Last active
November 5, 2015 08:32
-
-
Save ts0818/58d30b5f941607ab5b08 to your computer and use it in GitHub Desktop.
パーフェクトPHP インクルード攻撃対応方法 ホワイトリスト方式によるインクルードファイルの制限
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // nullバイトが含まれていた場合は処理終了 | |
| if (strpos($_GET['design'], "\0") !== false) { | |
| exit(); | |
| } | |
| // 「red.html」, 「blue.html」以外の読み込み指定があったら処理終了 | |
| $allow_files = array('red', 'blue'); | |
| if (in_array($_GET['design'], $allow_files, true) === false) { | |
| exit(); | |
| } | |
| // 指定されたファイルをインクルード | |
| include '/var/www/html/design/' . $_GET['design'] . '.html'; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment