Reliability of Mimetypes in Uploads (PHP)


Question


I've had this question for a while: how exactly is the mime type of a file determined? I believe this is done by checking if specific bytes of the file contain any of the known magic numbers / file signatures, right?

If so, this poses another question. Let's say I upload a bash script with a fake GIF file signature to a website that only allows images to be uploaded; what is going to happen? Either:

1. the mimetype detection routine is smart enough to detect fake signatures, or
2. image/gif is wrongly returned as the mimetype and the upload is allowed to continue

I don't have a hex editor installed ATM, and I don't like to form security-related conclusions from tests as I might miss (or misinterpret) something, so my question is: which one of the above options is correct?

Also, are there any other best practices (besides checking the mimetype) to assure that any given file is in fact what it seems / needs (or is allowed) to be? Thanks in advance.

PS: Just to be clear, I'm not asking about the type index in the $_FILES superglobal.

Solution

My understanding is the MIME determination routines in the file upload code are extremely crude and that the MIME type in the $_FILES array simply can't be trusted. It's been my experience that it's easily foxed.

You're better off using the Fileinfo library, which provides more robust file type detection.

http://www.php.net/manual/en/ref.fileinfo.php
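The following is an added example, not code from the question or the answer above. It shows the layered validation a PHP upload handler can apply to the scenario in the question: Fileinfo (libmagic) instead of the client-supplied `$_FILES['type']`, an extension check against the detected type, and finally a full decode with GD, which is what actually distinguishes a real image from a file that merely begins with the right signature. The function and variable names are ours; it assumes the `fileinfo` and `gd` extensions are loaded, and how libmagic classifies the constructed "fake" file at the end depends on the magic database installed on the system.

```php
<?php
// Added example (not from the original post): layered validation of an
// uploaded image. Assumes the fileinfo and gd extensions are available.
// validateImageUpload() is our own name, not a PHP or Fileinfo API.

declare(strict_types=1);

/**
 * Validate an uploaded image file.
 * Returns the detected MIME type on success, or a "rejected: ..." reason.
 */
function validateImageUpload(string $tmpPath, string $clientName): string
{
    // Allowed MIME types and the file extensions they may be stored under.
    $allowed = [
        'image/gif'  => ['gif'],
        'image/png'  => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
    ];

    // 1. Do not trust $_FILES['type']; it is set by the client. Ask libmagic
    //    through Fileinfo instead. Note this is still only a check of the
    //    leading bytes (the signature), exactly as the question describes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset($allowed[$mime])) {
        return 'rejected: finfo reported ' . var_export($mime, true);
    }

    // 2. The client-supplied extension must agree with the detected type so
    //    that the stored file is later served with a consistent Content-Type.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed[$mime], true)) {
        return "rejected: extension '$ext' does not match $mime";
    }

    // 3. getimagesize() parses the image header with PHP's own code and
    //    returns its own 'mime' value; require agreement with Fileinfo.
    //    (It still reads only the header, so it is not the final word.)
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return "rejected: image header does not parse as $mime";
    }

    // 4. Strongest check: fully decode the file with GD. A file that carries
    //    a valid signature but no valid image data fails here. A hardened
    //    handler would go on to re-encode this image and store only the
    //    re-encoded output, dropping any trailing bytes from the upload.
    $data = file_get_contents($tmpPath);
    $img  = $data === false ? false : @imagecreatefromstring($data);
    if ($img === false) {
        return 'rejected: GD could not decode the image';
    }
    imagedestroy($img);

    return $mime;
}

// --- Demonstration on constructed inputs written to temporary files -------

// A genuine 1x1 GIF produced by GD.
$real = tempnam(sys_get_temp_dir(), 'up');
$g = imagecreatetruecolor(1, 1);
imagegif($g, $real);
imagedestroy($g);
echo 'real.gif: ' . validateImageUpload($real, 'real.gif') . "\n";

// The scenario from the question (constructed): the GIF89a magic bytes
// followed by content that is not image data at all.
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, 'GIF89a' . 'this is not an image');
echo 'fake.gif: ' . validateImageUpload($fake, 'fake.gif') . "\n";

// Same bytes, but the client named it with a mismatched extension.
echo 'fake.png: ' . validateImageUpload($fake, 'fake.png') . "\n";

unlink($real);
unlink($fake);
```

In a real handler the `$tmpPath` argument is `$_FILES['file']['tmp_name']` (check it with `is_uploaded_file()` first) and `$clientName` is `$_FILES['file']['name']`. Whether step 1 alone lets the constructed file through is a property of the magic database, which is the point of the question; steps 3 and 4 do not depend on it, and storing only a GD re-encoded copy under a server-chosen filename removes the need to trust the upload's bytes at all.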

