MIME Type spoofing


Problem description

Checking for MIME type in PHP is pretty easy, but as far as I know MIME can be spoofed. The attacker can upload a PHP script with, for example, a JPEG MIME type. One thing that comes to mind is to check the file extension of the uploaded file and make sure it matches the MIME type. All of this is assuming the upload directory is browser accessible.

Question: Are there any other techniques for preventing "bad files" from getting in with mime type spoofing?

Solution

Short answer: No.

Longer answer:

Comparing the extension and making sure that it matches the MIME type doesn't really prevent anything. As was said in the comments, it's even easier to modify a file extension. MIME type and extension are only meant as hints; there's no inherent security in them.

Ensuring that incoming files do no harm is very dependent on what your purpose for them is going to be. In your case I understood that you are expecting images. So what you could do is perform some sanity checks first: scan the first couple of bytes to see if the files contain the relevant image header signatures - all relevant image formats have these.

The "signature headers" help you to decide what kind of image format a file tries to impersonate. In a next step you could check if the rest of the contents are compliant with the underlying image format. This would guarantee you that the file is really an image file of that specific format.

But even then, the file could be carefully crafted in a way that when you display the image, a popular library used to display that image (e.g. libpng etc.) would run into a buffer overflow that the attacker found in that library.

Unfortunately there's no way to actively prevent this besides not allowing any input from the client side at all.
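
The signature-then-structure check the answer describes, carried through for PNG as an added example (not part of the original answer). The function names and sample bytes are made up for illustration, and it assumes 64-bit PHP 7.1+ with the zlib and ctype extensions:

```php
<?php
const PNG_SIGNATURE = "\x89PNG\r\n\x1a\n";
// Returns null when $data is a structurally sound PNG, otherwise the reason it is not.
function pngStructureError(string $data): ?string
{
    if (strncmp($data, PNG_SIGNATURE, 8) !== 0) {
        return 'missing PNG signature';
    }
    $len = strlen($data);
    $pos = 8;
    $first = true;
    while ($pos + 12 <= $len) {                 // each chunk: length(4) type(4) body crc(4)
        $size = unpack('N', $data, $pos)[1];
        $type = substr($data, $pos + 4, 4);
        if (!ctype_alpha($type)) {
            return 'invalid chunk type at offset ' . $pos;
        }
        if ($size > $len - $pos - 12) {
            return "chunk $type overruns the file";
        }
        $stored = unpack('N', $data, $pos + 8 + $size)[1];
        if ($stored !== crc32(substr($data, $pos + 4, 4 + $size))) {
            return "bad CRC in chunk $type";
        }
        if ($first && ($type !== 'IHDR' || $size !== 13)) {
            return 'first chunk is not a 13-byte IHDR';
        }
        $first = false;
        $pos += 12 + $size;
        if ($type === 'IEND') {                 // IEND must be the last bytes of the file
            return $pos === $len ? null : 'data after IEND';
        }
    }
    return 'truncated file or missing IEND';
}
// Helper used only to build the constructed samples below.
function pngChunk(string $type, string $body): string
{
    return pack('N', strlen($body)) . $type . $body . pack('N', crc32($type . $body));
}
// Constructed samples: 1x1 greyscale PNG, text behind a bare signature, PNG plus trailing bytes.
$ihdr = pack('NNC5', 1, 1, 8, 0, 0, 0, 0);
$png = PNG_SIGNATURE . pngChunk('IHDR', $ihdr)
     . pngChunk('IDAT', gzcompress("\x00\x00")) . pngChunk('IEND', '');
$samples = ['valid' => $png, 'signature-only' => PNG_SIGNATURE . "<?php /* constructed */ ?>",
            'appended' => $png . 'extra bytes'];
foreach ($samples as $name => $bytes) {
    echo $name, ': ', pngStructureError($bytes) ?? 'ok', "\n";
}
```

A file that passes is PNG-shaped, not proven harmless: chunk bodies may hold arbitrary bytes and, as the answer notes, a well-formed file can still hit a bug in the decoder that later displays it.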
