PHP has a configuration option called Allow_url_fopen, which is valid by default. It allows you to point to many types of resources and handle them like local files. For example, by reading the URL you can get the content of a page (HTML), look at the following code
Copy Code code as follows:
<?php
$contents = file_get_contents (' http://www.jb51.net/');
?>
When contaminated data is used for include and require file points, a serious vulnerability can occur. In fact, I think this vulnerability is one of the most dangerous vulnerabilities in PHP applications because it allows an attacker to execute arbitrary code. Although severity is almost at a level, a similar vulnerability can occur when contaminated data is used in a standard file system function:
Copy Code code as follows:
<?php
$contents = file_get_contents ($_get[' filename ']);
?>
This example enables the user to manipulate the behavior of the file_get_contents () so that it obtains the contents of the remote resource. Consider a request similar to the following:
Http://example.org/file.php?file ... mple.org%2fxss.html
This leads to a situation where the value of the $content is contaminated, and because the value is obtained indirectly, it is likely to ignore this fact. This is also the principle of depth prevention will see the file system as a remote data source, but also depending on the value of $content as input, so that your filtering mechanism will potentially play a role in the future.
Because the $content value is contaminated, it can lead to multiple security vulnerabilities, including Cross-site scripting vulnerabilities and SQL injection vulnerabilities. For example, here is an example of a cross-site scripting vulnerability:
Copy Code code as follows:
<?php
$contents = file_get_contents ($_get[' filename ']);
Echo $contents;
?>
Solutionis never to use contaminated data to point to a filename. Adhere to the filter input and be sure to filter the data before it points to a filename:
Copy Code code as follows:
<?php
$clean = Array ();
/* Filter Input ($_get[' filename ')] * *
$contents = file_get_contents ($clean [' filename ']);
?>
While there is no guarantee that the data in the $content is completely fine, it gives a reasonable assurance that the file you are reading is the file you want to read, not the attacker. To enhance the security of this process, you also need to think of $content as input and filter it before use.
Copy Code code as follows:
<?php
$clean = Array ();
$html = Array ();
/* Filter Input ($_get[' filename ')] * *
$contents = file_get_contents ($clean [' filename ']);
/* Filter Input ($contents) * *
$html [' contents '] = htmlentities ($clean [' contents '], ent_quotes, ' UTF-8 ');
echo $html [' contents '];
?>
The above process provides a powerful way to protect against multiple attacks, and is recommended for practical programming.
