Security considerations when using canvas in conjunction with file uploading


Question

I'm working on an image editor/uploader based around Pixastic where I grab image data out of an <input> tag, put it into a canvas, and after manipulating it, encode the data in base 64 and post it to my app with JavaScript, where it will be saved as a new image file. If it were a standard file upload, I would give the file a new (safe) name, test to make sure it was really an image file and copy it to strip any potentially malicious/personal EXIF data before making it available to users.

My question is - do those security measures make sense in the canvas situation, or are they pointless? Additionally, are there any security issues with my approach that I'm overlooking?

FYI: the server-side decoding/etc. will be done with PHP.

Thanks.

Recommended answer

Some of what you have asked (not sure if all) is discussed by Shiflett here. Check it and comment what you think of it!
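
The checks listed in the question (safe name, real-image test, copy to strip metadata), applied to a base64 canvas upload in PHP. This is an added example, not part of the original question or answer; it treats the POSTed string as untrusted because the server cannot tell whether it came from the canvas. The function name, the size limits, the PNG-only policy and the use of the GD extension are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; limits, names and the PNG-only policy are assumptions.
const MAX_BYTES  = 5 * 1024 * 1024;  // assumed cap on decoded upload size
const MAX_PIXELS = 4096 * 4096;      // assumed cap on width * height

function saveCanvasUpload(string $dataUrl, string $uploadDir): string
{
    // Expect the default canvas.toDataURL() form; anything else is rejected.
    $prefix = 'data:image/png;base64,';
    if (strncmp($dataUrl, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('not a base64 PNG data URL');
    }
    $b64 = substr($dataUrl, strlen($prefix));
    // Bound the input before decoding (base64 is 4/3 the decoded size).
    if (strlen($b64) > intdiv(MAX_BYTES * 4, 3) + 4) {
        throw new InvalidArgumentException('upload too large');
    }
    $raw = base64_decode($b64, true);  // strict: false on non-alphabet bytes
    if ($raw === false || $raw === '') {
        throw new InvalidArgumentException('invalid base64');
    }
    // Header check: the bytes must really be a PNG, whatever the prefix says.
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        throw new InvalidArgumentException('not a PNG image');
    }
    if ($info[0] * $info[1] > MAX_PIXELS) {
        throw new InvalidArgumentException('image dimensions too large');
    }
    // Decode to pixels and re-encode with GD: metadata chunks and any bytes
    // appended after the image data are not carried into the new file.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        throw new InvalidArgumentException('image could not be decoded');
    }
    imagesavealpha($img, true);        // keep transparency from the canvas
    // Server-generated name and fixed extension; no client value in the path.
    $path = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $path)) {
        throw new RuntimeException('could not write image');
    }
    return $path;
}
```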
