Is it important to verify that the uploaded file is an actual image file?

Views: 29

Problem description

Let's say you could upload any file you wished to a server, but the file extension MUST be ".jpg". Would you be able to upload anything that could harm the server?

The point of my question is that file type verification is slow, and I would rather only have to check the file extension if that is secure enough. I am having trouble imagining a scenario where malware disguised as an image could be used.

I have seen recommendations for using getimagesize() to verify an image, but this function is pretty slow, and I cannot figure out if it is necessary, or even effective, for preventing malware uploads...

Any information on this is greatly appreciated.

Recommended answer

If you think getimagesize() is a bit too slow (because all uploads are done at super high speed as we know ;) ) you can try the fileinfo library as well. It inspects at least some bytes within the file. It's pretty fast; I use it every day for hundreds of files in an app that should run speedy, and it does.

However, what you don't verify you don't know. So probably first check the extension, ensure a safe filename and a safe store, and make sure the files are properly sent out to the client.

Before letting any image library touch it (and this should include those on the computers of your site's users), for security reasons the file should be scanned by a virus scanner. That's much slower compared to getimagesize(); others suggest taking a look into the file for any occurrence of <?php as well, to prevent uploading it as a payload. Naturally this includes checking for phar files if inclusion is not prevented via the PHP installation's security settings (e.g. by suhosin).

Next to on-demand virus scanning, stored files should be checked from time to time again and again because of formerly unknown exploits.

So part of this is always a background job. But even the on-demand real-time checks often do not take that much time unless your application does uploads all the time. You might want to introduce some upload queue, so the upload is already done but the file gets available to the uploader after the necessary tasks have been run.
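The layered checks the answer recommends (extension first, then fileinfo on the real bytes, then getimagesize(), then a look for an embedded `<?php` marker, then a safe server-chosen filename and a controlled way of sending the file back out) can be put together in a small PHP upload handler. The following is an added example, not code from the question or the answer; the function names `validateUploadedImage()`, `storeUploadedImage()` and `sendStoredImage()`, the form field name `image`, the size limit and the upload directory are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): layered validation of an
// uploaded image, in the order the answer suggests. Cheap checks run first
// so that obviously wrong files never reach the slower ones.
declare(strict_types=1);

// Content types we accept, mapped to the extension we will store them under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 5 * 1024 * 1024; // assumed limit: 5 MiB

/**
 * Validate one $_FILES entry. Returns the extension to store the file under,
 * or throws a RuntimeException naming the check that failed.
 */
function validateUploadedImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Extension claimed by the client: cheapest check, never trusted alone.
    $claimedExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($claimedExt === 'jpeg') {
        $claimedExt = 'jpg';
    }
    if (!in_array($claimedExt, ALLOWED_TYPES, true)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. fileinfo: classify by magic bytes, independent of the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Content is not an allowed image type');
    }
    $ext = ALLOWED_TYPES[$mime];
    if ($ext !== $claimedExt) {
        throw new RuntimeException('Extension does not match content');
    }

    // 3. getimagesize(): the image header must actually parse.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a parseable image');
    }

    // 4. Look for an embedded PHP open tag, as the answer suggests.
    $data = file_get_contents($file['tmp_name']);
    if ($data === false || stripos($data, '<?php') !== false) {
        throw new RuntimeException('Embedded PHP marker found');
    }
    // A virus-scanner call (the answer's slowest step) would be invoked here
    // or queued as a background job; it is not part of this example.

    return $ext;
}

/** Store a validated upload under a server-generated name; returns that name. */
function storeUploadedImage(array $file, string $uploadDir): string
{
    $ext  = validateUploadedImage($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // nothing client-supplied in the path
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

/** Send a stored image back with a fixed content type so browsers cannot sniff it. */
function sendStoredImage(string $uploadDir, string $name): void
{
    // Accept only names in exactly the shape storeUploadedImage() produces.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(substr($name, 33), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumed field name "image" and an upload directory outside the web root):
// $stored = storeUploadedImage($_FILES['image'], '/var/app/uploads');
// sendStoredImage('/var/app/uploads', $stored);
```

The upload directory is assumed to sit outside the document root and to be served only through `sendStoredImage()`, so a stored file is never executed or interpreted by the web server regardless of what its bytes contain; the validation steps reduce what gets stored, the storage and serving rules limit what a stored file can do.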
