Some chars encoded during POST while others are not
TL;DR
CodeIgniter's Security Class directly manipulates your Globals such as $_POST, and it finds file() and file () to be a threat, so it HTML encodes it.
// config.php from my apps folder is the culprit
$config['global_xss_filtering'] = TRUE;
Do-It-Yourself (the few, the brave)
In CodeIgniter 2.1.4 go to system/core/security.php and line #430-442:
/*
* Sanitize naughty scripting elements
*
* Similar to above, only instead of looking for
* tags it looks for PHP and JavaScript commands
* that are disallowed. Rather than removing the
* code, it simply converts the parenthesis to entities
* rendering the code un-executable.
*
* For example: eval('some code')
* Becomes: eval&#40;'some code'&#41;
*/
$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
Observation/question
Basically, it seems as though either PHP or Apache sees file () or file() as a threat.
Has anyone experienced this before or have documentation resources as to why this occurs?
Can anyone test this on their server to see if they experience the same behavior? I have tested this on both my Development and Testing machines. I have not had a chance to test on the Production machine because our clients connect to it.
Code
HTML
<input name="q1" type="text" value="Profile (61) (D)">
<input name="q2" type="text" value="(61) (D)">
<input name="q3" type="text" value="file (61)">
<input name="q4" type="text" value="fil (61)">
<input name="q5" type="text" value="file ()">
<input name="q6" type="text" value="file()">
JS - probably irrelevant
$.ajax({
url: '/test_post'
,async: true
,cache: false
,type: 'POST'
,data: {
q1: $('input[name="q1"]').val(),
q2: $('input[name="q2"]').val(),
q3: $('input[name="q3"]').val(),
q4: $('input[name="q4"]').val(),
q5: $('input[name="q5"]').val(),
q6: $('input[name="q6"]').val()
}
,dataType: 'json'
,success: function(data){
console.log('irrelevant');
}
});
Network - Headers tab in Chrome - Form Data section
q1: Profile (61) (D)
q2: (61) (D)
q3: file (61)
q4: fil (61)
q5: file ()
q6: file()
PHP - CodeIgniter 2.1.4 Framework
echo '<pre>'.$_POST['q1'].'</pre>'; // produces: Profile &#40;61&#41; (D)
echo '<pre>'.$_POST['q2'].'</pre>'; // produces: (61) (D)
echo '<pre>'.$_POST['q3'].'</pre>'; // produces: file &#40;61&#41;
echo '<pre>'.$_POST['q4'].'</pre>'; // produces: fil (61)
echo '<pre>'.$_POST['q5'].'</pre>'; // produces: file &#40;&#41;
echo '<pre>'.$_POST['q6'].'</pre>'; // produces: file&#40;&#41;
echo '<pre>'.html_entity_decode($_POST['q1']).'</pre>'; // produces: Profile (61) (D)
echo '<pre>'.html_entity_decode($_POST['q2']).'</pre>'; // produces: (61) (D)
echo '<pre>'.html_entity_decode($_POST['q3']).'</pre>'; // produces: file (61)
echo '<pre>'.html_entity_decode($_POST['q4']).'</pre>'; // produces: fil (61)
echo '<pre>'.html_entity_decode($_POST['q5']).'</pre>'; // produces: file ()
echo '<pre>'.html_entity_decode($_POST['q6']).'</pre>'; // produces: file()
// Both of these produce same exact result
echo '<pre>'.print_r($_POST, true).'</pre>';
echo '<pre>'.print_r($this->input->post(), true).'</pre>';
Browsers tested
- Chrome 31.0.1650.57 m
- IE 8
- FF 25.0
Server Information
Dev
- Windows 7 x64
- Apache 2.2.17
- PHP 5.3.5
Testing
- Windows Server 2008 R2 x64
- Apache 2.2.21
- PHP 5.3.8
According to the user guide, you can get rid of this by setting
$config['global_xss_filtering'] = FALSE;
Or just remove this line.
IMHO, it's a design failure to modify the $_POST array, but there you go.
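The behaviour discussed in this thread, as an added example that is not part of the original posts or of CodeIgniter itself: it applies the replacement step quoted in the question to the six form values, then contrasts that input-time rewrite with escaping at output. The names NAUGHTY, filter_on_input and encode_for_html are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example (not CodeIgniter's own file): the replacement step quoted in
// the question, wrapped in a hypothetical helper and run on the six values.
const NAUGHTY = '#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen'
              . '|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si';

// Input-time filtering, as global_xss_filtering does to $_POST: the stored
// value itself is rewritten before the application ever sees it.
function filter_on_input(string $value): string
{
    return preg_replace(NAUGHTY, "\\1\\2&#40;\\3&#41;", $value);
}

// Output-time encoding: the value stays raw and is escaped only at the point
// where it is written into HTML.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the form values from the question.
$inputs = [
    'q1' => 'Profile (61) (D)',   // "file" matches inside "Profile"
    'q2' => '(61) (D)',
    'q3' => 'file (61)',
    'q4' => 'fil (61)',
    'q5' => 'file ()',
    'q6' => 'file()',
];

foreach ($inputs as $name => $raw) {
    $filtered = filter_on_input($raw);
    printf(
        "%s raw=[%s] filtered=[%s] changed=%s\n   raw->html=[%s] filtered->html=[%s]\n",
        $name,
        $raw,
        $filtered,
        $filtered === $raw ? 'no' : 'yes',
        encode_for_html($raw),       // parentheses pass through untouched
        encode_for_html($filtered)   // "&" of "&#40;" becomes "&amp;": double encoding
    );
}
```

The pattern has no word boundary, which is why ordinary text such as "Profile (61) (D)" is rewritten, and why a value filtered on input and then escaped on output reaches the user as literal entity text.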