上载pdf文件的真实性 [英] Authenticity of uploaded pdf files

问题描述

我的服务器只能接受pdf文件.我正在使用php上传文件.目前，我正在检查文件是否以％PDF开头，以确保上传的文件确实是pdf文件.是否进行其他检查以确保100％(或至少非常强烈)它是pdf文件.恶意用户可以上传以％PDF开头的可执行文件吗?我将不胜感激.

My server must only accept pdf files. I am using php to upload files. Currently, I am checking if the file starts with %PDF to ensure the uploaded file really is a pdf file. Are there other checks to ensure 100%(or at least very strongly) that it is a pdf file. Can malicious users upload executable files beginning with %PDF? I'd appreciate any help.

推荐答案

您可以使用PECL ClamAV 或类似的文件.

You can use the PECL FileInfo extension to detect the MIME type. (I suspect however, that internally, it just does the same thing you're already doing.) Alternatively, you might use FPDI to see if you can successfully read the file. With PDF files though, I think embedded malware is a bigger concern than misnamed executables. Any time you're accepting uploads from users, it's probably a good idea to run the file through ClamAV or similar.

这篇关于上载pdf文件的真实性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！