php目录遍历问题 [英] php directory traversal issue

问题描述

嗨我们有一些使用 file_get_contents() 函数的 php 代码，我知道这很容易受到直接遍历攻击.给定以下代码:

Hi We have some php code using the file_get_contents() function, and I understand this is vulnerable to direcoty traversel attacks. Given the following code:

$mydata=$_GET['thefile'];
$data = file_get_contents ('/var/html'.$file);
echo $data

如何进行一些简单的输入过滤，以便我可以阻止某人通过玩弄我的输入来进行目录遍历的可能性?

How can I do some simple input filtering so I can block the posibility that someone might do directory traversel by playing around with my input?

/先生

推荐答案

你想要 basename:

$mydata = basename(realpath($_GET['thefile']));

<小时>

附加到(稍微修改)您的示例:

---

Appended to (slight modifications of) your example:

$file=$_GET['thefile']; 
$mypath='/var/www/';
$location= basename(realpath($mypath.$file));
$data = file_get_contents($location);
echo $data;

注意...虽然这会进行某种程度的错误检查，但它不会进行错误处理.我会把它留给你.

Note... although this does some level of error checking, it does no error handling. I'll leave that up to you.

这篇关于php目录遍历问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！