Should we sanitize $_FILES['filename']['name']?


Question

After the user uploads an image to the server, should we sanitize $_FILES['filename']['name']?

I do check file size/file type etc. But I don't check other things. Is there a potential security hole?

Thanks

Accepted answer

Absolutely! As @Bob has already mentioned, it's too easy for common file names to be overwritten.

There are also some issues that you might want to cover, for instance not all the chars allowed in Windows are allowed in *nix, and vice versa. A filename may also contain a relative path and could potentially overwrite other non-uploaded files.

This is the Upload() method I wrote for the phunction PHP framework:

function Upload($source, $destination, $chmod = null)
{
    $result = array();
    $destination = self::Path($destination); // phunction helper: normalises the directory path (trailing slash included)

    if ((is_dir($destination) === true) && (array_key_exists($source, $_FILES) === true))
    {
        // Normalise a single-file upload into the multi-file (array) layout so one loop handles both.
        // Checking 'name' directly instead of counting keys keeps this working on PHP 8.1+, which adds 'full_path'.
        if (is_array($_FILES[$source]['name']) === false)
        {
            foreach ($_FILES[$source] as $key => $value)
            {
                $_FILES[$source][$key] = array($value);
            }
        }

        // basename() drops any directory component the client may have sent.
        foreach (array_map('basename', $_FILES[$source]['name']) as $key => $value)
        {
            $result[$value] = false;

            if ($_FILES[$source]['error'][$key] == UPLOAD_ERR_OK)
            {
                // phunction helper: keep only . 0-9 a-z A-Z and replace every other char with '_'
                $file = ph()->Text->Slug($value, '_', '.');

                if (file_exists($destination . $file) === true)
                {
                    // Name already taken: insert '_' . md5 of the content before the extension
                    // (or append it when there is no extension); use the slugged name, not the raw one.
                    $dot = strrpos($file, '.');
                    $file = substr_replace($file, '_' . md5_file($_FILES[$source]['tmp_name'][$key]), ($dot === false) ? strlen($file) : $dot, 0);
                }

                if (move_uploaded_file($_FILES[$source]['tmp_name'][$key], $destination . $file) === true)
                {
                    if (self::Chmod($destination . $file, $chmod) === true)
                    {
                        $result[$value] = $destination . $file;
                    }
                }
            }
        }
    }

    return $result;
}

The important parts are:

  1. array_map('basename', ...), this makes sure that the file doesn't contain any relative paths.
  2. ph()->Text->Slug(), this makes sure only .0-9a-zA-Z are allowed in the filename, all the other chars are replaced by underscores (_)
  3. md5_file(), this is added to the filename iff another file with the same name already exists

I prefer to use the user supplied name since search engines can use that to deliver better results, but if that is not important to you a simple microtime(true) or md5_file() could simplify things a bit.

Hope this helps! =)
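As an added example that is not part of the answer above or of the phunction framework, here is a stand-alone PHP version of the same three steps (basename() to drop the directory part, a character whitelist in place of ph()->Text->Slug(), and an md5_file() suffix when the target name is taken), plus an is_uploaded_file() check before the move. The function names sanitizeUploadName(), uniqueDestination() and storeUpload() are hypothetical, and the client-supplied names in the demo are constructed.

```php
<?php
// Added example, not phunction's code. Function names are hypothetical.

// Steps 1 and 2: reduce a client-supplied file name to a safe basename.
function sanitizeUploadName(string $clientName): string
{
    // Windows clients may send backslash separators; normalise them so that
    // basename() on *nix drops the directory part in both cases.
    $name = basename(str_replace('\\', '/', $clientName));

    // Whitelist . 0-9 a-z A-Z; every other byte becomes '_'.
    $name = preg_replace('/[^.0-9a-zA-Z]/', '_', $name);

    // Collapse dot runs and strip leading/trailing dots so the result can
    // never be '.', '..' or a hidden dot-file such as '.htaccess'.
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = trim($name, '.');

    return ($name === '') ? 'upload' : $name;
}

// Step 3: when the target name is taken, insert '_' . md5 of the content
// before the extension (or append it when there is no extension).
function uniqueDestination(string $dir, string $name, string $tmpPath): string
{
    $dir = rtrim($dir, '/') . '/';
    if (!file_exists($dir . $name)) {
        return $dir . $name;
    }
    $suffix = '_' . md5_file($tmpPath);
    $dot = strrpos($name, '.');
    $name = ($dot === false) ? $name . $suffix : substr_replace($name, $suffix, $dot, 0);
    return $dir . $name;
}

// Glue for a real request: one field of $_FILES, single file only.
// Returns the stored path, or null when nothing was stored.
function storeUpload(string $field, string $dir): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {   // only accept a file PHP received in this request
        return null;
    }
    $target = uniqueDestination($dir, sanitizeUploadName($_FILES[$field]['name']), $tmp);
    return move_uploaded_file($tmp, $target) ? $target : null;
}

// Offline demo over constructed client names; no actual upload is involved.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'holiday photo.JPG',
        '../../config.php',
        '..\\..\\win.ini',
        '..',
        'résumé (final).pdf',
        '.htaccess',
    );
    foreach ($samples as $s) {
        printf("%-24s -> %s\n", $s, sanitizeUploadName($s));
    }
}
```

Running the file from the command line prints each constructed name next to its sanitized form; in a request handler, storeUpload('filename', '/path/to/uploads') performs the whole sequence for the field named in the question. The whitelist regex is byte-based like the original Slug() rule, so multibyte characters turn into several underscores rather than being transliterated.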
