验证上传的文件是否是实际的图像文件很重要吗? [英] Is it important to verify that the uploaded file is an actual image file?
问题描述
我的问题是,文件类型验证速度慢,我宁愿只检查文件扩展名如果足够安全。我无法想象恶意软件伪装成图像的情况。
我已经看到使用getimagesize()来验证图像的建议,但是这个函数是非常慢,我不知道是否有必要,甚至是有效的,以防止恶意软件上传...
任何信息非常赞赏。 >
getimagesize()有点太慢了(因为所有上传如我们所知,以超高速完成;))你可以尝试 fileinfo 库。它检查文件中的至少一些字节。这是非常快的,我每天使用它应用程序中的数百个文件,应该跑得快,它确实。 然而,你不验证你不'不知道。所以可能首先检查扩展名,确保一个安全的文件名和一个安全的存储,并将其正确发送到客户端。
在让任何图像库触摸它应包括在您的网站的用户的计算机上),出于安全原因,该文件应由病毒扫描程序进行扫描。与 getimagesize()相比,这个速度要慢得多,其他人建议仔细看一下<?php 以及防止上传作为有效载荷。当然,这包括检查 phar 文件,如果不通过PHP安装安全设置(例如suhosin)阻止包含的话
旁边的按需病毒扫描,存储的文件应该不时检查,因为以前未知的漏洞。
所以这部分总是一个背景工作。但即使按需实时检查通常也不会花费太多时间,除非您的应用程序一直在上传。您可能需要引入一些上传队列,因此上传已经完成,但在运行必要的任务之后,文件get就可以提供给上传者。
Let's say you could upload any file you wished to a server, but the file extension MUST be ".jpg". Would you be able to upload anything that could harm the server?
The point of my question is that file type verification is slow, and I would rather only have to check the file extension if that is secure enough. I am having trouble imagining a scenario where malware disguised as an image could be used.
I have seen recommendations for using getimagesize() to verify an image, but this function is pretty slow, and I cannot figure out if it is necessary, or even effective, for preventing malware uploads...
Any information on this is greatly appreciated.
If you think getimagesize() is a bit too slow (because all uploads are done in super highspeed as we know ;) ) you can try the fileinfo library as well. It inspects at least some bytes within the file. It's pretty fast, I use it every day for hundreds of files in an app that should run speedy and it does.
However, what you don't verify you don't know. So probably first checking extension, ensure a safe filename and a safe store and that they are properly send out to the client.
Before letting any image library touch it (and this should include those on the computers of your site's users), for security reasons the file should be scanned by a virus scanner. That's much more slow compared to getimagesize(), others suggest to take a look into the file for any occurance of <?php as well to prevent uploading as payload. Naturally this includes checking for phar files if inclusion is not prevented via the PHP installations security settings (e.g. by suhosin)
Next to on-demand virus scanning, stored files should be checked from time to time again and again because of formerly unknown exploits.
So part of this is always a background job. But even the on demand real-time checks often do not take that much time unless your application does uploads all the time. You might want to introduce some upload-queue, so the upload is already done but the file get's available to the uploader after the necessary tasks have been run.
这篇关于验证上传的文件是否是实际的图像文件很重要吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
