外部图像漏洞 [英] External image vulnerabilities

问题描述

通过 img 标记添加外部图片以及如何避免这些漏洞，我的网站上会出现哪些安全漏洞？

What security holes can appear on my site by including external images via img tag and how to avoid them?

我目前只检查提交时的图片的扩展名和 mime-type （可以在之后更改）在提交 s 属性。

I'm currently only checking the extension and mime-type of image on submission (that can be changed after URL is submitted) and URL is sanitized before putting it in src attribute.

推荐答案

谁处于危险之中可能存在差别。

There's probably a differentiation to be made here between who is at risk.

如果您所做的只是存储网址，而不是将图片上传到您的服务器，那么您的网站可能是安全的，并且任何潜力风险是指查看您网站的用户。

If all you're doing is storing URLs, and not uploading images to your server, then your site is probably safe, and any potential risk is to your users who view your site.

从本质上讲，您信任浏览器制造商的可靠性。 可能的事情没问题，但是如果某个浏览器中的某个浏览器出现涉及错误解析包含恶意代码的图像的安全漏洞，那么您的用户最终会为此付费（你可能会发现有趣的 GIFAR 。）

In essence, you're putting your trust in the reliability of the browser manufacturers. Things might be fine, but if a security hole in some browser one of your users uses were to arise that involved incorrectly parsing images that contain malicious code, then it's your users who will end up paying for it (you might find GIFAR interesting).

这取决于您是否信任浏览器制造商制作安全软件，以及您是否相信您的用户不会将URL上传到可能包含特定浏览器漏洞的图片。现在可能安全的可能不安全到下一个版本。

It comes down to whether you trust the browser manufacturers to make secure software, and whether you trust your users to not upload URLs to images that might contain exploits for certain browsers. What might be secure now might not be secure come the next release.

这篇关于外部图像漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！