How can PHP's finfo::buffer be spoofed?


Problem description

When handling uploaded files $_FILES['foo']['type'] is not at all reliable. I've found if you change the extension on OS X the 'type' is changed automatically.

Consider:

<?php
// Ask libmagic (via finfo) what the uploaded bytes look like, ignoring
// the client-supplied $_FILES['foo']['type'] entirely.
$fileInfo = new \finfo(FILEINFO_MIME);
$mimeType = $fileInfo->buffer(file_get_contents($_FILES['foo']['tmp_name']));
// FILEINFO_MIME yields e.g. "text/x-php; charset=us-ascii"; split off the charset.
$mimeType = explode(';', $mimeType);

Now, if I rename a PHP script to .jpg and upload it (on OS X 10.10) $_FILES['foo']['type'] = image/jpeg and $mimeType = text/x-php.

The file type can easily be changed but how can PHP's finfo::buffer be spoofed? What is the difference between what PHP checked for $_FILES['foo']['type'] and finfo(FILEINFO_MIME)?

Recommended answer

PHP doesn't check anything in the $_FILES type; when uploading a file, the sending browser is sending meta data of what it thinks the file type is. $_FILES['file']['type'] simply reflects this value uploaded by the browser. Obviously, anyone can spoof this at will.

Finfo uses the magic database, which is simply a collection of identifying characteristics of file types. I.e., all JPEG files have a characteristic header, all ZIP files start a certain way, this file type has these number of leading bytes, that file type has those kinds of trailing bytes etc. etc. This is harder to spoof, if you actually want to produce a valid file of a certain type, but by no means impossible.
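The following is an added example, not code from the question or the answer above. It shows that finfo classifies by the bytes themselves (a PHP file renamed to .jpg still comes back as text/x-php, whatever the browser claimed) and wraps that in the kind of allowlist check an upload handler would use, with the image decoder as a second opinion. The allowlist, function names and sample buffers are all assumptions constructed for the example.

```php
<?php
// Added example (not from the original question or answer): finfo decides by
// content, so the client-supplied type is only logged, never trusted.
// The sample buffers below are constructed inline; no real upload is involved.

declare(strict_types=1);

// Assumed allowlist: MIME type reported by finfo => extension we store it under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** MIME type detected from the bytes themselves, without the charset suffix. */
function detectMime(string $bytes): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // FILEINFO_MIME_TYPE omits "; charset=..."
    return $finfo->buffer($bytes) ?: 'application/octet-stream';
}

/**
 * Decide whether an upload may be stored. $clientType is $_FILES[...]['type'],
 * used for logging only. Returns the extension to store under, or null to reject.
 */
function acceptUpload(string $bytes, string $clientType): ?string
{
    $detected = detectMime($bytes);
    if (!isset(ALLOWED_TYPES[$detected])) {
        error_log("rejected upload: client said '$clientType', content is '$detected'");
        return null;
    }
    // Second opinion for images: the decoder must agree with the magic bytes,
    // since a magic header alone does not make a well-formed image.
    $img = @getimagesizefromstring($bytes);
    if ($img === false || $img['mime'] !== $detected) {
        error_log("rejected upload: magic bytes say '$detected' but the image decoder disagrees");
        return null;
    }
    return ALLOWED_TYPES[$detected];
}

// Constructed inputs: a PHP script "renamed" to .jpg, and a genuine 1x1 GIF.
$phpBytes = "<?php echo 'hello';\n";
$gifBytes = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

var_dump(detectMime($phpBytes));                  // the browser's "image/jpeg" is irrelevant here
var_dump(acceptUpload($phpBytes, 'image/jpeg'));  // rejected: not on the allowlist
var_dump(acceptUpload($gifBytes, 'image/jpeg'));  // accepted under the extension finfo implies
```

Note that getimagesizefromstring covers only image types; for other formats on an allowlist you would substitute the corresponding parser (for example a ZIP reader) as the second check.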
