PHP allowed zip mimetypes

Question

I know (from the answer to this question: .rar, .zip files MIME Type) that most people check zip files in PHP as application/zip or application/octet-stream, but I have a couple of questions about this:

  • is it safe just to check for application/octet-stream (given that application/octet-stream can be used to describe many more file types than just zip!). I know I could check the file in other ways too, but thought I should try and keep everything as simple as possible
  • I've tried to check for as many different actual zip types as possible; but, there are some which give some unexpected results. I've found 1 for which the mime-type is application/x-external-editor, but PHP has problems dealing with it (although the only error I get is Warning: ZipArchive::close() [ziparchive.close]: Invalid or unitialized Zip object) - is this documented anywhere? Is there a list of actual x- mimetypes which PHP can cope with?

Edit

In answer to the questions below:

  • I'm checking the mime type by using $_FILES['fileatt']['type'], but using mime_content_type() gives the same result. Different zip files seem to be any one of the following: 'application/zip', 'application/x-compressed', 'application/x-zip-compressed', 'application/x-compressed', 'multipart/x-zip'. I didn't understand why I got an error when the mime type was detected as being application/x-external-editor.
  • I have got the zip extension installed, and I am extracting all the files from the zip files when they are uploaded. I hadn't thought about checking the error.

I have also found another thing I don't quite understand: when I use the following code with a file which PHP reads as application/x-external-editor:

$zip = new ZipArchive();
// Array key quoted: a bare fileatt is an undefined constant
if($zip->open($_FILES['fileatt']['tmp_name'])===TRUE)
{
    echo "success";
} else {
    echo "error";
} 

prints "error", but checking the file type as

$res = $zip->open($_FILES['fileatt']['tmp_name']);
if($res)
{
    echo "success";
} else {
    echo "error";
} 

prints "success"; in this code, I assume that the boolean is effectively using ==, not ===, but why should this make a difference?

Error:

$res = $zip->open($_FILES['fileatt']['tmp_name']);
if($res===TRUE)
{
    echo "success";
} else {
    echo $res;
} 

prints 19 - which error (http://uk3.php.net/manual/en/ziparchive.open.php) does 19 refer to?!

Recommended answer

Never trust the mime type, this can be easily spoofed by the client. They could submit an exe and give it a mime type of text/plain if they wanted to.

All zip files begin with a standard local file header signature (0x04034b50) so you could check that the first 4 bytes of the file match the zip signature bytes. See the PKZIP Appnote for more details.

If you have the zip extension enabled, you can go even further and attempt to open and read the zip to make sure it is a fully valid zip file.

Something like this works:

$zip = zip_open('/path/to/file.zip');
if (is_int($zip)) {
    echo "Error $zip encountered reading the file, is it a valid zip?";
} else {
    echo "Thanks for uploading a valid zip file!";
}

zip_open returns a resource if opened successfully, otherwise an integer representing the error that occurred reading the file.

Edit: To elaborate on some of your questions:

About application/octet-stream: This is as you said, a very generic type. This just means any file that contains 8-bit data which is basically everything and anything. application/zip is the de-facto standard mime-type, but some clients will use other values as you have discovered. Also given the fact that a client can easily spoof any file type to use application/zip I wouldn't rely on $_FILES['fileatt']['type'] since it can be anything.

AFAIK, mime_content_type() simply looks at the file extension and maps it to a mime type from a mime.types file on the system or built into PHP. If someone put a .zip extension on an exe file it would still register as application/zip. I believe certain extensions may examine the file header.

Zip::open() returns TRUE if the file was opened successfully, or an integer error code. Therefore, == will give you a false positive on an error because any non-zero integer will evaluate to true using == since it will cast a non-zero integer to TRUE. If you are going to check the return from Zip::open you should always use $res === true in order to check for success. You can find the meanings of the error codes here in the comment at the bottom of the page.

Bottom Line: Since you said you are already extracting the zip, it may be less of a bother to validate based on the mime type, but instead it would be easier to just attempt to open the file and go based on the return value of open. If it returns true, you can figure the file is a valid zip (there could of course be errors later in the file, but they at least uploaded something resembling a zip file).

Hope that helps.
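
The two checks described in the answer (signature bytes, then a strict comparison on the result of open), combined as an added example that is not part of the original answer. It uses ZipArchive rather than zip_open(), which is deprecated as of PHP 8.0; the function name check_zip() and the sample files are hypothetical and constructed here.

```php
<?php
// Added example; check_zip() is a hypothetical helper, not a PHP built-in.

/** Returns true if $path opens as a zip archive, otherwise a reason string. */
function check_zip(string $path)
{
    // Cheap pre-filter: the local file header signature 0x04034b50 is stored
    // little-endian, so on disk it is the four bytes "PK\x03\x04".
    $magic = file_get_contents($path, false, null, 0, 4);
    if ($magic !== "PK\x03\x04") {
        return 'signature mismatch';
    }

    // Authoritative check: let the zip extension parse the archive.
    $zip = new ZipArchive();
    $res = $zip->open($path, ZipArchive::CHECKCONS);
    if ($res !== true) {               // strict: open() returns true or an int code
        $names = [
            ZipArchive::ER_NOZIP  => 'ER_NOZIP (not a zip archive)',
            ZipArchive::ER_INCONS => 'ER_INCONS (zip archive inconsistent)',
            ZipArchive::ER_OPEN   => 'ER_OPEN (cannot open file)',
            ZipArchive::ER_READ   => 'ER_READ (read error)',
        ];
        return $names[$res] ?? "error code $res";
    }
    $zip->close();
    return true;
}

// Constructed sample inputs: a real archive, a text file renamed to .zip,
// and a file that only carries the zip signature followed by filler.
$dir  = sys_get_temp_dir();
$good = "$dir/sample_good.zip";
$text = "$dir/sample_text.zip";
$fake = "$dir/sample_fake.zip";

$z = new ZipArchive();
$z->open($good, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('hello.txt', 'hello');
$z->close();
file_put_contents($text, 'just some text');
file_put_contents($fake, "PK\x03\x04" . str_repeat('A', 64));

foreach ([$good, $text, $fake] as $f) {
    echo basename($f), ': ', var_export(check_zip($f), true), PHP_EOL;
}

// Why if ($res) misreports failure: a non-zero error code is loosely equal to true.
var_dump(ZipArchive::ER_NOZIP == true, ZipArchive::ER_NOZIP === true);
```

For an upload, pass `$_FILES['fileatt']['tmp_name']` to the function and ignore `$_FILES['fileatt']['type']`, which is supplied by the client.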
