drhzc64482 2012-04-13 15:54
Views: 226

PHP: securely saving and displaying user code from CodeMirror

I'm setting up a simple web-based code editor using CodeMirror to help students learn basic HTML, CSS, and JavaScript.

I want the students to be able to save their code, so it is visible in a stand-alone browser window with its own link that can be shared with friends and family to show off their work (i.e. mydomain.com/users/their-username/test.html).

I currently have the following PHP, but I know my use of $content is not secure at all:

// Original (insecure) handler as posted; only the unbalanced parentheses are fixed here.
if ($_POST['type'] == 'save') {

  $content = stripslashes($_POST['code']);
  $username = addslashes(strip_tags($_POST['username'])); //i.e. markrummel
  $filename = addslashes(strip_tags($_POST['filename'])); //i.e. test, index
  $ext = addslashes(strip_tags($_POST['filetype'])); //i.e. html, css, js
  $path = '/users/' . $username . '/';
  $URL = $path . $filename . '.' . $ext;

  file_put_contents($URL, $content);

}

In most cases $content should be safe HTML, CSS, or JavaScript, like: <p>My name is Mark</p>, but I want to be prepared in case something malicious is put into the code editor to be saved.

Any suggestions on how I can securely save and display their code? Is there a way to quarantine/sandbox each user's folder from other user folders and the rest of the website?

Maybe there is no secure way to do this and I shouldn't allow anyone I don't trust to save code to my server, but if there is a safe way to do this...that would be great for this project! If not, I'll figure something else out.

Thank you for any help or insight you can offer! -Mark


1 answer

  • dongyang0005 2012-04-14 17:31

    addslashes and stripslashes do nothing for you here at all. I'm not sure what you are trying to do with them but slashing a string is not a useful form of encoding for filename handling or really any context you are likely to meet in a webapp.

    strip_tags is also of no use for anything to do with filenames; it removes HTML from a string (but even then not really in a good enough way to use as a guard properly against HTML injection).

    $URL = $path . $filename . '.' . $ext;
    file_put_contents($URL, $content);
    

    Yeah, this is seriously unsafe. By putting .. segments in the username or filename, an attacker can store files outside the root path. With complete control of the filename including extension that can include executable files like .php or other sensitive files like .htaccess. (Even if $ext were limited to known-good values, depending on OS your server is running under, it may also be possible to evade that extension appending.)

    Whilst it is possible to sanitise filenames by limiting the characters that can be used in them, it's harder than you think to make that watertight when you might be running on eg. a Windows server. It's almost always better to generate filenames yourself (eg using a unique integer ID instead of an attacker-supplied filename) for storage on your local filesystem. You can always use rewrites to make the files appear to have a different address.

    In most cases $content should be safe HTML, CSS, or JavaScript

    Are you sure that's safe then?

    If you serve some user-supplied scripting from inside your domain, it can control everything any of your users does within the site. It could override or fake any user-level security controls you have, upload files under other users' names and so on.

    You can try to sanitise submitted HTML to make it use only safe tags, but that's hard to get right, and of no use if you want to permit users to run CSS/JS!

    Is there a way to quarantine/sandbox each user's folder from other user folders and the rest of the website?

    Yes. Serve each area from a different hostname. eg. put the main site on http://www.example.com/ with sandboxes at http://tom.users.example.com/, http://dick.users.example.com/ and so on.

    This prevents direct cross-site scripting. To ensure sandbox sites cannot read cookies from the main site, make sure it is not also running on example.com (redirect it to www.example.com).

    This isn't quite a complete sandbox. If you need to ensure sandbox sites cannot write cookies to other sites (potentially breaking them by stopping their own cookies working), then you have no choice but to run each sandbox in its own full domain. And if you have to guard against Java plugin URL connections, each sandbox needs its own IP address. This gets costly quickly! But these are less serious attacks.

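A hardened version of the question's save handler that follows the answer's advice (whitelisted extension, a strictly validated base name, a directory derived from a server-side user ID, and a containment check on the resolved path). This is an added example, not code from the question or the answer; STORAGE_ROOT, $_SESSION['user_id'] and the assumption that the files are later served from a separate hostname are all hypothetical.

```php
<?php
declare(strict_types=1);

const STORAGE_ROOT = '/var/www/user-sandboxes'; // hypothetical; outside the main docroot
const ALLOWED_EXT  = ['html' => true, 'css' => true, 'js' => true];

function saveUserCode(int $userId, string $filename, string $ext, string $content): string
{
    // Short, plain base name only: no dots, slashes or NUL bytes, so ".." segments,
    // extra extensions and path separators never reach the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $filename)) {
        throw new InvalidArgumentException('invalid filename');
    }
    // Windows reserved device names stay special even with an extension appended.
    if (preg_match('/\A(con|prn|aux|nul|com[1-9]|lpt[1-9])\z/i', $filename)) {
        throw new InvalidArgumentException('reserved filename');
    }
    // The extension comes from a fixed whitelist, never from the request verbatim.
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new InvalidArgumentException('invalid file type');
    }
    // Directory is derived from the authenticated user ID, not a user-typed name.
    $dir = STORAGE_ROOT . '/' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create user directory');
    }
    // Belt and braces: confirm the resolved directory still sits inside STORAGE_ROOT.
    $realDir  = realpath($dir);
    $realRoot = realpath(STORAGE_ROOT);
    if ($realDir === false || $realRoot === false || strpos($realDir, $realRoot . '/') !== 0) {
        throw new RuntimeException('path escapes storage root');
    }
    $target = $realDir . '/' . $filename . '.' . $ext;
    // Content is stored verbatim: it is meant to run, so isolation comes from serving it
    // on a separate hostname (as the answer describes), not from sanitising it.
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

if (($_POST['type'] ?? '') === 'save' && isset($_SESSION['user_id'])) {
    try {
        saveUserCode((int) $_SESSION['user_id'], (string) ($_POST['filename'] ?? ''),
                     (string) ($_POST['filetype'] ?? ''), (string) ($_POST['code'] ?? ''));
        http_response_code(204);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
    }
}
```

The saved files must still be served only from the per-user sandbox hostname, never from the main site's origin; the save path alone does not make the stored HTML or JavaScript safe to run on www.example.com.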
