Amazon S3为每个对象创建唯一的密钥 [英] Amazon S3 creating unique keys for every object
问题描述
目前我正在使用随机字符串加密文件名我的PHP脚本之前发送文件到S3。
为了便于讨论,我们假设上传者找到一种方法来操纵上传文件名。他希望将我网站上的所有图片替换为香蕉。如果加密失败,防止在S3中覆盖文件的好方法是什么?
编辑:我不认为版本控制是可行的,因为我无法指定版本号在显示图片时显示图片的URL。
你是加密还是哈希?如果你正在使用md5或sha1哈希,攻击者可以很容易地发现一个哈希碰撞,让你滑在香蕉皮上。如果您在没有随机初始化向量的情况下进行加密,攻击者可能会在上传几百个文件后推断出您的密钥,而加密可能不是最好的方法。这是昂贵的计算,很难实现,你可以得到一个更安全的机制,这个工作用很少的努力。
如果你预先给每个文件名随机字符串,使用合理可靠的熵源,你不应该有任何问题,但你应该检查文件是否已经存在。虽然使用 S3 :: GetObject
来编写一个循环来检查,并且生成一个新的随机字符串,对于几乎不需要运行的东西来说,几乎从不意味着最终发生的可能性很高。
My app users upload their files to one bucket. How can I ensure that each object in my S3 bucket has a unique key to prevent objects from being overwritten?
At the moment I'm encrypting filenames with a random string in my php script before sending the file to S3.
For the sake of the discussion let's suppose that the uploader finds a way to manipulate the filename on upload. He wants to replace all the images on my site with a picture of a banana. What is a good way to prevent overwriting files in S3 if encryption fails?
Edit: I don't think versioning will work because I can't specify a version id in an image URL when displaying images from my bucket.
Are you encrypting, or hashing? If you are using md5 or sha1 hashes, an attacker could easily find a hash collision and make you slip on a banana skin. If you are encrypting without a random initialization vector, an attacker might be able to deduce your key after uploading a few hundred files, and encryption is probably not the best approach. It is computationally expensive, difficult to implement, and you can get a safer mechanism for this job with less effort.
If you prepend a random string to each filename, using a reasonably reliable source of entropy, you shouldn’t have any issues, but you should check whether the file already exists anyway. Although coding a loop to check, using S3::GetObject
, and generate a new random string might seem like a lot of effort for something that will almost never need to run, "almost never" means it has a high probability of happening eventually.
这篇关于Amazon S3为每个对象创建唯一的密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!