摘要:的預(yù)定義變量和�����,這些變量的生成過程��。主要是由于之前看到一篇文章通過構(gòu)造沖突實(shí)現(xiàn)各種語(yǔ)言的拒絕服務(wù)攻擊�����。其中看似是相當(dāng)于注冊(cè)聲明對(duì)應(yīng)的預(yù)定義變量名����,而才是真正的將值寫入到和變量中的操作�����。提交最大變量數(shù)限制����,中做限制�,參考資料
PHP的預(yù)定義變量:$_SERVER,$_POST,$_GET,$_COOKIE,$_ENV,$_FILES和$_REQUEST,這些變量的生成過程��。
主要是由于之前看到一篇文章通過構(gòu)造Hash沖突實(shí)現(xiàn)各種語(yǔ)言的拒絕服務(wù)攻擊����。
看完之后思考這些變量是什么時(shí)候生成的�,是由web服務(wù)器生成的還是PHP生成的�����?
猜想:
客戶端將請(qǐng)求發(fā)送到web服務(wù)器�����,web服務(wù)器在收到請(qǐng)求后�����,將請(qǐng)求攜帶的參數(shù)寫入到緩沖區(qū)stdin�����,然后php寫入預(yù)定義變量的時(shí)候�,會(huì)從stdin中取出這些參數(shù)然后裝入到對(duì)應(yīng)的預(yù)定義變量中$_GET,$_POST,$_REQUEST中
自己跟蹤代碼看整個(gè)php的流程
1>執(zhí)行main/mian.c中的php_module_startup函數(shù)
2>執(zhí)行php_startup_auto_globals函數(shù),該函數(shù)在php_variables.c中定義的
//php_variable.c
void php_startup_auto_globals(void)
{
zend_register_auto_global(zend_string_init("_GET", sizeof("_GET")-1, 1), 0, php_auto_globals_create_get);
zend_register_auto_global(zend_string_init("_POST", sizeof("_POST")-1, 1), 0, php_auto_globals_create_post);
zend_register_auto_global(zend_string_init("_COOKIE", sizeof("_COOKIE")-1, 1), 0, php_auto_globals_create_cookie);
zend_register_auto_global(zend_string_init("_SERVER", sizeof("_SERVER")-1, 1), PG(auto_globals_jit), php_auto_globals_create_server);
zend_register_auto_global(zend_string_init("_ENV", sizeof("_ENV")-1, 1), PG(auto_globals_jit), php_auto_globals_create_env);
zend_register_auto_global(zend_string_init("_REQUEST", sizeof("_REQUEST")-1, 1), PG(auto_globals_jit), php_auto_globals_create_request);
zend_register_auto_global(zend_string_init("_FILES", sizeof("_FILES")-1, 1), 0, php_auto_globals_create_files);
}
//zend_compile.c,將各個(gè)預(yù)定義變量寫入
int zend_register_auto_global(zend_string *name, zend_bool jit, zend_auto_global_callback auto_global_callback){
zend_auto_global auto_global;
int retval;
auto_global.name = zend_new_interned_string(name);
auto_global.auto_global_callback = auto_global_callback;
auto_global.jit = jit;
retval = zend_hash_add_mem(CG(auto_globals), auto_global.name, &auto_global, sizeof(zend_auto_global)) != NULL ? SUCCESS : FAILURE;
zend_string_release(name);
return retval;
}
//zend_compile.c�����,將各個(gè)變量的key-value寫入到hashtable中
static zend_always_inline void *zend_hash_add_mem(HashTable *ht, zend_string *key, void *pData, size_t size){
zval tmp, *zv;
ZVAL_PTR(&tmp, NULL);
if ((zv = zend_hash_add(ht, key, &tmp))) { //這一步的$_REQUEST可能被攻擊
Z_PTR_P(zv) = pemalloc(size, ht->u.flags & HASH_FLAG_PERSISTENT);
memcpy(Z_PTR_P(zv), pData, size);
return Z_PTR_P(zv);
}
return NULL;
}
laruence的博客:
要知道PHP是怎么處理的�����,首先我們要了解,$_GET, $_POST, $_COOKIE等變量的構(gòu)造過程�����。
每個(gè)請(qǐng)求到來(lái)以后��,apache處理到response階段的時(shí)候�, 會(huì)將控制權(quán)交給PHP模塊, PHP模塊會(huì)在處理請(qǐng)求之前首先間接調(diào)用 php_request_startup函數(shù)����,在php_request_startup中:
#ifndef APACHE_HOOKS
int php_request_startup(void)
{
int retval = SUCCESS;
#ifdef HAVE_DTRACE
DTRACE_REQUEST_STARTUP(SAFE_FILENAME(SG(request_info).path_translated), SAFE_FILENAME(SG(request_info).request_uri), (char *)SAFE_FILENAME(SG(request_info).request_method));
#endif /* HAVE_DTRACE */
#ifdef PHP_WIN32
# if defined(ZTS)
_configthreadlocale(_ENABLE_PER_THREAD_LOCALE);
# endif
PG(com_initialized) = 0;
#endif
#if PHP_SIGCHILD
signal(SIGCHLD, sigchld_handler);
#endif
zend_try {
PG(in_error_log) = 0;
PG(during_request_startup) = 1;
php_output_activate();
/* initialize global variables */
PG(modules_activated) = 0;
PG(header_is_being_sent) = 0;
PG(connection_status) = PHP_CONNECTION_NORMAL;
PG(in_user_include) = 0;
zend_activate();
sapi_activate();
#ifdef ZEND_SIGNALS
zend_signal_activate();
#endif
if (PG(max_input_time) == -1) {
zend_set_timeout(EG(timeout_seconds), 1);
} else {
zend_set_timeout(PG(max_input_time), 1);
}
/* Disable realpath cache if an open_basedir is set */
if (PG(open_basedir) && *PG(open_basedir)) {
CWDG(realpath_cache_size_limit) = 0;
}
if (PG(expose_php)) {
sapi_add_header(SAPI_PHP_VERSION_HEADER, sizeof(SAPI_PHP_VERSION_HEADER)-1, 1);
}
if (PG(output_handler) && PG(output_handler)[0]) {
zval oh;
ZVAL_STRING(&oh, PG(output_handler));
php_output_start_user(&oh, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
zval_ptr_dtor(&oh);
} else if (PG(output_buffering)) {
php_output_start_user(NULL, PG(output_buffering) > 1 ? PG(output_buffering) : 0, PHP_OUTPUT_HANDLER_STDFLAGS);
} else if (PG(implicit_flush)) {
php_output_set_implicit_flush(1);
}
/* We turn this off in php_execute_script() */
/* PG(during_request_startup) = 0; */
php_hash_environment();
zend_activate_modules();
PG(modules_activated)=1;
} zend_catch {
retval = FAILURE;
} zend_end_try();
SG(sapi_started) = 1;
return retval;
}
其中的zend_variables.c文件中php_hash_environment函數(shù):
PHPAPI int php_hash_environment(void)
{
memset(PG(http_globals), 0, sizeof(PG(http_globals)));
zend_activate_auto_globals();
if (PG(register_argc_argv)) {
php_build_argv(SG(request_info).query_string, &PG(http_globals)[TRACK_VARS_SERVER]);
}
return SUCCESS;
}
//回調(diào)zend_variables.c中的zend_activate_auto_globals函數(shù)將請(qǐng)求的value寫入到對(duì)應(yīng)的$_POST和$_GET預(yù)定義變量中
ZEND_API void zend_activate_auto_globals(void) /* {{{ */
{
zend_auto_global *auto_global;
ZEND_HASH_FOREACH_PTR(CG(auto_globals), auto_global) {
if (auto_global->jit) {
auto_global->armed = 1;
} else if (auto_global->auto_global_callback) {
//這里會(huì)回調(diào)php_auto_globals_create_post,php_auto_globals_create_get,php_auto_globals_create_request函數(shù)處理對(duì)應(yīng)的變量
auto_global->armed = auto_global->auto_global_callback(auto_global->name);
} else {
auto_global->armed = 0;
}
} ZEND_HASH_FOREACH_END();
}
拿其中一個(gè)$_REQUEST數(shù)據(jù)來(lái)看,php_variables.c文件中php_auto_globals_create_request函數(shù)對(duì)應(yīng)代碼:
static zend_bool php_auto_globals_create_post(zend_string *name)
{
if (PG(variables_order) &&
(strchr(PG(variables_order),"P") || strchr(PG(variables_order),"p")) &&
!SG(headers_sent) &&
SG(request_info).request_method &&
!strcasecmp(SG(request_info).request_method, "POST")) {
//寫入數(shù)據(jù)
sapi_module.treat_data(PARSE_POST, NULL, NULL);
} else {
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]);
array_init(&PG(http_globals)[TRACK_VARS_POST]);
}
zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_POST]);
Z_ADDREF(PG(http_globals)[TRACK_VARS_POST]);
return 0; /* don"t rearm */
}
可以看到�,離成功不遠(yuǎn)了,sapi_module.treat_data 也就是php_default_treat_data,
在php_default_treat_data中�,對(duì)于變量��,都調(diào)用php_register_variable_safe來(lái)注冊(cè)變量��,
而php_register_variable_safe最終會(huì)調(diào)用php_register_variable_ex:
zend_variables.c文件中zend_register_auto_global和zend_activate_auto_globals之間的關(guān)系�����,應(yīng)該有先后順序的問題。
其中zend_register_auto_global看似是相當(dāng)于注冊(cè)聲明對(duì)應(yīng)的預(yù)定義變量名�����,而zend_activate_auto_globals才是真正的將值寫入到$_GET和$_POST變量中的操作��。
提交最大變量數(shù)限制���,php_varialbles.c中add_post_vars做限制�,SAPI_POST_HANDLER_FUNC(php_std_post_handler)
參考資料:
http://www.laruence.com/2008/...
http://www.laruence.com/2008/...
http://www.php-internals.com/...
文章版權(quán)歸作者所有��,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為�,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/23225.html
