douyu4535 2015-03-06 20:49
浏览 36
已采纳

XSS和file_get_contents?

My url is like page.php?path=content/x/y/z/aaa.md. Is the following php code XSS-secure?

include "Parsedown.php";

function path_purifier($path) {
  if(substr($path, 0, 8) !== "content/")
    return null;
  if (strpos($path,'..') !== false)
    return null;
  return "./" . $path;
}

$parsedown = new Parsedown();
$path = $_GET['path'];
$path = path_purifier($path);
echo $parsedown->text(file_get_contents($path));

Thanks for your attention

  • 写回答

1条回答 默认 最新

  • douweibeng5219 2015-03-06 21:18
    关注

    Yes, looks secure enough, but still not perfect. You also need to call is_file() and ensure it returns true, before you call file_get_contents(). Also to make it even safer you can implement a CSRF protection on top of it.

    Also, keep in mind, that some hosting providers don't allow relative paths. So if a path like '/content/x/y/file.md' might work on you local machine, keep in mind that on some hosters it will not. So you'd better always use absolute paths like __DIR__ . '/content/x/y/file.md'

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!