wamp server how to prevent access above root folder by dot dot slash


How do I prevent access above the root? (by dot dot slash)

I can see all the files on the partition.

To test the access, I wrote this script and added a GO UP link:

<?php
// Test script from the question: lists the directory given by ?p= relative to this file.
// Deliberately unfiltered, so "?p=../" walks above the script's own folder.
$PartialPath = @$_GET['p'];
if (empty($PartialPath)) {
    $PartialPath = '';
} else {
    $PartialPath = '\\' . $PartialPath;   // a single backslash; "\" alone is a parse error in PHP
}
$PartialPath_Root = dirname(__FILE__);

$ScanPath = $PartialPath_Root . $PartialPath;
echo 'Scan: ', $ScanPath, '<br><br>';

$Files_arr = scandir($ScanPath);
foreach ($Files_arr as $file) {
    if ('.' === $file) {
        // skip the current-directory entry
    } else if ('..' === $file) {
        echo '<a href="?p=', $PartialPath, '../" target="_self">.. GO UP </a><br><br>';
    } else {
        echo $file, '<br>';
    }
}
?>

Update, based on @Hamidreza Kalantari's answer:

I created a filter to check whether the path is outside the root:

if (Func_AllowOnlyRootPath($ScanPath) == "1") {   // $ScanPath is the combined path from the script above
    // continue...
} else {
    echo '<br>unsecure path - outside root<br>';
    //die('Directory Traversal Prevented');
}

echo '<br>PartialPath: ', $PartialPath, '<br>';

// Both checks resolve the candidate with realpath() (which removes every "..") and require the
// result to start with the allowed base. The base is passed through realpath() as well: on Windows
// DOCUMENT_ROOT is reported with forward slashes while realpath() returns backslashes, so a raw
// strpos() comparison would never match. realpath() returns false for paths that do not exist.
function Func_AllowOnlyRootPath($VerifyPath) {
    if (empty($VerifyPath)) { return "1"; }
    $real_path = realpath($VerifyPath);
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($real_path === false || strpos($real_path, $root) !== 0) { return "0"; }
    return "1";
}
function Func_AllowOnlyPhpScriptPath($VerifyPath) {
    if (empty($VerifyPath)) { return "1"; }
    $real_path = realpath($VerifyPath);
    if ($real_path === false || strpos($real_path, dirname(__FILE__)) !== 0) { return "0"; }
    return "1";
}

Use the realpath function to get the actual path (without any ..), then check whether it starts with the root:

$real_path = realpath($ScanPath);   // resolved absolute path of the combined path, ".." removed; false if it does not exist
if ($real_path === false || strpos($real_path, $PartialPath_Root) !== 0) die('Directory Traversal Prevented');
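The realpath-and-prefix check from the answer as one self-contained listing, added here as an example that is not code from the question or the answer; the helper name safe_path_inside() is assumed, and the base directory is the script's own directory (__DIR__), as in the question's script:

```php
<?php
// Added example (not code from the question or the answer): resolve the
// user-supplied relative part against a base directory and refuse anything
// that resolves outside it. The helper name safe_path_inside() is hypothetical.

/**
 * Return the canonical absolute path of $userPath resolved under $base,
 * or null if it does not exist or escapes $base.
 */
function safe_path_inside(string $base, string $userPath): ?string
{
    // Canonicalise the base first: realpath() resolves symlinks and normalises
    // separators, so a DOCUMENT_ROOT reported with forward slashes on Windows
    // still compares equal to the backslash form realpath() returns.
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() removes every ".." and returns false for non-existent paths.
    $candidate = realpath($realBase . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare with a trailing separator so that a sibling such as "www2"
    // is not accepted as being inside "www"; the base directory itself passes.
    if (is_dir($candidate)) {
        $candidate = rtrim($candidate, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }
    // Windows file names are case-insensitive, so compare accordingly there.
    $cmp = (DIRECTORY_SEPARATOR === '\\') ? 'strncasecmp' : 'strncmp';
    if ($cmp($candidate, $realBase, strlen($realBase)) !== 0) {
        return null;
    }
    return $candidate;
}
// Usage mirroring the question's listing: ?p= is the relative part.
$p = isset($_GET['p']) ? (string) $_GET['p'] : '';
$scanPath = safe_path_inside(__DIR__, $p);
if ($scanPath === null) {
    http_response_code(400);
    die('Directory Traversal Prevented');
}
foreach (scandir($scanPath) as $file) {
    if ($file === '.' || $file === '..') { continue; }
    echo htmlspecialchars($file, ENT_QUOTES, 'UTF-8'), '<br>';
}
```

With this in place, "?p=../" from the question's GO UP link resolves to the parent of __DIR__, fails the prefix comparison and is rejected, while "?p=sub" for an existing subfolder is listed as before.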