douyaju4749 2018-10-05 14:24
Views: 75
Accepted

Prevent a PHP script from accessing the file system

I would like to run my custom PHP script only if the script does not contain any function that can access other scripts.

This is my solution:

<?php
// Rejects the script source if any blacklisted function or keyword name appears in it.
function validateScript($data)
{
    $match = null;
    if (preg_match('/error_reporting|require|include|file_get_contents|glob|file|fgets|fread|dearfile|ini_set|system|proc_open|iframe|frame|show_source|readfile|passthru|pdo|mysql|phpinfo|session|server|var_dump|var_export|echo|exec|eval|popen|telnet|\$\$|\${\$/i', $data, $match)) {
        return false;
    }

    return true;
}

// Read the script's source text and only include it when the check passes.
$script = 'customscript.php';
$data = file_get_contents($script);

if (validateScript($data)) {
    include $script;
}

I am not sure if this is a good solution or if there is a more secure way to do it?


1 answer

  • doumao6048 2018-10-05 14:56

    I would like to run my custom PHP script only if the script does not contain any function that can access other scripts.

    That's a description of a solution - it would help if you explained what the problem is.

    There are a lot of omissions from your list and it is trivial to bypass the mechanisms you have put in place to prevent access.

    For example (there are lots of other ways of avoiding the checks) I can run any of the functions you've blacklisted simply by:

    // The function name and its arguments arrive in the request at run time,
    // so none of the blacklisted words ever appear in the script's source text.
    foreach ($_GET['cmd'] as $key => $fn)
        call_user_func($fn, unserialize($_GET['args'][$key]));


    If you really want to write a secure sandbox with no disk I/O then you have at least 2 years of research and practice ahead of you. Hint: don't even start by trying to parse the script contents.

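To make the answer's point concrete, here is an added test harness (my code, not from either poster) that runs the asker's validateScript() unchanged over two constructed snippets: a harmless script that the word-level blacklist rejects because "profile" contains "file" and "$_SERVER" contains "server", and the answer's call_user_func() snippet, which it accepts because the function name only exists at run time. The sample scripts and the auditSamples() helper are constructed for this example.

```php
<?php
// Added example: exercising the question's validateScript() to show that a
// source-text blacklist is both over-broad and bypassable.

function validateScript(string $data): bool
{
    // The regex exactly as posted in the question.
    $pattern = '/error_reporting|require|include|file_get_contents|glob|file|fgets|fread|'
             . 'dearfile|ini_set|system|proc_open|iframe|frame|show_source|readfile|passthru|'
             . 'pdo|mysql|phpinfo|session|server|var_dump|var_export|echo|exec|eval|popen|'
             . 'telnet|\$\$|\${\$/i';
    return preg_match($pattern, $data) !== 1;
}

// Constructed sample scripts (not from the page).
$samples = [
    // Touches no file and runs nothing dangerous, yet "profile" matches the
    // alternative "file" and "$_SERVER" matches "server" (case-insensitive).
    'benign'  => '<?php $profile = ["host" => $_SERVER["HTTP_HOST"]]; return $profile;',
    // The answer's snippet: the callee is chosen from request data at run time,
    // so no blacklisted word appears in the source and the check passes.
    'dynamic' => '<?php foreach ($_GET["cmd"] as $k => $fn) {'
               . ' call_user_func($fn, unserialize($_GET["args"][$k])); }',
];

// Returns ['benign' => 'rejected', 'dynamic' => 'accepted'] for the samples above:
// a false positive on harmless code and a false negative on the bypass.
function auditSamples(array $samples): array
{
    $verdicts = [];
    foreach ($samples as $name => $source) {
        $verdicts[$name] = validateScript($source) ? 'accepted' : 'rejected';
    }
    return $verdicts;
}

var_export(auditSamples($samples));
```

What a script may reach is decided by the runtime it executes in (for PHP, directives such as `disable_functions` and `open_basedir`, or an OS-level sandbox around the process), not by inspecting its source text, which is the point of the answer's advice not to start by parsing the script.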
