Secure uploading file


Problem description

I have a file upload system in my PHP project.

What I do when uploading:

1) Check the file extension and the file MIME type.

2) If the extension and MIME type are allowed types, I save the file outside of the public_html directory and then give users the opportunity to download the file like so:

     <?php
     // $file_path is the absolute path of the stored file (outside public_html),
     // resolved by the application before this point.
     if (file_exists($file_path)) {
         header('Content-Description: File Transfer');
         header('Content-Type: some mime type');
         header('Content-Disposition: attachment; filename=somefilename');
         header('Content-Transfer-Encoding: binary');
         header('Expires: 0');
         header('Cache-Control: must-revalidate');
         header('Pragma: public');
         header('Content-Length: ' . filesize($file_path));
         readfile($file_path);
         // Stop here so no trailing output is appended to the file body.
         exit;
     }

Question: are these steps for uploading files secure or not? If not, what can be done additionally to improve security when uploading files?

Thanks.

Accepted answer

  • Checking the MIME type doesn't help at all, because that information can be crafted.
  • It depends how you are checking the file extension and what you are doing with that information. Try using a "white list" for file extensions instead of a "black list".
  • Moving it outside of the public_html is a good idea; also try to rename the file and just add the extension to it.
  • Be extra careful with compressed files, you could end up dealing with some zip bomb or something like that.
  • Be careful with the file if you are going to do some sort of operation with it, like resizing images. Remember you are dealing with a user input that will interact with your code and it could be crafted to exploit your code (a code execution vulnerability, for example).
  • Also try reading this article, it will give you some helpful information that you might not have thought of before.
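The following is an added example, not code from the asker or the answerer, showing one way to put the answer's advice and the asker's download step together in PHP: an extension whitelist, a server-side content check instead of the client-supplied MIME type, a random name with the whitelisted extension appended, storage outside public_html, and a download handler that only ever receives an opaque id rather than a path. The directory `private_uploads`, the size cap, the form field name `upload`, the `?id=` parameter and the whitelist contents are assumptions; adjust them to your layout.

```php
<?php
// Added example (not the original post's code). UPLOAD_DIR, MAX_BYTES, the
// whitelist and the request parameter names are assumptions for illustration.

declare(strict_types=1);

// Storage directory outside the web root (assumption: adjust for your layout).
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 5 * 1024 * 1024; // 5 MiB cap (assumed value)

// Whitelist: extension => MIME type we expect in the bytes and will serve back.
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Validate one $_FILES entry, move it out of the web root under a random
 * name, and return the opaque id the user will later download it by.
 */
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Extension check against the whitelist (a black list is easy to miss entries in).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Do not trust the client-supplied $file['type']; inspect the actual bytes.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // Rename: random id, original name discarded, whitelisted extension appended.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . "/$id.$ext";

    // move_uploaded_file() also verifies the source really is an uploaded file.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    return "$id.$ext";
}

/**
 * Serve a stored file by its opaque id. The id must match the exact shape
 * produced above, so no user-controlled path fragment reaches the filesystem.
 */
function send_download(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.([a-z0-9]+)$/', $id, $m) || !isset(ALLOWED[$m[1]])) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . "/$id";
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Content-Type comes from our whitelist, never from the client or the file name.
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

// Assumed routing: POST with a form field named "upload" stores a file,
// GET with ?id=<stored id> downloads it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        $id = store_upload($_FILES['upload']);
        echo 'stored as ' . htmlspecialchars($id);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['id'])) {
    send_download((string) $_GET['id']);
}
```

Because the download handler derives both the path and the Content-Type from the stored id and the whitelist, the original file name never influences what is read from disk or what the browser is told about it; the only thing a user can vary is which existing id they ask for, which is where your application's authorization check belongs.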
