What is wrong with the check_referrer function that I use for CSRF/XSRF protection?

I have this code in a PHP file and I want to know how the code works. Can you explain it to me with an example (all of the code)?

if (strpos(preg_replace('/^.+:\/\/(www\.)?/','',$_SERVER['HTTP_REFERER']).'/',preg_replace('/^.+:\/\/(www\.)?/','',$my_base_url))!==0)

What does

'/^.+:\/\/(www\.)?/'

mean, in particular the first ()?

Full function code:

function check_referrer($post_url=false){
    global $my_base_url, $my_website_base, $xsfr_first_page, $_GET, $_POST;

    if (sizeof($_GET)>0 || sizeof($_POST)>0)
    {

        if ($_SERVER['HTTP_REFERER'])
        {
            $base = $my_website_base;

            if (!$base) $base = '/';
            $_SERVER['HTTP_REFERER'] = sanitize($_SERVER['HTTP_REFERER'],3);

            // update checks if HTTP_REFERER and posted url are the same!
            if(strpos(urldecode($_SERVER['HTTP_REFERER']),$post_url)!==false) return true;


            //if (strpos(preg_replace('/^.+:\/\/(www\.)?/','',$_SERVER['HTTP_REFERER']).'/',preg_replace('/^.+:\/\/(www\.)?/','',$my_base_url).$base)!==0)
            if (strpos(preg_replace('/^.+:\/\/(www\.)?/','',$_SERVER['HTTP_REFERER']).'/',preg_replace('/^.+:\/\/(www\.)?/','',$my_base_url))!==0)
            {
                unset($_SESSION['xsfr']);
                $wrongurlrefforme=urldecode($_SERVER['HTTP_REFERER']);
                die("");
            }
        }
        elseif ($xsfr_first_page)
        {
            unset($_SESSION['xsfr']);
            die("");
        }
    }
}

That is a regular expression. For example, it will match http://www.

'/^.+:\/\/(www\.)?/' is a regular expression.

It means:

 /^        "Starting from the beginning of the string..."
  .+        "... match any string that has at least one character"
  :\/\/     "... followed by a colon followed by two forward slashes"
  (www\.)?/ "... and if there is 'www.' after those, call that 'group one'"

So...

preg_replace('/^.+:\/\/(www\.)?/','',$_SERVER['HTTP_REFERER'])

means

"look in the 'HTTP_REFERER' element of the $_SERVER array, and see if it matches the description above. If it does, replace the 'www.' part of it with nothing."

Whatever the result is becomes the first argument to strpos().

The second argument to strpos() is built the same way.

strpos() then tells you the position at which the second string occurs in the first string. So the if statement asks whether the output of strpos() has the same value and type as zero.

A safer comparison would be !=, since you don't care about the type.
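As an added example (not code from the question or either answer), here is a stand-alone PHP script that models the check with the page's own regex and prints what strpos() returns for a few constructed referrers; $base_url is a constructed placeholder standing in for $my_base_url, and the referrer values are constructed too.

```php
<?php
// Added example: a self-contained model of the check_referrer() comparison.
// Nothing here reads $_SERVER; the inputs are constructed so it runs offline.

// The page's own regex: strips "scheme://" and an optional leading "www.".
function strip_scheme_and_www(string $url): string {
    return preg_replace('/^.+:\/\/(www\.)?/', '', $url);
}

// Builds exactly the strpos() call from the original if-statement and
// returns its raw result: an int offset, or false when the base is absent.
function referrer_prefix_position(string $referer, string $base_url) {
    return strpos(strip_scheme_and_www($referer) . '/', strip_scheme_and_www($base_url));
}

$base_url = 'https://www.example.com';   // constructed placeholder for $my_base_url

$cases = [                                 // constructed Referer values
    'https://www.example.com/page?x=1',    // same site, with www.  -> 0
    'http://example.com/other',            // same host, no www.    -> 0
    'https://another.test/ref',            // unrelated site        -> false
];

foreach ($cases as $ref) {
    $pos = referrer_prefix_position($ref, $base_url);
    // var_export() distinguishes false from 0, which a plain echo would not.
    // The strict test (!== 0) is what the original code uses; the loose test
    // (!= 0) is shown beside it because false == 0 in PHP, so a referrer that
    // does not contain the base at all would pass a loose comparison.
    printf("%-36s -> %-5s  strict !== 0: %s  loose != 0: %s\n",
        $ref,
        var_export($pos, true),
        $pos !== 0 ? 'reject' : 'accept',
        $pos != 0  ? 'reject' : 'accept');
}
```

Run it with `php check_referrer_demo.php`; the third case prints `false`, which the strict comparison rejects and the loose comparison accepts.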