Running user-uploaded PHP inside a website

Time: 2018-11-08 22:22:49

Tags: php

Christian joy. Let me say first: "Sorry for my English, but after many years of study I still don't speak it very well." Anyway.... I have a website developed with the MVC design pattern, on which a user can upload a PHP file and run it. To use this uploaded file, the user needs a token: example.com/home/profile/advance?token=XXXXXXXXXXXXXX. I want the user-uploaded file to be unable to interact with the server, as if it were running in a virtual machine. Is that possible? I hope I have explained myself.

1 answer:

Answer 0: (score: 0)

That is absolutely possible. Just attach the user's token to your form uploader:

<?php
$token = 'xxx';
?>

<form action="home/profile/advance?token=<?php echo htmlentities(urlencode($token)); ?>" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload File" name="submit">
</form>

This will $_POST the form to home/profile/advance?token=xxx

Note that the server-side generated token should only contain alphanumeric characters, but to be safe it is best to wrap it in htmlentities() and urlencode().

However, be aware that allowing users to upload (and run) their own PHP files is a huge security risk! I strongly recommend not allowing them to run PHP at all, and instead restricting permitted uploads to raw .txt files. There are several different vectors to consider here, so I suggest implementing the following (lightly modified from CertaiN):

<?php

header('Content-Type: text/plain; charset=utf-8');

try {
    
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it as invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }

    // You should also check filesize here. 
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');
    }

    // DO NOT TRUST THE CLIENT-SUPPLIED $_FILES['upfile']['type'] VALUE !!
    // Check the MIME type yourself by sniffing the file content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'txt' => 'text/plain',
        ),
        true
    )) {
        throw new RuntimeException('Invalid file format.');
    }

    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
        $_FILES['upfile']['tmp_name'],
        sprintf('./uploads/%s.%s',
            sha1_file($_FILES['upfile']['tmp_name']),
            $ext
        )
    )) {
        throw new RuntimeException('Failed to move uploaded file.');
    }

    echo 'File is uploaded successfully.';

} catch (RuntimeException $e) {

    echo $e->getMessage();

}
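The answer shows the upload form and the file checks but not the server side of the token the question asks about. The following is an added example, not code from the original answer or from CertaiN: a single handler for the home/profile/advance endpoint that verifies the token before touching the upload, then applies the same content checks and stores the file so it can never be executed. It assumes the expected token is kept in the user's session or database record and that $storageDir lies outside the web root.

```php
<?php
// Added example: token check plus plain-text-only upload storage.
// Assumptions: $expectedToken comes from the user's session/DB record, and
// $storageDir is outside the web root so nothing in it is ever run as PHP.

declare(strict_types=1);

function storeTextUpload(string $suppliedToken, string $expectedToken,
                         array $file, string $storageDir): string
{
    // Token must be alphanumeric (as the answer notes) and is compared in
    // constant time so the check does not leak how many characters matched.
    if (!ctype_alnum($suppliedToken) || !hash_equals($expectedToken, $suppliedToken)) {
        throw new RuntimeException('Invalid token.');
    }

    // Same $_FILES sanity checks as the answer: one file, no upload error,
    // and a size cap enforced here rather than only by php.ini.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }
    if ($file['size'] > 1000000 || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected upload.');
    }

    // Sniff the content; never trust the client-supplied $file['type'] or name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'text/plain') {
        throw new RuntimeException('Only plain-text files are accepted.');
    }

    // Content-derived name with a fixed .txt suffix: the original filename
    // (and any .php or double extension in it) never reaches the filesystem.
    $target = rtrim($storageDir, '/') . '/' . sha1_file($file['tmp_name']) . '.txt';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Failed to store upload.');
    }
    return $target;
}

// Typical call from the controller behind home/profile/advance
// (hypothetical session key and directory name):
// $path = storeTextUpload($_GET['token'] ?? '', $_SESSION['upload_token'],
//                         $_FILES['fileToUpload'] ?? [], __DIR__ . '/../private_uploads');
```

When the stored file is later shown to the user, send it with the same Content-Type: text/plain header the answer's script sets and readfile() it from $storageDir, rather than linking to it under the document root.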