什么是验证上传图像的最佳方式确实是一个想象 [英] what is the best way to verify an uploaded image is indeed an imag
本文介绍了什么是验证上传图像的最佳方式确实是一个想象的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个允许其他人上传文件的网络应用程序,问题是如果我允许用户上传图像文件则需要
,假图像可以上传并导致
XSS问题。
在应用程序中,我会在上传时检查图像尺寸,以便任何虚假图像
实际上是一个文本文件被阻止(用户将.txt重命名为.gif,例如)。
但是,重命名为.gif的png文件可以包含脚本当直接在IE中加载
(在IE中键入图像URL并点击输入,例如)时,嵌入的
脚本由IE的JS引擎执行。尺寸检查始终返回有效
高度和宽度,因此无助于防止问题。
所以,我的问题是:什么是最好的方式验证上传的图片是真的
身份?我的意思是,我如何确定上传的图像何时结束.gif,
它确实是一个有效的GIF文件(等等用于
的其他常见图像类型网络)?是否有可用于验证身份的.NET方法?
我正在使用
g = System.Drawing.Image.FromFile (theFilePath)
height_ = g.Height
Width_ = g.Width
它对我提到的情况没有帮助上面。
Hi,
I have a web app that allows others to upload files, and the problem is that
if I allow users to upload image files, fake image can be uploaded and cause
XSS issues.
In the app, I do check image dimension when uploaded so that any fake image
that is actually a text file is blocked (user renames a .txt to .gif, e.g.).
However, a png file renamed to .gif can contain script that when loaded
directly in IE (type the image URL in IE and hit enter, e.g.), the embeded
script is executed by IE''s JS engine. Dimension check always return valid
height and width so it does not help prevent the issue.
So, my question is: What''s the best way to verify an uploaded image''s true
identity? I mean, how do i determine when an uploaded image ends with .gif,
it is indeed a valid GIF file (and so on for other common image types used on
the web)? Is there a .NET method that can be used to verify the identity?
I am using
g = System.Drawing.Image.FromFile(theFilePath)
height_ = g.Height
Width_ = g.Width
and it does not help the situation I mentioned above.
推荐答案
您应该检查上传文件的ContentType以确定真实文件
类型,ContentType将返回image / x-png对于PNG文件和
" image / gif"对于GIF文件,无论文件扩展名如何:
protected void Button1_Click(object sender,EventArgs e)
{
if( FileUpload1.HasFile)
{
string ct = FileUpload1.PostedFile.ContentType;
Response.Write(ct);
}
}
希望这会有所帮助。
此致,
Walter Wang(wa *** *@online.microsoft.com,删除''在线。'')
Microsoft在线社区支持
========== ========================================
获取通知通过电子邮件到我的帖子?请参阅
http://msdn.microsoft .com / subscripti ... ult.aspx#notif
ications。如果您使用的是Outlook Express,请确保清除
复选框工具/选项/读取:一次获取300个标题及时看到你的回复
。
注意:MSDN托管新闻组支持服务是针对非紧急问题
其中来自社区或Microsoft支持的初步响应
工程师可在1个工作日内完成。请注意,每个跟随
的响应可能需要大约2个工作日作为支持
专业人士与您合作可能需要进一步调查才能达到
最有效的分辨率。该产品不适用于需要紧急,实时或基于电话的交互或复杂的b $ b项目分析和转储分析问题的情况。这种性质的问题最好通过联系
Microsoft客户支持服务(CSS)处理
href =http://msdn.microsoft.com/subscriptions/support/default.aspx\"target =_ blank> http://msdn.microsoft.com/subscripti...t/default.aspx 。
======================================== ==========
此帖子按原样提供。没有保证,也没有授予任何权利。
Hi,
You should check the uploaded file''s ContentType to determine the real file
type, the ContentType will return "image/x-png" for a PNG file and
"image/gif" for a GIF file regardless the file extension:
protected void Button1_Click(object sender, EventArgs e)
{
if (FileUpload1.HasFile)
{
string ct = FileUpload1.PostedFile.ContentType;
Response.Write(ct);
}
}
Hope this helps.
Sincerely,
Walter Wang (wa****@online.microsoft.com, remove ''online.'')
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
这也不起作用。 Firefox总是根据文件
扩展名发送Mime类型。 IE确实发送Mime类型,无论文件扩展名如何,但是这个
解决方案只有在所有客户使用IE时才有效。
有没有办法验证服务器端的图像?
" Walter Wang [MSFT]"写道:
Hi,
This does not work either. Firefox always sends Mime type based on file
extension. IE does send Mime type regardless of file extension, but this
solution only works if all your clients use IE.
Isn''t there a way to verify image on the server side?
"Walter Wang [MSFT]" wrote:
您应该检查上传文件的ContentType以确定真实文件
类型,ContentType将返回image / x-png对于PNG文件和
" image / gif"对于GIF文件,无论文件扩展名如何:
protected void Button1_Click(object sender,EventArgs e)
{
if( FileUpload1.HasFile)
{
string ct = FileUpload1.PostedFile.ContentType;
Response.Write(ct);
}
}
希望这会有所帮助。
此致,
Walter Wang(wa****@online.microsoft.com,删除''在线。'')
Microsoft在线社区支持
== ================================================ <无线电通信/>
通过电子邮件收到我的帖子通知?请参阅
http://msdn.microsoft .com / subscripti ... ult.aspx#notif
ications。如果您使用的是Outlook Express,请确保清除
复选框工具/选项/读取:一次获取300个标题及时看到你的回复
。
注意:MSDN托管新闻组支持服务是针对非紧急问题
其中来自社区或Microsoft支持的初步响应
工程师可在1个工作日内完成。请注意,每个跟随
的响应可能需要大约2个工作日作为支持
专业人士与您合作可能需要进一步调查才能达到
最有效的分辨率。该产品不适用于需要紧急,实时或基于电话的交互或复杂的b $ b项目分析和转储分析问题的情况。这种性质的问题最好通过联系
Microsoft客户支持服务(CSS)处理
href =http://msdn.microsoft.com/subscriptions/support/default.aspx\"target =_ blank> http://msdn.microsoft.com/subscripti...t/default.aspx 。
======================================== ==========
此帖子按原样提供。没有保证,也没有授予任何权利。
Hi,
You should check the uploaded file''s ContentType to determine the real file
type, the ContentType will return "image/x-png" for a PNG file and
"image/gif" for a GIF file regardless the file extension:
protected void Button1_Click(object sender, EventArgs e)
{
if (FileUpload1.HasFile)
{
string ct = FileUpload1.PostedFile.ContentType;
Response.Write(ct);
}
}
Hope this helps.
Sincerely,
Walter Wang (wa****@online.microsoft.com, remove ''online.'')
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
谢谢你的支持快速更新。我知道MIME ContentType
方法不是你想要的。我会做进一步的研究,看看是否还有其他任何方法。
顺便说一句,我找不到问题你提到IE将加载
a .PNG文件伪造成.GIF文件类型,脚本将由
JScript引擎执行。你能告诉我你在哪里看到这个信息
吗?谢谢。
问候,
Walter Wang(wa****@online.microsoft.com,删除''在线。'')
Microsoft在线社区支持
============================= =====================
在回复帖子时,请回复群组通过你的新闻阅读器
其他人可以从你的问题中学习并从中受益。
==================== ==============================
此帖子提供按现状 ;没有保证,也没有授予任何权利。
Hi,
Thank you for your quick update. I understand that the MIME ContentType
approach is not what you wanted. I will do some further research to see if
there''s any other methods.
By the way, I''m not able to find the issue you mentioned that IE will load
a .PNG file faked in .GIF file type and the script will be executed by
JScript engine. Would you please let me know where you see the information
on this? Thanks.
Regards,
Walter Wang (wa****@online.microsoft.com, remove ''online.'')
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
这篇关于什么是验证上传图像的最佳方式确实是一个想象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
