上载pdf文件的真实性 [英] Authenticity of uploaded pdf files
问题描述
我的服务器只能接受pdf文件.我正在使用php上传文件.目前,我正在检查文件是否以%PDF开头,以确保上传的文件确实是pdf文件.是否进行其他检查以确保100%(或至少非常强烈)它是pdf文件.恶意用户可以上传以%PDF开头的可执行文件吗?我将不胜感激.
My server must only accept pdf files. I am using php to upload files. Currently, I am checking if the file starts with %PDF to ensure the uploaded file really is a pdf file. Are there other checks to ensure 100%(or at least very strongly) that it is a pdf file. Can malicious users upload executable files beginning with %PDF? I'd appreciate any help.
推荐答案
您可以使用PECL FPDI
来查看是否可以成功读取文件.但是对于PDF文件,我认为嵌入式恶意软件比可执行文件的错误命名要引起更大的关注.每当您接受来自用户的上传时,最好通过 ClamAV
或类似的文件.
You can use the PECL FileInfo
extension to detect the MIME type. (I suspect however, that internally, it just does the same thing you're already doing.) Alternatively, you might use FPDI
to see if you can successfully read the file. With PDF files though, I think embedded malware is a bigger concern than misnamed executables. Any time you're accepting uploads from users, it's probably a good idea to run the file through ClamAV
or similar.
这篇关于上载pdf文件的真实性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!