处理/删除UTF-8的从右到左覆盖字符的最佳方法是什么?

时间:2014-01-24 01:24:14

标签: php security encoding utf-8

有一个utf-8字符(HEX字节E2 80 AE),当由utf-8启用的系统正确处理时,将向用户显示已经反转的字符。通常由蛇使用来隐藏或弄乱文件扩展名。

以下是此类文件名字符串的示例:

an .EXE called: EvilFile‮.EXE

an .scr called: yo.na‮.scr

文件名扩展验证如果完成就不会有问题,这将显示导致问题的字符串,htmlentities()会导致字符串变为:EvilFileâ ®.EXE

那么,将文件名修复回EvilFile.EXE的最佳解决方案是什么?

使用iconv完成的测试会在输出上产生相同类型的编码问题。

<!DOCTYPE html>
<head>
    <meta charset="utf-8"> 
    <title></title>
</head>

<body>
<?php
$evilString = "EvilFile‮.EXE";
$ret = null;

$ret .= '<h1>htmlentities/ENT_QUOTES | ENT_IGNORE</h1>';
$ret .= htmlentities($evilString, ENT_QUOTES | ENT_IGNORE, "UTF-8").'<br>';

//enc options
$enc = array(
    "UTF-8", 
    "ASCII", 
    "Windows-1252", 
    "ISO-8859-15", 
    "ISO-8859-1", 
    "ISO-8859-6", 
    "CP1256",
    "US-ASCII//TRANSLIT", 
    "UTF-8//IGNORE",
    "UTF-8//TRANSLIT"
 );

//iconv
foreach ($enc as $i) {
    $ret .= '<h1>iconv/'.$i.'</h1>';
    foreach ($enc as $j) {
        $ret .= " $i - $j: ".@iconv($i, $j, $evilString).'<br>';
    }
}

//mb_convert_encoding
$ret .= '<h1>mb_convert_encoding</h1>';
foreach (mb_list_encodings() as $chr) {
    $ret .= $chr.' - '.mb_convert_encoding($evilString, 'UTF-8', $chr)."<br>";   
} 

echo $ret;
?> 
</body>
</html>

结果 

iconv/US-ASCII//TRANSLIT
------------------------
US-ASCII//TRANSLIT - UTF-8: EvilFile
US-ASCII//TRANSLIT - ASCII: EvilFile
US-ASCII//TRANSLIT - Windows-1252: EvilFile
US-ASCII//TRANSLIT - ISO-8859-15: EvilFile
US-ASCII//TRANSLIT - ISO-8859-1: EvilFile
US-ASCII//TRANSLIT - ISO-8859-6: EvilFile
US-ASCII//TRANSLIT - CP1256: EvilFile
US-ASCII//TRANSLIT - US-ASCII//TRANSLIT: EvilFile
US-ASCII//TRANSLIT - UTF-8//IGNORE: EvilFile.EXE <<< - See answer below
US-ASCII//TRANSLIT - UTF-8//TRANSLIT: EvilFile

iconv/UTF-8//IGNORE
-------------------
UTF-8//IGNORE - UTF-8: EvilFile‮.EXE
UTF-8//IGNORE - ASCII: EvilFile
UTF-8//IGNORE - Windows-1252: EvilFile
UTF-8//IGNORE - ISO-8859-15: EvilFile
UTF-8//IGNORE - ISO-8859-1: EvilFile
UTF-8//IGNORE - ISO-8859-6: EvilFile
UTF-8//IGNORE - CP1256: EvilFile
UTF-8//IGNORE - US-ASCII//TRANSLIT: EvilFile
UTF-8//IGNORE - UTF-8//IGNORE: EvilFile‮.EXE
UTF-8//IGNORE - UTF-8//TRANSLIT: EvilFile‮.EXE

iconv/UTF-8//TRANSLIT
---------------------
UTF-8//TRANSLIT - UTF-8: EvilFile‮.EXE
UTF-8//TRANSLIT - ASCII: EvilFile
UTF-8//TRANSLIT - Windows-1252: EvilFile
UTF-8//TRANSLIT - ISO-8859-15: EvilFile
UTF-8//TRANSLIT - ISO-8859-1: EvilFile
UTF-8//TRANSLIT - ISO-8859-6: EvilFile
UTF-8//TRANSLIT - CP1256: EvilFile
UTF-8//TRANSLIT - US-ASCII//TRANSLIT: EvilFile
UTF-8//TRANSLIT - UTF-8//IGNORE: EvilFile‮.EXE
UTF-8//TRANSLIT - UTF-8//TRANSLIT: EvilFile‮.EXE

mb_convert_encoding
-------------------
pass - EvilFileâ®.EXE
auto - EvilFile‮.EXE
wchar - EvilFileâ®.EXE
byte2be - 䕶楬䙩汥긮䕘
byte2le - 癅汩楆敬胢⺮塅
byte4be - ������������?
byte4le - ������������������
BASE64 - ��)^q
UUENCODE -
HTML-ENTITIES - EvilFileâ®.EXE
Quoted-Printable - EvilFile‮.EXE
7bit - EvilFileâ®.EXE
8bit - EvilFileâ®.EXE
UCS-4 - ������������?
UCS-4BE - ������������?
UCS-4LE - ������������������
UCS-2 - 䕶楬䙩汥긮䕘
UCS-2BE - 䕶楬䙩汥긮䕘
UCS-2LE - 癅汩楆敬胢⺮塅
UTF-32 - ?
UTF-32BE - ?
UTF-32LE -
UTF-16 - 䕶楬䙩汥긮䕘
UTF-16BE - 䕶楬䙩汥긮䕘
UTF-16LE - 癅汩楆敬胢⺮塅
UTF-8 - EvilFile‮.EXE
UTF-7 - EvilFile???.EXE
UTF7-IMAP - EvilFile???.EXE
ASCII - EvilFileâ®.EXE
EUC-JP - EvilFile??EXE
SJIS - EvilFile窶ョ.EXE
eucJP-win - EvilFile??EXE
SJIS-win - EvilFile窶ョ.EXE
CP932 - EvilFile窶ョ.EXE
CP51932 - EvilFile??EXE
JIS - EvilFile??ョ.EXE
ISO-2022-JP - EvilFile??ョ.EXE
ISO-2022-JP-MS - EvilFile??ョ.EXE
Windows-1252 - EvilFile‮.EXE
Windows-1254 - EvilFile‮.EXE
ISO-8859-1 - EvilFileâ®.EXE
ISO-8859-2 - EvilFileâŽ.EXE
ISO-8859-3 - EvilFileâ?.EXE
ISO-8859-4 - EvilFileâŽ.EXE
ISO-8859-5 - EvilFileтЎ.EXE
ISO-8859-6 - EvilFileق?.EXE
ISO-8859-7 - EvilFileβ?.EXE
ISO-8859-8 - EvilFileג®.EXE
ISO-8859-9 - EvilFileâ®.EXE
ISO-8859-10 - EvilFileâŪ.EXE
ISO-8859-13 - EvilFileā®.EXE
ISO-8859-14 - EvilFileâ®.EXE
ISO-8859-15 - EvilFileâ®.EXE
ISO-8859-16 - EvilFileâ®.EXE
EUC-CN - EvilFile??EXE
CP936 - EvilFile鈥?EXE
HZ - EvilFile???.EXE
EUC-TW - EvilFile??EXE
BIG-5 - EvilFile??EXE
EUC-KR - EvilFile??EXE
UHC - EvilFile巽?EXE
ISO-2022-KR - EvilFile???.EXE
Windows-1251 - EvilFile‮.EXE
CP866 - EvilFileтАо.EXE
KOI8-R - EvilFileБ─╝.EXE
KOI8-U - EvilFileБ─╝.EXE
ArmSCII-8 - EvilFileՉ….EXE
CP850 - EvilFileÔÇ«.EXE
JIS-ms - EvilFile??ョ.EXE
CP50220 - EvilFile??ョ.EXE
CP50220raw - EvilFile??ョ.EXE
CP50221 - EvilFile??ョ.EXE
CP50222 - EvilFile??ョ.EXE

我想有(我不热衷)。将字符串传递给utf8_encode(),然后通过preg_replace()以删除情绪化的字符。但必须有更好/更清洁的方式。 

echo preg_replace('/[^a-z0-9_ \[\]\.\(\)#%&-]/si', '', utf8_encode($evilString)).'<br>';

1 个答案:

答案 0 :(得分:1)

经过一些进一步的测试后,我添加了US-ASCII//TRANSLIT - UTF-8//IGNORE以便修复这些类型的字符串,而不使用你将使用的正则表达式:

echo iconv('US-ASCII//TRANSLIT', 'UTF-8//IGNORE', $evilString); //EvilFile.EXE

希望这可以帮助将来解决这个独特问题的任何人。

相关问题
最新问题