Security: How to validate image file uploads?


Problem description

I need to accept image file uploads from the users.

How can I check and be 100% sure that I don't get a malicious file or something?

Check the mime type? Re-draw the image? Anti-virus?

Recommended answer

Redraw the image: read it up with GD's imagecreatefromXXX() and save it back with imageXXX().

This way you can also scale it to more convenient sizes and keep bandwidth consumption in check.

To save on computing power, deny upload to files bigger than a certain limit.

5 megs or 10 megs should be fine, as limits go.

Keep GD updated, and be wary that (7 years ago, apparently) it used to sport buffer overflows in the handling of PNG images.

Alternatively, you could also preprocess uploaded images in background with commands such as ImageMagick's convert and such.

Last note of warning: on Windo(w)s convert is also a command used to format hard disks, so put some effort into removing ambiguities if you deploy on that.
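The redraw step the answer recommends, as an added example (not code from the original answer or from GD itself); it assumes PHP with the GD extension, and the function name, limits and destination handling are illustrative:

```php
<?php
// Added example, not code from the original answer: re-encode an uploaded
// image with GD so that only decoded pixels survive into the stored file.
// Assumes PHP with the GD extension; limits and names are illustrative.

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // the "5 megs" limit from the answer
const MAX_DIMENSION    = 2048;            // scale anything larger down

// $tmpPath is PHP's temporary upload file ($_FILES['img']['tmp_name']).
// Returns the path of the freshly encoded copy, throws on anything else.
function sanitizeUploadedImage(string $tmpPath, string $destDir): string
{
    // 1. Cheap size check before any decoding work is spent on the file.
    $size = filesize($tmpPath);
    if ($size === false || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('upload too large');
    }

    // 2. Type comes from the file's own bytes, never from the client's name or MIME.
    $info = @getimagesize($tmpPath);
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    if ($info === false || !isset($decoders[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }

    // 3. Full decode: a truncated or malformed file fails here rather than later.
    $src = @$decoders[$info[2]]($tmpPath);
    if ($src === false) {
        throw new RuntimeException('image failed to decode');
    }
    // 4. Redraw onto a new canvas. Only pixels are copied, so metadata,
    //    trailing bytes and extra chunks from the upload are discarded.
    [$w, $h] = [imagesx($src), imagesy($src)];
    $scale = min(1.0, MAX_DIMENSION / max($w, $h));
    $dst = imagecreatetruecolor(max(1, (int) ($w * $scale)), max(1, (int) ($h * $scale)));
    imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $w, $h);
    imagedestroy($src);
    // 5. Store under a server-chosen name and extension (always JPEG here).
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($dst, $dest, 85)) {
        throw new RuntimeException('could not write re-encoded image');
    }
    imagedestroy($dst);
    return $dest;
}
```

The server, not the client, picks the stored name and extension, so the original filename never reaches disk; PNG transparency is flattened because the copy is always written as JPEG.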
