上传前检查文件内容 [英] Check the content of file before upload
问题描述
在上传到服务器之前,我必须检查 zip/rar 文件的内容.
I have to check the Content of a zip/rar file before uploading to the server.
让我解释一下这个场景.
Let me explain the scenario.
我的网络项目中有两种类型的用户:
There are 2 types of users in my web project:
1:普通注册用户2:项目管理员
1: Normal Registered user 2: Administrator of the Project
任何注册用户都可以在我们的项目上创建页面,也可以为页面创建主题.
Any Registered user can Create Pages on our Project,also they can create Themes For Pages.
这里我们中的一个人提出了一个功能,将主题上传为主题包[压缩在Zip/Rar文件中].
Here one of us suggested a feature that to upload the Theme as theme pack [Compressed in Zip/Rar File].
如果是管理员就可以了,没有更多的安全限制.
If it is a Administrator then it is ok,there is no more security constraints.
但恐怕对于普通注册用户来说.
But i am afraid in the case of Normal Registered Users.
我的问题是:
假设注册用户上传的主题包包含一些可能会损害系统的恶意文件 [包括 PHP 文件].我知道上传后可以检查内容,但如果用户在此之前执行文件会发生什么?
Assume that a Registered User uploading a theme pack that contains some malicious Files [Including PHP file] that may hurt the system. I know that it is posible to check the Contents after upload,but what will happen if the use executed the File before that?
Ex : 一个用户上传了一个主题包:包含 一些 PHP 代码 &其他大文件,首先我们的系统会提取主题包的内容:假设提取大文件需要一些时间,并且较小的PHP文件已经提取出来.这样用户可以先运行PHP文件.
Ex : a user uploading a theme pack : contains some PHP codes & other large files,First our system will extract the content of the Theme Pack: Assume that the extraction of large files takes some time,and the smaller PHP file already extracted.So that the user can RUN the PHP file First.
以上是我的菜鸟,其实我不知道其他方面.
The above one is my noob soubt,Actually i dont know other sides.
请帮我解决这个问题.
能否以安全的方式上传 ZIP 文件?
Is it possible to upload the ZIP file in a secure manner ?
推荐答案
当然,除非您有某种插件(适用于所有浏览器)进行检查/上传,否则您将无法检查此客户端为你.您必须在服务器端处理此问题.
You won't be able to check this client side unless, of course, you had some kind of plugin (for all browsers) that did the checking/uploading for you. You'll have to handle this on the server side.
此外,管理员可以像非管理员一样轻松上传病毒.一些用户甚至不知道他们的机器比棚户区妓院的病毒还多.
Also, Admins can upload viruses just as easily as non-admins. Some user's don't even know their machine has more viruses than a shanty-town brothel.
此外,除非您运行该 php 文件,否则用户将如何在您检查之前在您的服务器上执行他们的 PHP 文件?无论如何,这听起来像是灾难的秘诀.所要做的就是让某些东西从裂缝中溜走,恶意用户就会破坏您的网站.允许普通人将可执行脚本上传到您的服务器是自找麻烦.
Also, how is the user going to execute their PHP file on your server before you've checked it unless you run that php file? This sounds like a recipe for disaster anyway. All it will take is for something to slip through the cracks and a malicious user will destroy your site. Allowing normal people to upload executable script to your server is asking for serious trouble.
这篇关于上传前检查文件内容的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
