图片上传-安全问题
我正在开发一个 ASP.NET Web 应用程序,希望用户能够从本地系统上传图像,或者传递图像的 URL。图像可以是 JPG 或 PNG。这样做我应该关注哪些安全问题?我见过在 JPG 文件中嵌入代码的各种方法。 C#(或外部库)中是否有任何方法可以确认文件是 JPG/PNG,否则会抛出错误?至少,我将保存上传图像的目录设置为不可浏览,并将最大大小限制为 1mb,但我想实施进一步的检查。
感谢您的任何建议。
I'm developing an ASP.NET Web app and would like the user to be able to either upload an image from their local system, or pass in a URL to an image. The image can either be a JPG or PNG. What security issues should I be concerned about doing this? I've seen various ways of embedding code within JPG files. Are there any methods in C# (or external libraries) which can confirm that a file is a JPG/PNG, otherwise throw an error? At the very least, I'm making the directory which holds uploaded images non-browsable and putting a max size limit of 1mb, but I'd like to implement further checks.
Thanks for any advice.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
也许吧,但这本身并没有真正的帮助。您可以轻松地创建既是有效图像格式又包含活动 HTML/脚本内容的文件,供 IE 内容嗅探偶然发现。或者还需要担心 Java 和 Flash 源策略被破坏,这与编写服务器安全上下文的脚本具有相同的效果。
如果您处理图像(例如裁剪、调整大小)并重新保存,那么内容走私攻击就变得非常非常困难。但是,您应该始终确保您的服务器端工具是最新的,因为图像处理库中的漏洞可能会让您遭受服务器端攻击。
如果您做不到这一点,那么缓解所有内容注入问题的最佳选择是从不同的[子]域提供图像,该域无法访问任何敏感凭据(cookie、 图像
如果为此目的使用子域(例如
images.example.com),则您的主网站应该只能通过www.example.com 访问code> 且不是example.com。否则,注入images.example.com的内容可以在 IE 中访问example.com的 Cookie。example.com应 301 重定向到www.example.com以防止不必要的 Cookie 泄漏。将标头
X-Content-Type-Options: nosniff添加到响应中以阻止来自 IE8 的内容走私攻击。 (唉,对早期版本没有帮助。)另外:
清理用户指定的文件名很难,特别是如果您的应用可能运行在 Windows 服务器上,其中关于可用文件名的规则是确实很复杂。一个好的开始是只允许字母数字,并添加您自己的文件扩展名和前缀。 (需要使用前缀来避免 Windows 保留的文件名和空文件名。)
更好:将用户提供的文件名存储在数据库中,而不是将其用作真实文件名。
有关文件上传安全问题的更多讨论,请参阅此问题。
Maybe, but that doesn't really help in itself. You can easily make file that is both a valid image format and contains active HTML/script content for IE content-sniffing to stumble on. Or then there's the broken Java and Flash origin policies to worry about, which can have the same effect of scripting into your server's security context.
If you process the image (eg. crop, resize) and re-save that makes it very, very difficult to do content-smuggling attacks. However, you should always ensure that your server-side tools are up-to-date, as vulnerabilities in image processing libraries might expose you to server-side exploit.
If you can't do that, your best bet as a mitigation for all content-injection problems is to serve your images from a different [sub]domain which doesn't have access to any of the sensitive credentials (cookies, basic auth) of the main site.
If using a subdomain for this purpose such as
images.example.com, your main site should be accessible only throughwww.example.comand notexample.com. Otherwise, content injected intoimages.example.comcan access cookies forexample.comin IE.example.comshould 301-redirect towww.example.comto prevent unwanted cookie leakage in general.Add the header
X-Content-Type-Options: nosniffto the response to block content-smuggling attacks from IE8. (Doesn't help with earlier versions, alas.)Also:
Sanitising user-specified filenames is hard, especially if your app is likely running on a Windows server where the rules about usable filenames are complicated indeed. A good place to start is allowing only alphanumerics, and adding your own file extension and prefix. (A prefix is necessary to avoid the Windows reserved filenames, and the empty filename.)
Better: store the user-supplied filename in the database instead of using it as a real filename.
See this question for more discussion of file upload security problems.
这绝对是一个雷区。需要考虑的事项(不一定是详尽的列表,没有保证等)。
This is an absolute minefield. Something to take into consideration (not necessarily an exhaustive list, no guarantees, etc.).
不要让用户确定将在您的服务器上使用的文件名。如果需要,请使用 [生成的 guid].jpg 并将其使用的文件名放入数据库表中。
请参阅此处的#12:http:// /www.codinghorror.com/blog/2009/01/top-25-most-dangerous-programming-mistakes.html
也要小心 URL,确保它是绝对的外部 URL,这样他们就无法使用您自己的 Web 服务器将机密文件从 LAN 复制到他们可以访问的区域,因为您将从以下位置加载该 URL在您的网络服务器上运行的代码。
Don't let the user determine the file name that will be used on your server. Use [generated guid].jpg instead and put the file name they used in a database table if you need it.
See #12 here: http://www.codinghorror.com/blog/2009/01/top-25-most-dangerous-programming-mistakes.html
Be careful with the URL too, make sure it's an absolute, external URL so they can't use your own web server to copy a confidential file off your LAN out into an area they can access it since you'll be loading that URL from code running on your web server.
您可以使用基础设施即服务来处理图像,例如我们的解决方案 - Uploadcare:
https://uploadcare。 com
如果您对上传的图像应用任何图像操作,它就会被修改,因此,任何可能嵌入到该文件中的代码都将被销毁。
You may use Infrastructure as a Service for handling images, for example our solution - Uploadcare:
https://uploadcare.com
If you apply any of the image operations to the uploaded image, it gets modified, and therefore any code that might be embedded within the file will be destroyed.