Problem description

When I try to process a file upload, should I run verification based on the file's MIME type or on the file extension?
What are the pros & cons of these two ways of validating files?
And are there any other security issues I should be concerned about?
These days I have been relying on the MIME type, but the most up-voted answer in this post, File upload issues in PHP, says:

    Never rely on the MIME type submitted by the browser!
Recommended answer

Okay, so to all the geniuses here yapping something about "SCREW EXTENSIONS, CHECK MIME! FILEINFO RLZ!", I've prepared a little tutorial:

- Download this nice PHP logo I drew
- Look at it. Pretty nice, isn't it?
- Rename it to whatever_you_like.php
- Pass it through all the wonderful MIME type/whatever checkers
- Run it

In conclusion, you should NEVER EVER EVER rely on MIME type. Your web server doesn't care about the MIME type; it determines what to do by EXTENSION, and the heavily downvoted answer by @Col. Shrapnel is actually right. Any information provided to you by something checking MIME is absolutely irrelevant to your web server when it comes to execution.

The not-as-uncommon-as-you'd-want-it-to-be code that opens a website to this type of attack:
<?php
// Vulnerable handler from the answer: the content check passes, but the file is
// saved under the client-supplied name, so a .php extension ends up executable.
$mimetype = mime_content_type($_FILES['file']['tmp_name']);
if (in_array($mimetype, array('image/jpeg', 'image/gif', 'image/png'))) {
    // Destination keeps whatever name (and extension) the client sent.
    move_uploaded_file($_FILES['file']['tmp_name'], '/whatever/something/imagedir/' . $_FILES['file']['name']);
    echo 'OK';
} else {
    echo 'Upload a real image, jerk!';
}
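The handler above fails for exactly the reason the answer gives: the server decides how to handle a file by its extension, and the code hands the client's filename straight to disk. The following is an added example (not code from the original question or answer) of a hardened replacement. It assumes PHP 8 with the fileinfo and GD extensions, a storage directory `/var/app/uploads` that lies outside the web root (or has PHP execution disabled), and that stored images are served back by a separate script; the function names `validated_image_extension` and `store_image` are this example's own.

```php
<?php
// Added example: hardened image upload handler (not the original answer's code).
// Assumed layout: $storeDir is outside the web root, so nothing written there can
// be executed by the web server regardless of its name or extension.
declare(strict_types=1);

// Allowed detected MIME type => extension the SERVER assigns on disk.
// The client's filename and extension are never reused.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Inspects the temporary upload at $path and returns the extension to store it
 * under, or null if the file is rejected.
 */
function validated_image_extension(string $path): ?string
{
    // 1. Content sniffing with finfo. On its own this is the check the answer
    //    shows being bypassed: a file can begin with a valid image header and
    //    still carry PHP code after it, so it is only the first gate here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // 2. Require a decodable image header with sane dimensions, and require
    //    that getimagesize() agrees with finfo about the type.
    $info = @getimagesize($path);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] > 8192 || $info[1] > 8192) {
        return null;
    }
    if (($info['mime'] ?? '') !== $mime) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Re-encodes the image with GD so any bytes trailing the image data (for
 * example an appended PHP payload) are discarded, then writes it under a
 * server-generated random name. Returns the stored filename or null on failure.
 */
function store_image(string $tmpPath, string $storeDir): ?string
{
    // is_uploaded_file() ensures we only ever move a file PHP itself received.
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    $ext = validated_image_extension($tmpPath);
    if ($ext === null) {
        return null;
    }

    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // Random name chosen by the server; the user-supplied name never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);

    return $ok ? $name : null;
}

// Usage, replacing the vulnerable handler above. '/var/app/uploads' is an
// assumed path outside the web root.
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $stored = store_image($_FILES['file']['tmp_name'], '/var/app/uploads');
    echo $stored !== null ? 'OK' : 'Upload a real image.';
}
```

The three controls that matter are independent of the MIME check: the server picks the extension from its own allowlist, the server picks the filename, and the destination directory cannot execute scripts. Re-encoding through GD additionally strips anything an attacker appended after a genuine image header, which is the usual way a file passes finfo while still containing PHP. Treat the MIME and dimension checks as hygiene that rejects junk early, not as the security boundary.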
這篇關于PHP 文件上傳:基于 MIME 或擴展名的驗證?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!