@imagecreatefromjpeg和imagejpeg（）是否有效防止用户上传带有恶意php代码的图像？ [英] Are @imagecreatefromjpeg and imagejpeg() effective for preventing users from uploading images with malicious php code within them?

问题描述

这是 upload_processor.php 中的代码：

include_once 'functions.php';

$name = $_FILES['upload-image']['name'];
$type = $_FILES['upload-image']['type'];
$size = $_FILES['upload-image']['size'];
$temp = $_FILES['upload-image']['tmp_name'];
$error = $_FILES['upload-image']['error'];

img_processor($temp, $error, $size)

在这里是 functions.php ：

function img_processor($img_temp, $img_error, $img_size){
    if($img_error===0){
        if($img_size < 4194304){
            if( $proc_img = @imagecreatefromjpeg($img_temp) ){
                imagejpeg($proc_img,'../uploaded/something.jpeg');
            } elseif( $proc_img = @imagecreatefrompng($img_temp) ){
                imagepng($proc_img,'../uploaded/something.png');
            } elseif( $proc_img = @imagecreatefromgif($img_temp) ){
                imagegif($proc_img,'../uploaded/something.gif');
            } else {
                echo("Only JPEGs, PNGs, and GIFs are allowed");
            }

            if(isset($proc_img)){
                echo("upload complete");                
            }

        } else {
            echo("Your file was too big. Only images that are 4MB or less are allowed");
        }
    } else {
        echo('Error uploading file! Code '.$img_error);
    }
}

基本思想是重新创建图像，然后重命名因此，没有人可以上传 malicious_code.php.jpg 之类的东西。

The basic idea is to recreate the image, then rename it so that no one can upload something like malicious_code.php.jpg.

这段代码有什么漏洞？有更好的方法来保护我的网站免受PHP注入的图像吗？

What are the holes in this code? Are there better ways to protect my site from PHP-injected images?

推荐答案

1. 如果出现错误， imagegreatefrom * 将返回false，因此 @ 运算符在这种情况下实际上并没有做很多事情。

1. The imagegreatefrom* will return false if there's an error so the @ operator isn't really doing much in this situation.

代替调用 imagecreatefrom * ，您可以使用 exif_imagetype ，然后调用适当的处理程序。我不确定是否存在安全隐患（尽管从直觉上看，上述代码可能存在安全隐患），但性能应会提高，因为您不必在真相测试失败时就创建图像资源。

Instead of calling imagecreatefrom*, you can check to see if the input file is valid using exif_imagetype and then call an appropriate handler. I am not sure if there are security implications (although intuitively it sounds like there could be security problems with the above code), but the performance should improve, as you're not having to create an image resource every time a truth test fails.

$handlers = array(
    IMAGETYPE_GIF => 'imagecreatefromgif',
    IMAGETYPE_JPEG => 'imagecreatefromjpeg',
    IMAGETYPE_PNG => 'imagecreatefrompng'
);
$type = exif_imagetype($img_temp);

if(array_key_exists($type,$handlers)){
       $proc_img = call_user_func_array($handlers[$type],array($img_temp));
} else {
    // do error logic here
}

另一个好处是，您可以添加处理程序，而不必制作一个巨大的if语句。参见 http://www.php.net/manual/zh/function。 exif-imagetype.php 了解更多信息。

The other added benefit is that you can add handlers without having to make a giant if statement. See http://www.php.net/manual/en/function.exif-imagetype.php for more info.

这篇关于@imagecreatefromjpeg和imagejpeg（）是否有效防止用户上传带有恶意php代码的图像？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！