PHP文件上传安全分析
我看到我长期使用的文件上传过滤已被妥协。
当我们查看 Image 上传的选项时,我们可以使用一些功能。我依靠Finfo_open函数来验证该文件确实是一个图像,但不是那么安全。
<?php
// file extension ( Bad )
$mime = end(explode('.','test.gif')); // VALID GIF
print_r($mime); // .gif
// getimagesize ( Worst )
$mime = getimagesize('test.gif')['mime']; // VALID GIF
print_r($mime); // image/gif
// FINFO ( A little good )
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, 'test.gif'); // VALID GIF
print_r($mime); // image/gif
?>
是的,但是我们有问题。它在下面的文件中返回为GIF。
test.gr,
GIF89
<?php
我认为Finfo_open功能会更健康,这给我带来了很多误解。 我需要您的建议。
I see that the file upload filtering that I have been using for a long time has been compromised.
When we look at our options for image upload, there are a few functions we can use. I relied on the finfo_open function to verify that the file is indeed an image, but it's not that secure.
<?php
// file extension ( Bad )
$mime = end(explode('.','test.gif')); // VALID GIF
print_r($mime); // .gif
// getimagesize ( Worst )
$mime = getimagesize('test.gif')['mime']; // VALID GIF
print_r($mime); // image/gif
// FINFO ( A little good )
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, 'test.gif'); // VALID GIF
print_r($mime); // image/gif
?>
Yes, but we have a problem. It returns as gif in the file below.
test.gif
GIF89
<?php
I thought the finfo_open function would be more healthy, it misled me a lot.
I need your suggestions on this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以在下面尝试。步骤1,2您已经在处理。
1)检查并确保上传的文件扩展名为“ GIF”
2)使用MIME_CONTENT_TYPE函数或Finfo_file函数检查MIME类型是否是GIF
3)读取文件的前四个字符(魔术字节),并确保它们是” GIF8“。对于其他类型,您需要使用不同的魔术字节。
以下是有关不同文件类型的魔术字节的更多详细信息。
https://gipedia.org/wikipedia.org/wiki/wiki/list_of_file_signatures
功能以从上传的GIF文件中创建一个临时GIF文件。
如果GIF创建失败,则意味着它不是适当的GIF。
https://www.php.net/manual/manual/enual/en/en/en/en/en/en/en/en/en/en/function.imagecreate.froheateeefromgif。 php
https://www.php.php.net/manual/manual/manual/enual/enual/en /ref.image.php
You can try below . Steps 1,2 you are already handling.
1)Check and make sure the uploaded file extension is "gif"
2)Use mime_content_type function or finfo_file function to check if mime type is gif
3)Read the first four chars ( magic bytes) of the file and make sure sure they are "GIF8" . For other types you need to use different magic bytes.
Below is more details about magic bytes for different files types.
https://en.wikipedia.org/wiki/List_of_file_signatures
4)You can use the imagecreatefromgif function to create a temp gif file out of the uploaded gif file.
If that gif create fails , means it is not a proper gif.
https://www.php.net/manual/en/function.imagecreatefromgif.php
https://www.php.net/manual/en/ref.image.php