Mod重写查询参数验证和阻塞也请求url阻塞 [英] Mod rewrite query parameter validation and blocking also request url blocking
问题描述
在我的网站上,只允许几个查询查询参数,但是,一些扫描仪或黑客试图使用我的 php 应用程序不支持的唯一参数访问 url,我可以通过验证 在 php 应用程序级别阻止它们$_GET 参数,但我的服务器正在加载,所以如果参数无效,我想显示 403
On my site, only few query query parameters are allowed but, some scanners or hackers trying to access url with unique parameters which my php application doesn't support, I can block them in php application level, by validating $_GET parameters, but my server is getting loaded, so I want to show 403 if parameters are not valid
查询参数可以是任意顺序
到目前为止,我尝试的内容如下
So far what I tried is as follows
# IF there is query string
RewriteCond %{QUERY_STRING} ^.+$
# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} !(^|$)(query|debug|lang)=[^&]+(&|$) [NC]
RewriteRule ^(.*)$ - [F,L]
但问题是
http://example.com/search?query=test&debug=on&lang=en&foo=bar
即使黑客通过foo=bar,我也想显示404,在到达php应用程序之前严格参数检查.
its passing even if hacker pass foo=bar, I want to show 404, strict parameter checking before reaching php application.
这里是:重写测试员
它没有显示 404
带查询参数的有效 url 示例
Example of Valid url with query parameter
http://example.com/search?query=test&debug=on&lang=en
带有查询参数的 INVALID url 示例
Example of INVALID url with query parameter
(检查除了允许的查询参数之外是否还有其他查询参数???)
(Check Is there any query parameter other than allowed one ??? )
http://example.com/search?query=test&debug=on&lang=en&foo=bar
http://example.com/search?a=1
http://example.com/search?a=2
http://example.com/search?query=test&a=1
我可以在 php 中做同样的事情,但我想在到达我的 php 应用程序之前阻止请求.
Same I can do in php, But I want to block request before reaching my php application.
$allowed = array('query', 'lang', 'debug');
foreach($_GET as $key => $value)
{
if(!in_array($key, $allowed))
{
http_response_code(403)
die('Forbidden');
}
}
也在我的网站上,请求 uri 允许的字符是 [A-Za-z0-9_-]
Also on my website, request uri allowed chars are [A-Za-z0-9_-]
如果请求 uri 包含任何额外内容,我如何阻止
How can I block if request uri containing anything extra
也想知道,
- 是否也可以重写以检查 POST 变量?
- 我看到很多可疑的代理字符串,我该如何阻止他们
- 我还在推荐网址中看到黑客试图注入 xss 和 sqlinjection 字符串,我该如何阻止它们.
推荐答案
你可以用这个规则替换你现有的规则:
You may replace your existing rule with this rule:
# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} ^(?!(?:query|debug|lang)=[^&]+(?:&(?:query|debug|lang)=[^&]+)*$). [NC]
RewriteRule ^ - [F]
如果 URL 中存在除 query|debug|lang 之外的任何查询参数,则此规则将返回 403.
This rule will return 403 if any query parameter other than query|debug|lang is present in URL.
这里 (?!...) 是一个 负前瞻断言,如果查询字符串除了给定的参数之外有任何内容,则该断言将失败.
Here (?!...) is a negative lookahead assertion that will fail if query string has anything except given parameters.
正则表达式详情:
^:开始(?!:负前瞻的开始(?:query|debug|lang)=[^&]+:匹配 3 个允许的查询参数之一及其值(?:: 启动非捕获组&:匹配一个&(?:query|debug|lang)=[^&]+:匹配 3 个允许的查询参数之一及其值
^: Start(?!: Start of negative lookahead(?:query|debug|lang)=[^&]+: Match one of the 3 allowed query parameter and it's value(?:: Start non-capture group&: Match a&(?:query|debug|lang)=[^&]+: Match one of the 3 allowed query parameter and it's value
简单地说,当查询字符串具有除 3 个允许的参数之外的任何查询参数时,否定前瞻断言失败.
In simple words negative lookahead asserts failure when query string has any query parameter other than the 3 allowed parameters.
这篇关于Mod重写查询参数验证和阻塞也请求url阻塞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
