安全地允许通过MIME TYPES/fil上传网络字体(ttf，eot，svg，woff，otf) [英] Safely allow upload of web fonts (ttf, eot, svg, woff, otf) via MIME TYPES / fil

问题描述

我试图通过检查mime类型来允许在我们的应用程序中安全地上传网络字体.这适用于我们允许的大多数文件类型，但这是网络字体的问题.

I'm trying to allow safe upload of web fonts in our application, by checking against mime types. This works for most types of files we allow, but it's a problem for web fonts.

我们使用PHP的 http://php.net/manual检查mime类型/en/book.fileinfo.php

问题是php会将所有网络字体检测为mime"application/octet-stream"，但允许这样做，将允许.exe或许多其他可能危险的文件上传.

The problem is that php will detect all web fonts as mime "application/octet-stream", but allowing that, would allow .exe or many other possibly dangerous file uploads.

处理此类文件的最佳方法是什么?

What is the best way to handle upload of this kind of files?

推荐答案

找到一个包含有关字体格式信息的魔术文件，并将其传递给finfo_open().

Find a magic file that contains info about the font formats, and pass that to finfo_open().

这篇关于安全地允许通过MIME TYPES/fil上传网络字体(ttf，eot，svg，woff，otf)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！