I have this code:
<?php
// $_POST['configdata'] is taken straight from the request; htmlentities() only
// encodes HTML characters and does nothing against "../" or shell metacharacters.
$file=htmlentities($_POST['configdata']);
print ("About to show this configuration file:" . $file);
echo "<p></p>";
// The unchecked value is interpolated into a shell command and system() runs it.
$results = system("type $file");
print "data is " . $results;
?>
What do I need to implement to prevent path traversal? I have been trying to figure this out. Any help would be greatly appreciated!
Answer 0: (score: 1)
An example:
<?php
// Map of allowed labels to the only files this page may display. The user
// never supplies a path, only a key into this map.
$whitelist = [
    'Apache' => '/apache/directory/httpd/conf/httpd.conf',
    'PHP'    => '/php/directory/php/php.ini',
    'MySQL'  => '/mysql/directory/mysql/my.ini'
];

// is_string() guards against a configdata[] array parameter, which would make
// the array lookup throw on current PHP versions.
if (! empty($_POST['configdata']) && is_string($_POST['configdata'])
    && isset($whitelist[$_POST['configdata']])) {
    $hd = fopen($whitelist[$_POST['configdata']], 'r');
    $content = fread($hd, filesize($whitelist[$_POST['configdata']]));
    fclose($hd);
    echo $content;
    exit;
} else {
    if (! empty($_POST['configdata'])) {
        echo '<p>Invalid option, please try again</p>';
    }
    // Build the <select> from the same map, so the form can only offer valid keys.
    $options = '';
    foreach ($whitelist as $k => $v) {
        $options .= "<option value=\"{$k}\">{$k}</option>";
    }
    $html = <<<HTML
<form method="POST">
    <select name="configdata">
        <option>Select file</option>
        {$options}
    </select>
    <input type="submit" value="Try" />
</form>
HTML;
    echo $html;
}
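The answer's fixed map is the strongest option. Where the file name genuinely has to come from the user, the added example below (not from the question or the answer) confines it to a single directory: only a bare file name is accepted, and the realpath() result must still lie under $baseDir, which also catches symlinks pointing elsewhere. Directory names and sample files are constructed for the self-check.

```php
<?php
// Returns the verified absolute path of $name inside $baseDir, or null.
function resolveConfigPath(string $baseDir, $name): ?string
{
    // $_POST values may be arrays; accept only a non-empty plain string.
    if (!is_string($name) || $name === '' || strlen($name) > 255) {
        return null;
    }
    // A single path component: no slashes, backslashes or NUL bytes, no "." / "..".
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name) || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks, so a link that escapes $baseDir fails the prefix test.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed self-check: a temporary config directory holding one real file
// and one symlink that points outside the directory (skipped if symlinks fail).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'httpd.conf', "Listen 80\n");
@symlink(DIRECTORY_SEPARATOR . 'etc' . DIRECTORY_SEPARATOR . 'hostname',
         $dir . DIRECTORY_SEPARATOR . 'host.conf');

$checks = [
    'httpd.conf'        => true,   // plain name inside the directory: accepted
    '../../etc/passwd'  => false,  // traversal: rejected by the component check
    "httpd.conf\0.txt"  => false,  // NUL byte: rejected
    'host.conf'         => false,  // symlink resolving outside $dir: rejected
];
foreach ($checks as $input => $expected) {
    $accepted = resolveConfigPath($dir, $input) !== null;
    printf("%-24s %s\n", json_encode($input), $accepted === $expected ? 'ok' : 'UNEXPECTED');
}
foreach (['httpd.conf', 'host.conf'] as $f) {
    @unlink($dir . DIRECTORY_SEPARATOR . $f);
}
rmdir($dir);
```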