I have PHP shell and I want user to be able to call functions directly. I got it done. But then I found out that user can call even pre-defined functions like unlink and more. I think this is security hole so I want to restrict callable functions to only those which I have defined, e.g.:calling unlink wont work.
我有PHP shell,我希望用户能够直接调用函数。我完成了。但后来我发现用户甚至可以调用unlink等预定义函数。我认为这是安全漏洞所以我想将可调用函数限制为仅我已定义的函数,例如:调用unlink不起作用。
2 个解决方案
#1
0
You can get the list of define functions with
您可以使用获取定义函数列表
get_defined_functions();
It will return an assoc array with user defined and internal functions. You can use that information to decide whether a functions is user defined or internal. (manual)
它将返回一个带有用户定义和内部函数的assoc数组。您可以使用该信息来确定函数是用户定义的还是内部函数。 (手册)
#2
0
You can disable functions using the disable_functions INI setting (in your php.ini file).
您可以使用disable_functions INI设置(在php.ini文件中)禁用功能。
For example:
例如:
disable_functions=unlink,fopen,file_get_contents [and so on...]
#1
0
You can get the list of define functions with
您可以使用获取定义函数列表
get_defined_functions();
It will return an assoc array with user defined and internal functions. You can use that information to decide whether a functions is user defined or internal. (manual)
它将返回一个带有用户定义和内部函数的assoc数组。您可以使用该信息来确定函数是用户定义的还是内部函数。 (手册)
#2
0
You can disable functions using the disable_functions INI setting (in your php.ini file).
您可以使用disable_functions INI设置(在php.ini文件中)禁用功能。
For example:
例如:
disable_functions=unlink,fopen,file_get_contents [and so on...]