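JavaScript has a lot of features and capabilities that I'm not aware of. I have developed a custom closed-source CMS, and I'm thinking about adding a feature that allows custom JavaScript to be included on every page of their website (but not in the backend system itself). I'm curious about the risks of doing this. The CMS is built with PHP, and there is JavaScript in the backend system of the CMS, but that's it.
If I allow custom JavaScript, can it be manipulated to retrieve all of the PHP code, or to cause problems on the server itself?
I own the server, so I can make whatever adjustments are necessary to protect the server.
Again, this is purely for information, and I appreciate any advice people can give me.
The JavaScript will be stored in a file and included on the page itself using PHP. I do have code that blocks anything inside it, to prevent PHP from being used in the code itself.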
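To answer your first question: no, users of your CMS software cannot steal your closed-source PHP code just by uploading a JavaScript snippet.
This is because JavaScript runs on the client side (the web browser).
If JavaScript were able to access your PHP code from the client side, then they would be able to access it without JavaScript. That would mean you have misconfigured something on the web server side, such as setting file permissions so that anyone can view them.
You will run into some people who scream "not under any circumstances". These are the people who say things like:
"eval() is always evil." It's not always evil, but it is almost always unnecessary.
"global or $_GLOBALS is evil." Again, it's only evil if you don't know what you're doing. And, again, it's almost always unnecessary.
You should treat this as a warning. Don't take it lightly: if you're careful you can do it, but if you're not careful, it really will bite you. That's enough to keep most people away from it.
Before deciding whether you should allow users of your CMS solution to upload JavaScript snippets, you should ask yourself the following questions: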
If the only people who have access to this feature of uploading JavaScript modules are trusted system administrators, then you should consider it safe. I put that in italics because it's not really safe, but it does, at that point, fall on these trusted users to ensure that they don't upload something malicious.
Maybe you get Mary Neophyte, webmaster (amateur) extraordinaire, who decides she wants a cool scriptlet on her CMS front page that displays the current weather in Anchorage, Alaska. She goes to Google, types in "JavaScript weather script", and arrives at Weather Channel. She decides their implementation is just too hard to install. She keeps looking. She arrives at Boris' Weather Script at http:/motherrussia.ru/ilovehackingidiots/weatherscript.html.
This isn't your fault when her CMS starts compromising her end users. She was the trusted administrator who uploaded a malicious script purposefully (though ignorantly). You shouldn't be held responsible for this type of behavior.
Long story short, you should be able to trust the trusted users of your CMS to be responsible enough to know what they are uploading. If they shoot themselves in the foot, that's not on you.
This absolutely, positively, without a doubt is never something that you should do. It is impossible for you to screen every possible obfuscation that someone could upload.
I'm not even going to get into this further. Don't do it. Period.
Don't assume that malicious code can't make it onto your website via HTML/CSS. While HTML is much easier to sanitize than JavaScript, it can still be exploited to deliver undesired JavaScript to a page.
If you are only allowing trusted users to upload HTML/CSS, then don't worry too much about it. I stress again, it is Mary Neophyte's fault if she uploads Boris' Weather Script to her site. However, don't let Boris himself come to your website and start uploading anything that will get displayed on a web page to anyone but ol' Boris himself.
I'll summarize everything into two rules:
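An added example, not part of the original answer, for the point above that HTML can still deliver undesired JavaScript: a review-time check that lists script-bearing constructs in an uploaded fragment and shows that deleting `<script>` tags alone leaves others behind. The names (`audit`, `strip_script_tags`, `SAMPLES`) and the sample fragments are constructed for illustration; the check flags a non-exhaustive set of constructs and is not a sanitizer.

```python
import re
from html.parser import HTMLParser

# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Elements that run or embed active content whatever their attributes are.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ScriptAudit(HTMLParser):
    """Records constructs in a fragment that can make a browser run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace/control characters, which browsers tolerate in schemes.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit(fragment):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = ScriptAudit()
    parser.feed(fragment)
    parser.close()
    return parser.findings


def strip_script_tags(fragment):
    """The tempting but insufficient filter: delete <script>...</script> only."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", fragment)


# Constructed sample uploads; track() stands in for any script.
SAMPLES = [
    '<p>Hello <b>world</b></p>',
    '<script>track()</script><img src="logo.png" onload="track()">',
    '<a href="jav&#x61;script:track()">weather</a>',
]

if __name__ == "__main__":
    for html in SAMPLES:
        print(audit(strip_script_tags(html)) or "nothing flagged", "<-", html)
```
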