多部分表单直接提交到 URL
我们有一个基于网络的应用程序,其中用户可以选择将文档/文件上传到我们的数据库中。在上传任何文档/文件之前,我们希望将文件发送给一些网站提供的免费在线病毒扫描,例如 http:// /virusscan.jotti.org/en,从他们那里获取扫描状态。只有当响应状态正常时,才应该允许上传到我们的数据库。
我什至尝试了以下给出的解决方案: lindaocta.com/?cat=20
我的问题是:
1) 如何在我的应用程序中直接将文档/文件发送到免费的在线病毒扫描程序网站而不将文档下载到我的服务器 。
2)现在的Web应用程序是使用AJAX开发的,因此可以在页面中逐步更新响应。如果我尝试阅读从免费在线病毒扫描程序网站返回的响应,这不是我所期望的。我该如何解决此类场景?
技术 操作系统:RedHat Linux ES5.0 Java 1.6 JSP 小服务程序 汤姆猫 v6.0.10
We've a web-based application wherein there is an option for Users to upload documents / files into our database. Before uploading any document / file, we want to send the file for free online virus scanning offered by few websites like http://virusscan.jotti.org/en, get the scan status from them. Only if the response status is OK, it should be allowed to uploaded to our database.
I even tried a solution given in:
lindaocta.com/?cat=20
My question here is:
1) How do I handle in my application to directly send the document / file to the free online virus scanner websites without downloading the document to my server.
2) Nowadays web applications are developed using AJAX, hence response can be progressively updated in the page. If I try to read the response returned from free online virus scanner website, it is not what I expected. How do I solve this kind of scenarios?
Technologies
OS: RedHat Linux ES5.0
Java 1.6 JSP
Servlets
Tomcat v6.0.10
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
1) 您至少必须通过服务器代理请求,以便有机会检查病毒扫描程序的响应。如果客户直接向 AV 公司发布信息,您的 servlet 将被排除在循环之外,除非 AV 站点提供某种基于令牌的第三方验证系统。什么是免费 AV 网站?
2) 切勿在客户端(浏览器)处理任何安全业务逻辑,无论是通过 AJAX 还是任何其他方法。攻击者可以简单地修改 JavaScript 并伪造来自 AV 扫描仪站点的积极响应。
为什么您如此害怕将可能不安全的文件下载到您的服务器?只需将其上传到您创建的特殊非公开可浏览目录(其中没有其他程序正在查找配置文件),扫描病毒,如果不通过则将其删除。如果您从未尝试执行它,并且它没有覆盖某些配置文件或内核文件或其他内容,那么您可能已经做得足够了。
1) You would have to at least proxy the request through your server in order to have any chance at inspecting the virus scanner's response. If the client posts directly to the AV company, your servlet would be cut out of the loop, unless the the AV site offers some kind of token based 3rd party verification system. What is the free AV site?
2) Never handle any security business logic on the client (browser) side whether it be by AJAX or any other method. An attacker can simply modify the javascript and forge a positive response from the AV scanner site.
Why are you so scared of downloading the potentially unsafe file to your server? Just upload it to a special non-publicly browsable directory that you create (where no other program is looking for config files), scan it for viruses, and delete it if it doesn't pass. If you never try to execute it, and it's not overwriting some config file or kernel file or something, you've probably done enough.