要上传的白名单或黑名单文件扩展名? [英] Whitelist or blacklist file extensions for uploads?

问题描述

我正在制作一个新闻通讯编辑器，它将允许文件上传(新闻通讯的发件人可以将文件上传到将在电子邮件中链接到的服务器).

I'm making a newsletter editor which will allow file uploads (the sender of the newsletter can upload files to the server which will be linked to in the email).

该站点已设置为仅由Servlet实际上执行/处理URI，因此这不会带来很大的安全风险，但有人告诉我将.jsp，.php，.asp，.aspx列入黑名单， .exe，.com和.bat.这并不能使我成为一个全面的黑名单，我给人的印象是黑名单不是一个好政策.

The site is set up so that only .do URIs are actually executed/handled by servlets so it's not much of a security risk, but I've been told to blacklist .jsp, .php, .asp, .aspx, .exe, .com, and .bat. This does not strike me as a comprehensive blacklist, and I've the impression that blacklists are not a good policy.

另一方面，白名单将长达数十个.识别允许/不允许的扩展名的正确方法是什么?还是仅允许任何内容并通过病毒扫描程序运行它们，或者将它们组合使用，是否更合适?

On the other hand, a whitelist would be dozens long. What's the correct way to identify allowable/disallowable extensions? Or is it more proper to just allow anything and run it by a virus scanner, or some combination of these?

推荐答案

或者只允许任何内容并由病毒扫描程序运行是更合适的方法.

Or is it more proper to just allow anything and run it by a virus scanner.

是的

黑名单和白名单都被轻易规避，只会造成管理上的痛苦，并且无法提供任何安全性.

Both blacklists and whitelists are trivially circumvented and cause just administration pain and provide no security whatsoever.

这篇关于要上传的白名单或黑名单文件扩展名?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！