Process uploaded animated gif for security

Question

We are working on a website to allow animated GIF upload. To ensure the image is indeed an image and without malware/virus/backdoor/trojan or anything other than image data itself, we try to recreate the original image.

However, the process itself will take some time when there are lots of frames inside. Is there any other way to ensure an uploaded animated GIF file is free from the issues mentioned above?

Solution

You can never 100% guarantee that a file does not contain malware - even with your approach there is the chance that the gif contains some code that could be malicious simply by opening the image in a vulnerable viewer.

That said, the chances are low and you can expect these sorts of bugs to be patched fairly quickly in most modern operating systems.

There are various checks you can do on uploaded files though that take less processing time:

  • Check the file name extension is what you expect - ignore the content-type at upload stage though as this can be spoofed.
  • Virus scan all uploaded files with a virus scanner with up to date definitions.
  • Do not store the files in a location where they can be executed - e.g. do not store in the web root (www.example.com/uploads/image.aspx).
  • Serve the files via a program or script that reads them from storage as data and then streams the output to the browser.
  • When serving the files, ensure the correct content-type, and if possible, filename extension is set correctly. Use Content-Disposition to set the name the browser will use:

    Content-Disposition: attachment; filename="fname.ext"
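The checks in the answer above can be combined into a small upload pipeline. The following is an added example, not code from the original question or answer: it checks the extension, walks the GIF block structure (signature, logical screen descriptor, extension and image blocks, trailer) without decoding any pixel data, so it is far cheaper than re-encoding every frame, rejects files with bytes after the trailer, stores accepted files under a random server-chosen name in a directory the caller keeps outside the web root, and serves them as data with an explicit `Content-Type` and `Content-Disposition`. The `X-Content-Type-Options: nosniff` header is an addition beyond the answer; the sample GIF is constructed inline and all function names are this example's own.

```python
import os
import re
import secrets
import struct
import tempfile

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
ALLOWED_EXTENSIONS = {".gif"}
_STORED_NAME = re.compile(r"[0-9a-f]{32}\.gif")   # names this code issues itself


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of data sub-blocks; the chain ends with a zero-length block."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
        if pos > len(data):
            raise ValueError("sub-block runs past end of file")


def walk_gif(data: bytes) -> dict:
    """Validate the GIF block structure without decoding LZW pixel data.
    Returns version, logical screen size, frame count and the number of bytes
    found after the trailer; raises ValueError on any malformed structure."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise ValueError("missing GIF87a/GIF89a signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                          # global colour table: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    frames = 0
    while True:
        if pos >= len(data):
            raise ValueError("no trailer before end of file")
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x21:                      # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                    # image descriptor: 9 bytes
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            img_packed = data[pos + 8]
            pos += 9
            if img_packed & 0x80:              # local colour table
                pos += 3 * (2 << (img_packed & 0x07))
            pos += 1                           # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
            frames += 1
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")
    return {"version": data[3:6].decode("ascii"), "width": width, "height": height,
            "frames": frames, "trailing_bytes": len(data) - pos}


def validate_upload(original_name: str, data: bytes) -> dict:
    """Extension check first (the client content-type is ignored), then structure check."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    info = walk_gif(data)
    if info["trailing_bytes"]:
        raise ValueError(f"{info['trailing_bytes']} bytes after GIF trailer")
    if info["frames"] == 0:
        raise ValueError("GIF contains no image frames")
    return info


def store_upload(data: bytes, storage_dir: str) -> str:
    """Write under a random name chosen by the server; storage_dir must not be web-served."""
    name = secrets.token_hex(16) + ".gif"
    with open(os.path.join(storage_dir, name), "wb") as fh:
        fh.write(data)
    return name


def serve_upload(storage_dir: str, stored_name: str, download_name: str = "image.gif"):
    """Read the stored bytes and return (headers, body) for the web layer to stream."""
    if not _STORED_NAME.fullmatch(stored_name):      # only names issued by store_upload
        raise ValueError("not a server-issued storage name")
    with open(os.path.join(storage_dir, stored_name), "rb") as fh:
        body = fh.read()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", download_name)
    headers = {"Content-Type": "image/gif",
               "Content-Length": str(len(body)),
               "Content-Disposition": f'attachment; filename="{safe_name}"',
               "X-Content-Type-Options": "nosniff"}
    return headers, body


def make_sample_gif(frames: int = 2) -> bytes:
    """Constructed test input: a minimal 1x1 GIF89a with the given number of frames."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # GCT flag set, 2 entries
    gct = b"\x00\x00\x00\xff\xff\xff"
    frame = (b"\x21\xf9\x04\x01\x00\x00\x00\x00"                  # graphic control extension
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)       # image descriptor, no LCT
             + b"\x02\x02\x44\x01\x00")                            # LZW code size + one sub-block
    return header + gct + frame * frames + b"\x3b"


def demo() -> dict:
    """Run the pipeline over constructed inputs and report what was accepted or rejected."""
    results = {}
    good = make_sample_gif(2)
    results["good"] = validate_upload("banner.gif", good)["frames"]
    for label, name, data in [("bad_ext", "banner.php", good),
                              ("not_gif", "page.gif", b"<html><body>not an image</body></html>"),
                              ("trailing", "padded.gif", good + b"extra")]:
        try:
            validate_upload(name, data)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = "rejected: " + str(exc)
    with tempfile.TemporaryDirectory() as storage:           # stands in for a non-web-root dir
        stored = store_upload(good, storage)
        headers, body = serve_upload(storage, stored, "banner.gif")
        results["served_ok"] = body == good and headers["Content-Type"] == "image/gif"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The structural walk is a cheap complement to the answer's checks, not a replacement for the virus scan or for keeping files out of the web root: it confirms the bytes are nothing but a well-formed sequence of GIF blocks ending at the trailer, which is enough to turn away renamed scripts and files with payloads appended after the image, while still taking only a single linear pass over the file.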

