How to check original file mime type


Problem description

Mandiant was able to upload a document with a file type that is not allowed, bypassing the current filters.

The file upload pages only checked the file extension to permit or deny the upload. This method ignores the actual content of the file and the potential danger posed to employees responsible for interacting with the content.

How to implement file header inspection to verify that the content in the upload will be interpreted as an image regardless of the application used.

What I have tried:

Checked MIMETYPE and headers in javascript

Answer

If only a few file types like images should be supported, you can write a function checking for "magic bytes".

Such a function will usually read a fixed number of bytes from the beginning of the file and search for the magic bytes at file-type-specific positions.

The Linux file command provides such checks using a file named magic that defines the search patterns. This file can be used as a starting point for your checks.

Some image file definitions:

0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image data
0       string          GIF8            GIF image data
0       beshort         0xffd8          JPEG image data
0       string          MM\x00\x2a      TIFF image data, big-endian
0       string          II\x2a\x00      TIFF image data, little-endian

The format is quite simple: the first value is the offset, the second the data type, and the third the data (with strings using C style, where \xNN indicates a hex byte and \NNN an octal byte).

However, these checks might still fail.
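The check the answer describes, as an added server-side example that is not part of the original answer: a small parser for the five magic definitions quoted above (the `string` and `beshort` types only, with the \xNN and \NNN escapes decoded as described), and a function that reads a fixed prefix of the uploaded bytes and matches it against those rules. The sample uploads at the bottom are constructed for the demonstration; the function and variable names are this example's own.

```python
"""Magic-byte (file signature) check for uploads, driven by rules written
in the syntax of the Linux `file` command's magic file."""
import struct
from typing import List, Optional, Tuple

# Constructed: the five definitions quoted in the answer, in magic syntax
# (offset, type, data, description), separated by whitespace.
MAGIC_DEFINITIONS = r"""
0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image data
0       string          GIF8            GIF image data
0       beshort         0xffd8          JPEG image data
0       string          MM\x00\x2a      TIFF image data, big-endian
0       string          II\x2a\x00      TIFF image data, little-endian
"""

HEADER_BYTES = 16  # fixed prefix read from the upload; enough for the rules above

Rule = Tuple[int, bytes, str]


def decode_c_string(text: str) -> bytes:
    """Decode the C-style escapes used in magic files: \\xNN is a hex byte,
    \\NNN (one to three digits) is an octal byte, anything else is literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "x":
                out.append(int(text[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt in "01234567":
                j = i + 1
                while j < len(text) and j < i + 4 and text[j] in "01234567":
                    j += 1
                out.append(int(text[i + 1:j], 8))
                i = j
                continue
            out.append(ord(nxt))  # unknown escape: keep the character itself
            i += 2
            continue
        out.append(ord(ch))
        i += 1
    return bytes(out)


def parse_magic(definitions: str) -> List[Rule]:
    """Parse magic lines into (offset, expected_bytes, description).
    Only the `string` and `beshort` types used in the answer are handled."""
    rules: List[Rule] = []
    for line in definitions.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset_s, mtype, data, description = line.split(None, 3)
        offset = int(offset_s, 0)
        if mtype == "string":
            expected = decode_c_string(data)
        elif mtype == "beshort":
            expected = struct.pack(">H", int(data, 0))  # big-endian 16-bit value
        else:
            raise ValueError(f"unsupported magic type: {mtype}")
        rules.append((offset, expected, description))
    return rules


def identify(header: bytes, rules: List[Rule]) -> Optional[str]:
    """Return the description of the first rule whose bytes match at its offset,
    or None when no rule matches (an empty or truncated header never matches)."""
    for offset, expected, description in rules:
        if header[offset:offset + len(expected)] == expected:
            return description
    return None


def is_allowed_image(data: bytes, rules: Optional[List[Rule]] = None) -> bool:
    """Server-side gate: accept the upload only if its first bytes carry a
    known image signature, regardless of the file name or extension."""
    rules = rules if rules is not None else parse_magic(MAGIC_DEFINITIONS)
    return identify(data[:HEADER_BYTES], rules) is not None


# Constructed sample uploads: name -> first bytes of the content.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "anim.gif": b"GIF89a\x01\x00\x01\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "scan.tif": b"MM\x00*\x00\x00\x00\x08",
    "renamed.png": b"<?php echo 'x'; ?>",  # permitted extension, non-image content
    "empty.gif": b"",
}

if __name__ == "__main__":
    rules = parse_magic(MAGIC_DEFINITIONS)
    for name, content in SAMPLES.items():
        kind = identify(content[:HEADER_BYTES], rules)
        print(f"{name:12s} -> {kind or 'no image signature'} "
              f"({'accept' if is_allowed_image(content, rules) else 'reject'})")
```

The extension check the question describes would accept "renamed.png"; the signature check rejects it because the bytes are inspected, not the name. The check only proves that the first bytes look like an image, which is the sense in which the answer's closing caveat applies: a file can carry a valid image header and still contain other data further in, so a stronger gate decodes the upload with an image library and re-encodes it before storing the result.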

