我们应该清理$ _FILES ['filename'] ['name']吗? [英] Should we sanitize $_FILES['filename']['name']?
问题描述
用户将图像上传到服务器后,我们应该清理$_FILES['filename']['name']
吗?
After the user uploads an image to the server, should we sanitize $_FILES['filename']['name']
?
我确实检查文件大小/文件类型等.但是我不检查其他内容.有潜在的安全漏洞吗?
I do check file size/file type etc. But I don't check other things. Is there a potential security hole?
谢谢
推荐答案
绝对!正如@Bob已经提到的那样,普通文件名很容易被覆盖.
Absolutely! As @Bob has already mentioned it's too easy for common file names to be overwritten.
您可能还需要解决一些问题,例如,* nix不允许Windows中所有允许的字符,反之亦然.文件名也可能包含相对路径,并可能覆盖其他未上传的文件.
There are also some issues that you might want to cover, for instance not all the allowed chars in Windows are allowed in *nix, and vice versa. A filename may also contain a relative path and could potentially overwrite other non-uploaded files.
这是我为 phunction PHP框架编写的Upload()
方法:
function Upload($source, $destination, $chmod = null)
{
$result = array();
$destination = self::Path($destination);
if ((is_dir($destination) === true) && (array_key_exists($source, $_FILES) === true))
{
if (count($_FILES[$source], COUNT_RECURSIVE) == 5)
{
foreach ($_FILES[$source] as $key => $value)
{
$_FILES[$source][$key] = array($value);
}
}
foreach (array_map('basename', $_FILES[$source]['name']) as $key => $value)
{
$result[$value] = false;
if ($_FILES[$source]['error'][$key] == UPLOAD_ERR_OK)
{
$file = ph()->Text->Slug($value, '_', '.');
if (file_exists($destination . $file) === true)
{
$file = substr_replace($file, '_' . md5_file($_FILES[$source]['tmp_name'][$key]), strrpos($value, '.'), 0);
}
if (move_uploaded_file($_FILES[$source]['tmp_name'][$key], $destination . $file) === true)
{
if (self::Chmod($destination . $file, $chmod) === true)
{
$result[$value] = $destination . $file;
}
}
}
}
}
return $result;
}
重要的部分是:
-
array_map('basename', ...)
,这可以确保文件不包含任何相对路径. -
ph()->Text->Slug()
,这可以确保文件名中仅允许使用.0-9a-zA-Z
,所有其他字符均由下划线(_
) 替换
-
md5_file()
,这已添加到文件名 iff 中,另一个同名文件已经存在
array_map('basename', ...)
, this makes sure that the file doesn't contain any relative paths.ph()->Text->Slug()
, this makes sure only.0-9a-zA-Z
are allowed in the filename, all the other chars are replaced by underscores (_
)md5_file()
, this is added to the filename iff another file with the same name already exists
我更喜欢使用用户提供的名称,因为搜索引擎可以使用该名称来提供更好的结果,但是如果这对您并不重要,则简单的microtime(true)
或md5_file()
可以稍微简化一下事情.
I prefer to use the user supplied name since search engines can use that to deliver better results, but if that is not important to you a simple microtime(true)
or md5_file()
could simplify things a bit.
希望这会有所帮助! =)
Hope this helps! =)
这篇关于我们应该清理$ _FILES ['filename'] ['name']吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!