This kind of vulnerability, mainly can read the user to pass the path name, uses the improper filtering method, causes the malicious user, the file saves in unexpected place, brings the security hidden danger.
In fact, we seize a few places, we first to analyze, since the user to save the file, and the file will be a variety of formats, there may be some file content and user incoming format inconsistent, and some file content is also included in the Trojan code. Then, we let the user save the file, with the site file to do a separate authorization, do isolation.
Keep the storage directory separate, directory permissions read-only cannot be performed
This step is authorized from the system design, no matter what file you last, it is impossible to execute. Even if I do not do any testing, your files are stored here, and will not constitute a security system for me. (If you have a picture of some reactionary words, it needs to be dealt with separately)
do not directly use the server incoming value, all to be detected
This kind of thing as we do all the input is a harmful principle, for the client incoming: type, name, should be judged, not directly used. For a file name to be generated to a directory.
The best way to file names is to write your own dead directory (do not read the incoming directory), the file name, preferably randomly generated, do not read the user file name. File extension, you can take the rightmost "." The following character.
The above 2 methods, just from 2 aspects of the overall constraints on the deposit.
Method 2: Save the file name, write to the directory you specified, and the file name is generated by itself.
Method 1: As long as the file is guaranteed to write to the location, and then from the configuration, the Write directory for permission control, this is a permanent solution. Can do, you no matter what file, you have no permission to jump out to run.
The above 2 methods, used together, can ensure that the file is stored correctly, and then the permissions can be controlled. Here, by the way, to determine whether the user's storage file to meet the required type, directly check the file name extension, as long as the extension to allow the storage. Anyway, do the enforcement permission limit, you do not as required to save content, also no harm. Anyway, can not be executed, nor how much harm.
correct steps:
1. Read the file name to verify that the extension is within range
2. Define your own generated file name, directory, extension can come from the file name extension. Other values, which are configured on their own, do not read the contents of the storage
3. Move the file to a new directory (this directory permission is set to read only)
Well, the above is the general method of operation, I hope you have help, but also welcome friends to communicate! Also hope to provide a better way! Next, I will in the web development, common some methods functional security design aspects continue to write some of my experience, views!
http://www.bkjia.com/PHPjc/372242.html www.bkjia.com true http://www.bkjia.com/PHPjc/372242.html techarticle this kind of vulnerability, mainly can read the user to pass the path name, uses the improper filtering method, causes the malicious user, the file saves in unexpected place, brings the security hidden danger. Actually ...
