Fetching a file on a server, resizing with PHP GD2, security considerations

Question

What are the security considerations when a server fetches a file from an untrusted domain?

What are the security considerations when resizing an image that you don't trust with PHP's GD2 library?

The file will be stored on the server machine, and will be offered for download. I know I can't trust the MIME-Type header. Is there anything else I should be aware of?

I have a webservice that looks like this:

Input

An http-URL (or a String that is expected to be a URL)

Output

A meta description of the file, or an error if there was one.

The meta description has one of two forms:

  1. This is an image + URL of the image in my domain + thumbnail of the image (generated and hosted on my server)
  2. This is not an image + URL of the file in my domain


Update

Problems I can come up with:

  1. The remote server is a malicious server that will send tiny bits of information, enough to keep the socket open, but doesn't do anything useful - like slowloris. I don't know how real of a threat this is. I suppose it could be easily avoided with timeout + progress check.
  2. The remote server serves something that looks like an image (headers, mime-type) but causes PHP to crash when I load it with GD2.
  3. The server sends a useless or bad MIME-type header. Like text-plain for binary files.
  4. The remote server serves an image with a virus in it. I assume that resizing the image will get rid of the virus, but I will serve the original image if there is no reason to scale.
  5. The remote server serves a file with a virus in it. The file will not be treated as an image so my server will do nothing with it. Nothing will happen until the user downloads, and runs it.

Also, I assume I can trust the users of my service. This is a private application in a situation where users can be held accountable for bad behavior. I assume they won't intentionally try to break it.

Answer

What are the security considerations when a server fetches a file from an untrusted domain?

The domain (host) and the file are not to be trusted. This spreads over two points:

  1. Transport
  2. Data

To transport the data safely, use a timeout and a size limit. Modern HTTP client libraries offer both of these. If the file could not be requested in time, drop the connection. If the file is too large, drop the data. Tell the user that there was a problem getting the file. Alternatively, let the user handle the transport to that server by using the user's browser and javascript to obtain the file. Then post it. Set the post limit with your script.

As long as the data is untrusted you need to handle it with caution. That means you implement a process yourself that is able to run different security checks on the file before you mark it as "safe".

What are the security considerations when resizing an image that you don't trust with PHP's GD2 library?

Do not pass untrusted data to the image library then. See the step above, bring it into a safe state first.

The file will be stored on the server machine, and will be offered for download. I know I can't trust the MIME-Type header. Is there anything else I should be aware of?

I think you're still at the point above: how to get from untrusted to safe. Sure, you can't trust the Content-Type header, however it's good to understand it as well.

You want to prevent the Unrestricted File Upload vulnerability (OWASP).

  1. Check the filename. If you store the data on your server, give it a safe temporary name that cannot be guessed upfront and that is not accessible via the web.
  2. Check the data associated with the filename, e.g. the URL information of the source of that file. Properly handle encoding.
  3. Drop anything that does not meet your expectations, so check the pre-conditions you formulate strictly.
  4. Validate the file data before you continue, for example by using a virus checker.
  5. Validate the image data before you continue. This includes file headers (magic numbers) as well as that the file size and file content are valid. You should use a library that is specialized for the job, e.g. an image-file-format malformation checker. This is specialized software, so if this is part of your business, get into that business. Many free software image file codes exist; I leave this just for the info, you can't trust any recommendation anyway and need to get into the topic.
  6. If you plan to resize the image yourself, you need to make everything double-safe, because next to hosting you plan to process the data. So know what you do with the data first to locate potential fields of problems.
  7. Do logging and monitoring.
  8. Have a plan for the case that everything goes wrong.
  9. Consider repeating the process for already existing files, so if you change your procedure, you are able to automatically apply the principles to uploads that were done in the past as well.
  10. Create a system for each type of work that is able to be cleaned after the work has been done. One system to do the download, one system to obtain the meta data etc. After each action, restore the system from an image. If a single component fails, it won't be left over in an exploited state. Additionally, if you detect a fail, you can take your whole system out of business until you have found the flaw.

All this depends a bit on how much you want to do, but I think you get the idea. Create a process that works for you, knowing where improvement can be added, but first create an infrastructure that is modular enough to deal with error cases and which probably encapsulates the process enough to deal with any outcome.

You could delegate critical parts to a system that you don't need to care about, e.g. to separate processing from hosting. Additionally, when you host the images the webserver must not be clever. The more stupid a system is, the less exploitable it is (normally).

If hosting is not part of your business, why not hand it over to Amazon S3 or similar stores? Your domain can be preserved via DNS settings.

Keep the libraries you use to verify images up-to-date (which implies you know which libraries are used and their version, e.g. the PHP exif extension is making use of mbstring etc. pp. - track the whole tree down). Take care that you're in the position to report flaws to the library maintainers in a useful way, e.g. with logging, storing upload data to reproduce stuff etc.

Get knowledge about which exploits for images did exist in the past and which systems/components/libraries (example, see disclaimer there) were affected.

Also get into the topic of which are the common ways to exploit something, to get the basics together (I'm sure you are aware, however it's always good to re-read some stuff):

Some related questions:

  • Is it important to verify that the uploaded file is an actual image file?
  • PHP Upload file enhance security
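The transport and data steps the answer describes (timeout plus a size limit, an unguessable temporary name outside the web root, magic-number and header checks before anything reaches GD), as an added PHP example that is not part of the original question or answer. The function names, `$storageDir`, the accepted formats and the 25,000,000-pixel cap are assumptions of this example.

```php
<?php
// Added example, not code from the original question or answer. Assumes PHP 7.4+ with
// ext-curl and ext-gd; $storageDir names a directory outside the web root (an assumption).
const IMAGE_MAGIC = ["\xFF\xD8\xFF" => 'image/jpeg', "\x89PNG\r\n\x1A\n" => 'image/png',
                     'GIF87a' => 'image/gif', 'GIF89a' => 'image/gif'];

// Transport: total timeout plus a byte limit enforced while receiving, not read from Content-Length.
function fetchUntrusted(string $url, string $storageDir, int $maxBytes, int $timeout): string
{
    if (!preg_match('#^https?://#i', $url)) throw new RuntimeException('only http(s) URLs accepted');
    $path = $storageDir . '/' . bin2hex(random_bytes(16)) . '.tmp';  // unguessable temporary name
    $fh = fopen($path, 'wb');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => false,     // the remote host may not redirect us somewhere else
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,  // bounds a slowloris-style trickle of bytes
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use ($fh, $maxBytes) {
            // Returning fewer bytes than received makes curl abort the transfer.
            return ftell($fh) + strlen($chunk) > $maxBytes ? 0 : fwrite($fh, $chunk);
        },
    ]);
    $ok = curl_exec($ch);
    fclose($fh);
    if ($ok === false) { unlink($path); throw new RuntimeException('fetch aborted: ' . curl_error($ch)); }
    return $path;
}

// Data: check the magic number and the header-declared dimensions before GD decodes anything.
function validateImage(string $path, int $maxPixels = 25_000_000): array
{
    $head = (string) file_get_contents($path, false, null, 0, 8);
    $mime = null;
    foreach (IMAGE_MAGIC as $magic => $type) {
        if (strncmp($head, $magic, strlen($magic)) === 0) { $mime = $type; break; }
    }
    $info = $mime === null ? false : @getimagesize($path);  // parses the header only, no decoding
    // $maxPixels is a constructed cap: GD keeps roughly 4 bytes per pixel in memory when decoding.
    if ($info === false || $info['mime'] !== $mime || $info[0] * $info[1] > $maxPixels) {
        unlink($path); throw new RuntimeException('rejected: not a well-formed image of acceptable size');
    }
    return ['path' => $path, 'mime' => $mime, 'width' => $info[0], 'height' => $info[1]];
}
// Only validated data reaches GD, and the thumbnail is freshly encoded, never the original bytes.
function makeThumbnail(array $img, string $outPath, int $maxSide = 200): void
{
    $src = imagecreatefromstring((string) file_get_contents($img['path']));
    $scale = min(1.0, $maxSide / max($img['width'], $img['height']));
    $dst = $src ? imagescale($src, max(1, (int) ($img['width'] * $scale))) : false;  // keeps aspect ratio
    if ($dst === false || !imagepng($dst, $outPath)) throw new RuntimeException('thumbnail failed');
}
```

Chain the three calls in that order; a file rejected by `validateImage()` is unlinked and never handed to GD, and the original bytes are served, if at all, only after that check has passed.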
