How do I verify a file uploaded with php doesn't contain an executable binary?


Question

Using a simple Firefox add-on, a hacker can change the MIME type of any file they want to upload, bypassing your file type checker.

Hackers can then use a program like GIMP to embed a php script inside the binary data of an image, audio or any other file.

How can I check for this, and prevent it?

Recommended answer

You can use mime_content_type() to get the actual MIME type of the file instead of the value transmitted by the client browser.

Then you can use a library such as php-ClamAV that allows you to perform virus scans in PHP.

You can discard any file extension except those you expect (e.g. .png, .jpg, etc. if you're expecting images). In the specific case of images, you could also neutralize images by modifying them (e.g. slightly resize them, modify the compression rate, something that would modify the data and neutralize any executable).

Finally, of course, take care not to give the file execute permission. But contrary to what is said in the comments, this will not really protect you. If the hacker finds a way to run a php file through an injection, for instance, he'll be able to chmod the file and get the execute permission (and even run it).

A good practice is also to always rename the file in an unpredictable way. If it is not meant to be accessed by clients after upload, send the files to a folder where directory browsing is disabled.
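The steps in the answer above, put together as one upload handler. This is an added example, not code from the original answer: it assumes the GD extension is available, that `$uploadDir` is a directory outside the web root, and that the caller passes one entry of `$_FILES` (the `storeUploadedImage` name is made up for this example).

```php
<?php
// Added example: validate an uploaded image the way the answer describes:
// server-side MIME detection, a type whitelist, re-encoding with GD so that
// bytes hidden in the original file do not survive, an unpredictable name,
// and no execute bit. Assumes GD is loaded and $uploadDir is outside the web root.

function storeUploadedImage(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // 1. Real MIME type from the file contents, not the browser-supplied $file['type'].
    $mime    = mime_content_type($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected MIME type: $mime");
    }

    // 2. The stored extension is derived from the detected type, never from the
    //    client-supplied file name, so only the expected extensions can appear.
    $ext = $allowed[$mime];

    // 3. Decode and re-encode the image: anything that is not pixel data
    //    (comments, trailing bytes, an embedded script) is dropped on the way.
    $img = ($ext === 'png') ? @imagecreatefrompng($file['tmp_name'])
                            : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('File is not a decodable image');
    }

    // 4. Unpredictable name, so the upload's URL cannot be guessed.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    $ok = ($ext === 'png') ? imagepng($img, $dest, 9) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }

    // 5. No execute bit; as the answer notes this is defence in depth, not a guarantee.
    chmod($dest, 0644);
    return $name;
}

// Usage: $stored = storeUploadedImage($_FILES['avatar'], '/var/app/uploads');
```

A ClamAV scan of the re-encoded file (the php-ClamAV library the answer mentions) can be run on `$dest` before returning; it is left out here because it depends on that extension being installed.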
