入(包括URI)需要在任何数据库或文件系统功能,在使用前进行验证。
So why did the ASF go so far as to create a special directive just to allow this behavior? I'm not trying to be difficult, I just really don't understand. I think it goes without saying that any user input (including the URI) needs to be verified before using it in any database or file system function.
推荐答案
我觉得这是很好在一个URL的任何位置使用转义斜杠,如果是必要逃跑。例如,该实施例在下面的(相关)问题引是一个非常合理的:
I would think it is fine to use escaped slashes anywhere in a URL if escaping is warranted. For instance, the example cited in the following (relevant) question is a very reasonable one:
<一个href=\"http://stackoverflow.com/questions/1957115/is-a-slash-equivalent-to-an-en$c$cd-slash-2f-in-the-path-portion-of-an\">Is在HTTP URL的路径部分
至于为什么它会被默认禁用...从早在2003年这个博客条目表明,它是为了保护跛脚CGI脚本从自身做起:
As for why it would be disabled by default...this blog entry from back in 2003 suggests it is to "protect lame CGI scripts from themselves":
<一个href=\"http://ken.coar.org/burrow/Apache_2f_encoding_decoding_and_security\">http://ken.coar.org/burrow/Apache_2f_encoding_decoding_and_security
某些粗心的做法,可能会导致一些人发现自己与他们不确定是否要取消转义或不是一个字符串codeBase的。所以他们取消转义为为了安全起见。但是,这可能是假定有没有路径字符点之后发生......它被传递到上一些可执行背景下,相信它已经做了所有它需要的检查。
Certain careless practices probably lead some people to find themselves in a codebase with a string they're unsure whether to unescape or not. So they unescape it "just to be safe". But this may occur after a point that assumed there were no path characters... and it gets passed on into some executable context that believed it had done all the checking it needed to.
所以,如果你正在使用最现代的Web框架的建议的方法,我怀疑这是一个显著的问题,你可以使用AllowEn codedSlashes没有太多的关注。
So if you're using the recommended methods of most modern web frameworks, I doubt this is a significant issue and you can use AllowEncodedSlashes without much concern.
这篇关于为什么它是一个安全隐患,让EN codeD的URI斜杠?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
