PHP file upload: MIME or extension based verification?


Question

When I try to process file upload, should I run verification based on file MIME type or file-extension?

What are Pros & cons of these 2 ways of file validating?

And, any other security issues should I be concerned of?

In these days I was relying on MIME type, but the answer with most up-votes in this post, File upload issues in PHP, says:

Never rely on the MIME type submitted by the browser!

Solution

Okay, so to all the geniuses here yapping something about "SCREW EXTENSIONS, CHECK MIME! FILEINFO RLZ!", I've prepared some tutorial:

  1. Download this pretty php logo I drew
  2. View it. Pretty nice, isn't it?
  3. Rename it to whatever_you_like.php
  4. Put it through all your awesome mime type/whatever checkers
  5. Run it

In conclusion, you should NEVER EVER EVER rely on MIME type. Your web server doesn't care about MIME type, it determines what to do by EXTENSION, and the ultimately downvoted @Col. Shrapnel's answer is actually right. Any information provided to you by something checking MIME is absolutely irrelevant to your webserver when it comes to execution.

EDIT: the not-as-uncommon-code-as-you'd-want-it-to-be that opens a website to this type of attack:

<?php

// Sniffs the uploaded bytes, but then stores the file under the name the browser sent.
$mimetype = mime_content_type($_FILES['file']['tmp_name']);
if (in_array($mimetype, array('image/jpeg', 'image/gif', 'image/png'))) {
    // The extension (and any path components) come straight from the client,
    // so a valid image renamed to something.php is written as something.php.
    move_uploaded_file($_FILES['file']['tmp_name'], '/whatever/something/imagedir/' . $_FILES['file']['name']);
    echo 'OK';
} else {
    echo 'Upload a real image, jerk!';
}
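As an added example that is not part of the original answer, here is the same handler hardened along the lines the answer argues for: the client's filename and MIME type are ignored entirely, the type is sniffed from the bytes on disk, and the server assigns both the extension and the storage directory. UPLOAD_DIR, MAX_BYTES, ALLOWED and the function name store_image are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Assumed: UPLOAD_DIR is served
// statically with no PHP handler mapped to it, and the size cap is a placeholder.
const UPLOAD_DIR = '/var/www/uploads_noexec';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed sniffed content types and the extension each one is stored under.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Validate one $_FILES entry and return the stored filename, or throw.
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the bytes on disk; $file['type'] is client-supplied and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type: ' . $mime);
    }

    // Second opinion: the file must actually decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not decode as ' . $mime);
    }

    // Never reuse the client's filename: the server picks both name and extension,
    // so a 'logo.php' from the browser can only ever land as '<random>.jpg'.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// In the request handler:
// echo store_image($_FILES['file']);
```

Content sniffing still accepts a valid image with PHP appended to it, so the server-chosen extension and the non-executable upload directory carry the real weight, which is exactly the answer's point.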
