What are some security holes a website is exposed to through document upload?


Question

I am new to the document storage space. I am not sure what I am doing yet, but before I begin I wanted to know about the possible security threats one has when one allows document uploads, and what is the best way to sanitize the data? I am using PHP and will allow images, Word docs, PDFs, Excel docs, etc.

And is this a good solution:

http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

Answer

There are two very obvious ones:

  • If improperly done, a file uploader could allow the user to overwrite other people's files -- including the PHP that runs the site. Make sure permissions are set so that the web server's account has read-only access to any directory but the one where stuff should be written, and that nothing in that directory can be executed.
  • Users can upload (big) enough files to fill the site's disk quota. Even if they can't, they can try -- and the server might not refuse the upload till after the whole file has been sent anyway, chewing up precious resources and possibly still filling the drive (if only for the time it takes to refuse the request and delete the temp file).

And that's just the risks to the server. Files can contain malware that can affect other users. You'll probably want to find a scanner for that stuff.

I'll suggest that if you want to let people upload files, you find a pre-written script that a lot of other people use and recommend. Rolling your own is bound to cause you problems when someone does something that you never considered.
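To make the answer's two points concrete (a writable directory that is never served or executed, and a size cap), here is an added example of a hardened PHP upload and download handler. It is not code from the original question, the answer, or the linked blog post. Assumptions: uploads are written to `UPLOAD_DIR`, a directory outside the DocumentRoot that the web server user can write to; the form field is named `document`; files are served back only through `sendDownload()`, by a server-generated name, never by a client-supplied path. Note that PHP's `upload_max_filesize` and `post_max_size` only reject the request after the body has been received, which is exactly the resource-burning case the answer describes; the web server's own limit (`client_max_body_size` in nginx, `LimitRequestBody` in Apache) cuts the connection earlier.

```php
<?php
// Added example: hardened upload/download handling in PHP (not the original page's code).
// Assumed layout: UPLOAD_DIR lives outside the web root, is writable by the web
// server user, and is never mapped to a URL, so nothing in it can be executed by
// the server even if a script sneaks through as a ".pdf".
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed path, outside DocumentRoot
const MAX_BYTES  = 10 * 1024 * 1024;     // 10 MiB; keep <= upload_max_filesize / post_max_size

// Extension -> MIME types accepted for it. The MIME type is sniffed from the
// bytes on disk (finfo); the client-supplied $_FILES[...]['type'] is ignored.
// Older libmagic versions report OOXML (docx/xlsx) as application/zip; add that
// to the lists below if your platform does.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'xls'  => ['application/vnd.ms-excel'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'],
];

/**
 * Validate one $_FILES entry and store it under a server-generated name.
 * Returns the stored name (random hex + vetted extension); throws on any problem.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . (int) ($file['error'] ?? -1));
    }
    // Only accept the temp file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Per-application size cap on top of the php.ini limits.
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client filename is used only to pick the allow-list entry; basename()
    // drops any directory components such as "../../index.php".
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content type from the bytes, not from the name or header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // Server-chosen name: no user-controlled string reaches the filesystem path,
    // so one user cannot overwrite another user's file or the site's own code.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $stored;
}

/**
 * Serve a stored file by its server-generated name only. It is sent as an
 * attachment with a sniffed content type and nosniff, so a browser will not
 * render, say, an HTML payload hidden in a file that passed as an image.
 */
function sendDownload(string $storedName): void
{
    if (!preg_match('/^[0-9a-f]{32}\.[a-z0-9]+$/', $storedName)) {
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $storedName;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $storedName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed form field "document" on POST, ?f=<stored name> on GET):
// $stored = storeUpload($_FILES['document']);
// sendDownload($_GET['f']);
```

The two functions together cover the answer's points: `storeUpload()` never lets the client choose the destination path or the extension outside the allow-list, the directory is outside the web root and the stored file is mode 0640, and `sendDownload()` is the only route back to the bytes. Malware scanning of the stored file, which the answer also recommends, would run on `$dest` after `move_uploaded_file()` and before the name is handed back to the user.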
