在 PHP 中防止目录遍历但允许路径 [英] Preventing Directory Traversal in PHP but allowing paths

问题描述

我有一个基本路径/whatever/foo/

I have a base path /whatever/foo/

和$_GET['path'] 应该是相对于它的.

and $_GET['path'] should be relative to it.

但是如何在不允许目录遍历的情况下完成此操作(读取目录)?

However how do I accomplish this (reading the directory), without allowing directory traversal?

例如

/..|../

无法正确过滤.

推荐答案

嗯，一种选择是比较真实路径:

Well, one option would be to compare the real paths:

$basepath = '/foo/bar/baz/';
$realBase = realpath($basepath);

$userpath = $basepath . $_GET['path'];
$realUserPath = realpath($userpath);

if ($realUserPath === false || strpos($realUserPath, $realBase) !== 0) {
    //Directory Traversal!
} else {
    //Good path!
}

基本上，realpath() 将解析提供的实际硬物理路径的路径(解析符号链接、..、.、/、//等)...所以如果真正的用户路径不是从真正的基本路径开始，它正在尝试进行遍历.请注意，realpath 的输出将没有任何虚拟目录"，例如 . 或 .....

Basically, realpath() will resolve the provided path to an actual hard physical path (resolving symlinks, .., ., /, //, etc)... So if the real user path does not start with the real base path, it is trying to do a traversal. Note that the output of realpath will not have any "virtual directories" such as . or .....

这篇关于在 PHP 中防止目录遍历但允许路径的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！