我如何获得用来让用户上传文件的文件夹？ [英] How do I secure a folder used to let users upload files?

问题描述

我有一个文件夹中使用，为用户使用ASP页面，上传照片我的Web服务器。

I have a folder in my web server used for the users to upload photos using an ASP page.

是否足够安全给IUSR写入权限的文件夹？我必须保护的东西？
恐怕黑客绕过ASP页面，并直接将内容上传至该文件夹中。

Is it safe enough to give IUSR write permissions to the folder? Must I secure something else? I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.

我使用ASP经典IIS6的Windows 2003 Server上。上传是通过HTTP，FTP不是

I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.

编辑：更改问题的清晰度和改变我的答案是注释

Changing the question for clarity and changing my answers as comments.

推荐答案

另外，我建议不要让网友上传到这是从Web访问的文件夹。即使是最好的MIME类型检测可能会失败，你绝对不希望用户上传，比方说，伪装成在你的MIME探查失败的情况下的JPEG格式的可执行文件，但在IIS正常工作。

also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.

在PHP的世界，它甚至更糟，因为攻击者可以上传恶意PHP脚本，并通过Web服务器以后访问它。

In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.

总是，总是上传的文件的某处存储在目录中的文档根目录以外，并通过一些访问，脚本，不额外消毒（至少明确地设置一个图像/任何MIME类型。

Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets a image/whatever MIME type.

这篇关于我如何获得用来让用户上传文件的文件夹？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！