接受图片上传时的安全性问题 [英] Security issues in accepting image uploads

问题描述

除了所有HTTP上传的常规内容之外，接受图像上传时要考虑的主要安全问题是什么?

What are the major security issues to consider when accepting image uploads, beyond the normal stuff for all HTTP uploads?

我接受图像上传，然后将这些图像显示给其他用户.

I'm accepting image uploads, and then showing those images to other users.

例如，我应该如何验证上传的图像实际上是有效的图像文件?查看器中是否存在任何可被格式错误的图像文件利用的已知漏洞，我应该为它们意外传递漏洞利用而担心? (快速搜索似乎表明IE5/6中曾经有过.)

How should I verify, for example, that the uploaded image is actually a valid image file? Are there any known vulnerabilities in viewers that are exploitable by malformed image files for which I should be concerned about accidentally passing along exploits? (Quickly googling seems to show that there once was in IE5/6.)

我是否应该剥离所有图像元数据以帮助用户防止意外的信息泄露?还是有一些安全，必要或有用的东西允许?

Should I strip all image metadata to help users prevent unintentional information disclosures? Or are there some things that are safe and necessary or useful to allow?

是否存在常见图像格式的奥秘功能可能是安全漏洞?

Are there any arcane features of common image formats that could be security vulnerabilities?

是否有任何图书馆可以解决这些问题? (和/或还有其他问题，例如将渐进式JPEG转换为普通JPEG，下采样以标准化大小，优化PNG等)

Are there any libraries that deal with these issues? (And/or with other issues like converting progressive JPEGs to normal JPEGs, downsampling to standardize sizes, optimizing PNGs, etc.)

推荐答案

我最近从网络安全视频:

• 最基本的选择是从单独的域中提供所有上传的内容，而该域仅提供静态内容-所有功能均已禁用，并且没有重要内容存储在其中.
• 考虑通过imagemagick等处理图像以剥离有趣的业务.
• 有关您要面对的问题的示例，请查看GIFAR，该技术将GIF和Java JAR放在同一文件中.

这篇关于接受图片上传时的安全性问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！