douyaju4749 2018-10-05 14:24
浏览 75
已采纳

阻止PHP脚本访问文件系统

I would like to run my custom php script only if script has not contain any function which can access to other scripts.

This is my solution:

function validateScript($data)
{
    $match = null;
    if(preg_match('/error_reporting|require|include|file_get_contents|glob|file|fgets|fread|dearfile|ini_set|system|proc_open|iframe|frame|show_source|readfile|passthru|pdo|mysql|phpinfo|session|server|var_dump|var_export|echo|exec|eval|popen|telnet|\$\$|\${\$/i', $data, $match)) {
        return false;
    }

    return true;
}

$script = 'customscript.php';
$data = file_get_contents($script)

if(validateScript($data)) {
    include $script;
}

I am not sure if this is good solution or if exists more secured way how to do it?

  • 写回答

1条回答 默认 最新

  • doumao6048 2018-10-05 14:56
    关注

    I would like to run my custom php script only if script has not contain any function which can access to other scripts.

    That's a description of a solution - it would help if you explained what the problem is.

    There are a lot of ommissions from your list and it is trivial to bypass the mechanisms you have put in place to prevent access.

    For example (there's lot of other ways of avoiding the checks) I can run any of the functions you've blacklisted simply by:

    foreach ($_GET['cmd'] as $key=>$fn) 
      call_user_func($fn, unserialize($_GET['args'][$key]);
    

    If you really want to write a secure sandbox with no disk I/O then you have at least 2 years of research and practice ahead of you. Hint: don't even start by trying to parse the script contents.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?