允许网站网址中的所有字符的安全风险是什么? [英] What are the security risks of allowing all characters in the website URL?
问题描述
我正在使用 Codeigniter PHP框架。在其中一个配置文件中,您可以设置允许的网址字符:
$ config ['permitted_uri_chars'] ='az 0 -9〜%。:_ \-';
因此,如果我尝试转到此网址: website.com/controller/%22quotedString %22 ,除非我将引号附加到允许的字符,否则我将收到错误:
$ config [ allowed_uri_chars']。='';
我的应用程序实际上需要允许
<$> p $ p>/ *
| --------------------------------- -----------------------------------------
|允许的网址字符
| ---------------------------------------------- ----------------------------
|
|作为安全措施,您强烈建议您将网址限制为
|尽可能少的字符默认情况下只允许这些字符:az 0-9〜%。:_-
|
|留空以允许所有字符 - 是疯狂的。
|
|不要改变这一点,除非你完全理解报告!
|
* /
是允许所有字符的安全问题。那么问题是什么?
允许网址中所有可能的字符没有固有的安全风险。安全问题取决于您的应用程序与它们一起使用。
I'm using the Codeigniter PHP framework. In one of the config files, you can set the allowed URL characters:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
So if I attempt to go to this url: website.com/controller/%22quotedString%22, I will get an error unless I append a quote to the permitted characters:
$config['permitted_uri_chars'] .= '"';
My application actually needs to allow all weird characters in the URL, but I don't want have a huge hardcoded list of characters. Codeigniter warns against allowing all characters:
/* |-------------------------------------------------------------------------- | Allowed URL Characters |-------------------------------------------------------------------------- | | As a security measure you are STRONGLY encouraged to restrict URLs to | as few characters as possible. By default only these are allowed: a-z 0-9~%.:_- | | Leave blank to allow all characters -- but only if you are insane. | | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!! | */
They don't say exactly what are security issues with allowing all characters. So what are the issues?
There are no inherent security risks to allowing all possible characters in your URL. Security issues depend on what your application does with them.
这篇关于允许网站网址中的所有字符的安全风险是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
