上传图片 - 安全 [英] Uploading Images - Security
问题描述
我写了一个电子学习包管理实用工具。使用此实用程序,导师可以写出他们的课程,添加/上传图片等。
I am writing the Admin utility for an eLearning Package. Using this utility, the Tutors can write their courses, add/upload images, etc.
上传文件,具体而言,图像文件时,我的问题是关于安全漏洞。
My problem is regarding security vulnerabilities when uploading files, specifically, image files.
以下code是我的控制器code为上传新的映像文件的POST:
The following code is my controller code for the POST that uploads a new image file:
[HttpPost]
public virtual ActionResult StepImage(int CourseId, int StepOrder, HttpPostedFileBase file)
{
service.CourseId = CourseId;
service.StepOrder = StepOrder;
if (file.ContentLength > 0)
{
var fileName = Path.GetFileName(file.FileName);
var fileExtension = Path.GetExtension(fileName);
if ((fileExtension == ".jpg") || (fileExtension == ".gif") || (fileExtension == ".png"))
{
service.StoreImageFileName(fileName);
var path = Server.MapPath("~/[path to where images are uploaded]/" + service.CourseId + "/");
if(!Directory.Exists(path))
{
Directory.CreateDirectory(path);
}
file.SaveAs(path + fileName);
}
else
{
// Refactor notice : Validation for invalid file extension
}
}
else
{
// Refactor notice : Validation for no file chosen
}
return RedirectToAction(MVC.Admin.StepEditor.Actions.Edit(CourseId, StepOrder));
}
您可以从上面的code,我检查的文件扩展名,只允许为.jpg,.gif和巴纽看看。
You can see from the above code that I check for the file extension and only allow .jpg, .gif and .png.
-
我试过存储App_Data文件夹下的文件,但是这导致了403禁止响应时查看尝试显示图像。
I tried storing the files under the App_Data folder, but this resulted in a 403 forbidden response when the Views try to display the images.
所以我把它们放在〜/图片/...
So I put them in ~/Images/...
有没有跟这个有安全隐患?有人可以上载.jpg扩展名的.exe文件,并得到它来执行坏人code?
Is there a security risk with this? Can someone upload an .exe file with a .jpg extension and get it to execute baddie code?
它必须说,风险是低的,因为只有导师将有权使用该上传文件的页面,但你还需要另外一张不满家教......或者,他们给自己的登录信息到学生.. ,或什么的。
It has to be said that the risk is low, as only Tutors will have permissions to use the page that uploads the file, but you just need one disgruntled tutor... Or they give their login details to a student... or whatever.
- 在$ C $(c)任何其他安全风险?
基础知识是从斯科特Hanselman的和菲尔哈克的博客文章在拍摄使用ASP.NET MVC上传文件的主题2 +
PS:
The basics are taken from Scott Hanselman's and Phil Haack's blog posts on the subject of uploading files using ASP.NET MVC 2 +:
<一个href=\"http://www.hanselman.com/blog/ABackToBasicsCaseStudyImplementingHTTPFileUploadWithASPNETMVCIncludingTestsAndMocks.aspx\"相对=nofollow>斯科特Hanselman的帖子
推荐答案
您获得当您将图像App_Data文件夹一个403响应,因为IIS prevents从的App_Data直接访问文件的任何浏览器。
You get a 403 response when you place the images in the App_Data folder because IIS prevents any browser from directly accessing files in App_Data.
将它们放置在〜/图片/工程,但根据该文件夹的安全性,这可能意味着,任何人都可以列出〜/图像的内容/和/或查看图片。默认情况下,IIS所禁止列出任何文件夹的内容,但任何人查看图像是允许的。因此,如果某人知道的图像的文件名,他们可以查看它们。
Placing them in ~/Images/ works but depending on the security on that folder this could mean that anyone can list the contents of ~/Images/ and/or view the images. By default, IIS forbids listing the contents of any folder but viewing the images by anyone is allowed. So, if someones knows the filename of the images, they can view them.
一个解决方案是使用基于URL的认证。只有教师(或谁需要),就可以看到图像即可。
A solution is to use URL based authentication. Only the tutors (or whoever needs to) will be able to see the images then.
如果您想对谁看到什么什么的网页完全控制,你仍然可以把图像在App_Data文件夹,然后流他们如─或任何需要他们的这样的。
If you want complete control over who sees what on what pages, you could still place the images in the App_Data folder and then stream them to who- or whatever needs them like this.
关于上传一个.exe为JPG,这当然是可能的。它甚至会为任何类型的文件工作。
About uploading an .exe as a jpg, this is certainly possible. It will even work for any type of file.
但是,您将文件保存到磁盘,没有做任何自己与它。这使得风险非常小的.exe文件-AS-JPG是你的服务器上执行。除非某人的作用体现在.NET code,迫使.NET执行JPG的漏洞,这是不太可能。
However, you save the file to the disk and don't do anything yourself with it. That makes the risk very small that the .exe-as-jpg is executed on your server. Unless someones finds an exploit in .net code that forces .net to execute the jpg, this is very unlikely.
您还显示JPG到你的观点用户。这再一次承载着可能是用户的浏览器有一个漏洞,迫使它在用户的计算机上执行的.exe-AS-JPG安全风险。不过,我觉得还是非常不可能发生的(但并非不可能。这之前已经如已经完成看到这个)。
You also show the jpg to the user in your views. That carries once again the security risk that possibly the user's browser has an exploit that forces it to execute the .exe-as-jpg on the user's computer. However, I think that is still very unlikely to happen (but not impossible. It has been done before e.g. see this).
要prevent这一点,你需要在你的服务器端,检查每一个形象,看它是否真的是一个形象code。然而,这些(可能是不存在的)的安全风险是非常小的,甚至利用这种风险将需要别人谁知道不少计算机和编程。就个人而言,我不会担心这一点。
To prevent this, you would need code on your server side that checks every image to see if it really is an image. However, these (possibly non-existent) security risks are very small and even exploiting this risks would require someone who knows quite a lot of computers and programming. Personally, I wouldn't worry about this.
绝对安全是不可能的(好吧,总之从来没有开启您的计算机。如果它没有做任何事情,没有什么可以去错毕竟)。这一切都取决于你要多少保障多少时间和放大器;钱可以投资。
Absolute security is impossible (Well, short of never turning your computer on. If it doesn't do anything, nothing can go wrong after all). It all depends how much security you want and how much time & money you can invest.
这篇关于上传图片 - 安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
