File Uploading and Security


Question


I'm currently writing an upload class for uploading images. I do extension checks to verify that the uploaded images are of the supported types, and the photos are always chmod(0664) when the uploaded file is copied to its resting place. Is this relatively safe? I don't know much about image encoding, but even if someone went through the trouble of somehow tricking my extension check, the file could never be run on the server anyway unless there was a security hole elsewhere and the attackers were already into my file system, correct? Here's my extension check:

function validate_ext() { // Validates that the file's extension is in the list of allowed extensions
    $extension = $this->get_ext($this->theFile);
    $ext_array = $this->extensions;
    if (in_array($extension, $ext_array)) { // Check if the file's ext is in the list of allowed exts
        return true; // the original also had an echo after this return, which could never run
    } else {
        $this->error[] = "That file type is not supported. The supported file types are: ".$this->extString;
        return false;
    }
}


And here's the function that copies the uploaded file to its final resting place.

function move_file() { // Method wrapper added here; the original snippet showed only the body
    if ($_FILES[$this->uploadName]['error'] === UPLOAD_ERR_OK) {
        $newfile = $this->uploadDir.$this->theFile;
        // move_uploaded_file() only accepts files that came in through PHP's upload mechanism
        if (!move_uploaded_file($this->tempFile, $newfile)) {
            $this->error[] = "The file could not be moved to the new directory. Check permissions and folder paths.";
            die($this->error_text());
        } else {
            $this->error[] = "The file ".$this->originalName." was successfully uploaded.";
            if ($this->renameFile == true) {
                $this->error[] = $this->originalName." was renamed to ".$this->theFile;
            }
            chmod($newfile, $this->fileperm); // e.g. 0664: no execute bit for anyone
        }
    } else {
        // Map PHP's UPLOAD_ERR_* code to a readable message
        $this->error[] = $this->file_upload_error_message($_FILES[$this->uploadName]['error']);
        die($this->error_text());
    }
}

Answer


In the Linux world, as long as you gave the file non-executable permission, the file cannot execute. Whether it's .jpeg or it's .bash. That's true the other way around too, .jpeg with an executable permission could be executed too (if the content of that .jpeg file is executable file, not image content).
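The following is an added example, not code from the asker's class or from the answer above. It combines the two points discussed on this page: the extension whitelist from the question, and the "no execute bit" point from the answer. It also adds the checks a practitioner would want around them, because a web server normally decides how to handle a file by its name and its own handler configuration, not by the Unix execute bit, so the stored name and the file's actual content both need to be validated. The form field name `photo`, the directory `/var/app/uploads`, and the function names `validate_image_upload` and `store_image_upload` are assumptions for the example.

```php
<?php
// Added example: a hardened image-upload handler (not the asker's code).
// Assumed: the form field is $_FILES['photo'] and $uploadDir is a directory
// the web server serves as static files only (no script handler attached).

function validate_image_upload(array $file, array $allowedExt = ['jpg', 'jpeg', 'png', 'gif']): array
{
    $errors = [];

    // 1. PHP's own upload status must be OK before any other field is trusted.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'Upload failed with PHP error code ' . ($file['error'] ?? 'unknown');
        return [false, $errors, null];
    }

    // 2. Only accept a temp file that actually came through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        $errors[] = 'Temporary file is not an uploaded file.';
        return [false, $errors, null];
    }

    // 3. Extension whitelist, taken from the last dot and lower-cased, compared strictly.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        $errors[] = 'Extension "' . $ext . '" is not allowed.';
        return [false, $errors, null];
    }

    // 4. Content check: MIME type derived from the bytes on disk,
    //    never from the client-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $mimeForExt = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    if (($mimeForExt[$ext] ?? null) !== $mime) {
        $errors[] = 'File content (' . $mime . ') does not match extension .' . $ext;
        return [false, $errors, null];
    }

    // 5. The image header must be parseable; getimagesize() returns false otherwise.
    if (@getimagesize($file['tmp_name']) === false) {
        $errors[] = 'File is not a decodable image.';
        return [false, $errors, null];
    }

    return [true, $errors, $ext];
}

function store_image_upload(array $file, string $uploadDir): array
{
    [$ok, $errors, $ext] = validate_image_upload($file);
    if (!$ok) {
        return [false, $errors];
    }

    // Never reuse the client's filename: random name plus the validated extension only.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target  = rtrim($uploadDir, '/') . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, ['Could not move the uploaded file; check directory permissions.']];
    }

    // 0644: owner read/write, everyone else read-only, no execute bit for anyone
    // (the point made in the answer above).
    chmod($target, 0644);
    if (is_executable($target)) {
        unlink($target);
        return [false, ['Stored file unexpectedly ended up executable; it was removed.']];
    }

    return [true, [$newName]];
}

// Usage inside a request handler (assumed field name and directory):
// [$ok, $messages] = store_image_upload($_FILES['photo'], '/var/app/uploads');
```

The order of checks is deliberate: the cheap extension test runs first, but a file only reaches disk after its bytes have been identified as the matching image type and parsed as an image, and it is stored under a server-generated name so nothing from the client's filename survives into the path.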
