douyaju4749 2018-10-05 14:24
Views: 75
Accepted

Prevent a PHP script from accessing the file system

I would like to run my custom PHP script only if the script does not contain any function which can access other scripts.

This is my solution:

// Reject the script if its source text matches any blacklisted word.
function validateScript($data)
{
    $match = null;
    if(preg_match('/error_reporting|require|include|file_get_contents|glob|file|fgets|fread|dearfile|ini_set|system|proc_open|iframe|frame|show_source|readfile|passthru|pdo|mysql|phpinfo|session|server|var_dump|var_export|echo|exec|eval|popen|telnet|\$\$|\${\$/i', $data, $match)) {
        return false;
    }

    return true;
}

$script = 'customscript.php';
$data = file_get_contents($script);

// Only include the script when the blacklist check passes.
if(validateScript($data)) {
    include $script;
}

I am not sure if this is a good solution, or if there is a more secure way to do it?


1 answer

  • doumao6048 2018-10-05 14:56

    I would like to run my custom PHP script only if the script does not contain any function which can access other scripts.

    That's a description of a solution - it would help if you explained what the problem is.

    There are a lot of omissions from your list, and it is trivial to bypass the mechanisms you have put in place to prevent access.

    For example (there are lots of other ways of avoiding the checks), I can run any of the functions you've blacklisted simply by:

    foreach ($_GET['cmd'] as $key=>$fn)
      call_user_func($fn, unserialize($_GET['args'][$key]));

    If you really want to write a secure sandbox with no disk I/O then you have at least 2 years of research and practice ahead of you. Hint: don't even start by trying to parse the script contents.

    This answer was selected as the best answer by the asker.
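The following is an added example, not code from the question or the answer above. It runs the question's `validateScript()` unchanged over constructed sample scripts to show that a substring blacklist keys on spelling rather than on what the code does (harmless identifiers and comments are rejected), and then shows the direction the answer points to: enforcing restrictions in the PHP runtime itself, in a separate `php` process started with `disable_functions` and `open_basedir`, instead of inspecting the script text. The constant `BLACKLIST`, the helper `runRestricted()` and the sample scripts are this example's own; it assumes the `php` CLI is on `PATH` and honours `-d` for these directives.

```php
<?php
// Added example, not from the original question or answer.
// Part 1: the question's regex, unchanged, applied to constructed samples.
const BLACKLIST = '/error_reporting|require|include|file_get_contents|glob|file|fgets|fread|dearfile|ini_set|system|proc_open|iframe|frame|show_source|readfile|passthru|pdo|mysql|phpinfo|session|server|var_dump|var_export|echo|exec|eval|popen|telnet|\$\$|\${\$/i';

function validateScript(string $data): bool
{
    // Same semantics as the question: any match rejects the whole script.
    return preg_match(BLACKLIST, $data) !== 1;
}

// Constructed samples. None of them touches the file system, yet each is
// rejected because an innocent identifier, comment or string literal happens
// to contain a listed word ("file" in $profile, "server", "frame").
$falsePositives = [
    'variable named $profile'        => '<?php $profile = ["name" => "a"]; print $profile["name"];',
    'comment mentioning the server'  => "<?php // totals reported by the server\nprint 1 + 2;",
    'word "framework" in a string'   => '<?php print "built with a framework";',
];

foreach ($falsePositives as $label => $src) {
    printf("%-32s -> %s\n", $label, validateScript($src) ? 'accepted' : 'rejected');
}

// Part 2: runtime-level restriction instead of text inspection.
// The untrusted script runs in its own php process with dangerous functions
// disabled and file access confined to the script's own directory. This
// narrows the script's reach regardless of how a call is spelled or invoked
// (directly, via call_user_func, via a variable function name); it is a
// reduction of privilege, not a complete sandbox, and no timeout is enforced.
function runRestricted(string $scriptPath): array
{
    $dir = dirname(realpath($scriptPath));

    // eval is a language construct, not a function, so it cannot be listed here;
    // open_basedir still confines whatever evaluated code tries to open.
    $disabled = implode(',', [
        'exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen',
        'file_get_contents', 'file_put_contents', 'fopen', 'readfile',
        'unlink', 'rename', 'glob', 'scandir', 'opendir', 'curl_exec',
    ]);

    $cmd = sprintf(
        'php -d %s -d %s -d allow_url_fopen=0 %s',
        escapeshellarg('disable_functions=' . $disabled),
        escapeshellarg('open_basedir=' . $dir),
        escapeshellarg($scriptPath)
    );

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes, $dir);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => 'could not start php'];
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    return ['exit' => $exit, 'stdout' => $out, 'stderr' => $err];
}

// Usage with a constructed untrusted script: the first statement runs; the
// dynamic call to file_get_contents() fails because the function is disabled
// in the child process, and open_basedir would block the path in any case.
$tmp = tempnam(sys_get_temp_dir(), 'untrusted_');
file_put_contents($tmp, '<?php print "hello\n"; call_user_func("file_get_contents", "/etc/hostname");');
$result = runRestricted($tmp);
print $result['stdout'] . $result['stderr'];
printf("exit code: %d\n", $result['exit']);
unlink($tmp);
```

All three samples in the first part are rejected, which is the practical cost of matching on text: legitimate scripts fail for reasons unrelated to security, while the matching says nothing about what an accepted script actually does. In the second part the restriction lives in the interpreter configuration, so it applies however a function is reached; the exact error message for the disabled call differs between PHP versions (PHP 7 reports the function as disabled, PHP 8 removes it from the function table and reports it as undefined), and on the CLI that message may be written to stdout rather than stderr depending on `display_errors`.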
