What is the most secure method for uploading a file?


Problem description



The company I work for has recently been hit with many header injection and file upload exploits on the sites we host and while we have fixed the problem with respect to header injection attacks, we have yet to get the upload exploits under control.

I'm trying to set up a plug-and-play-type series of upload scripts to use in-house that a designer can copy into their site's structure, modify a few variables, and have a ready-to-go upload form on their site. We're looking to limit our exposure as much as possible (we've already shut down fopen and shell commands).

I've searched the site for the last hour and found many different answers dealing with specific methods that rely on outside sources. What do you all think is the best script-only solution that is specific enough to use as a reliable method of protection? Also, I'd like to keep the language limited to PHP or pseudo-code if possible.

Edit: I've found my answer (posted below) and, while it does make use of the shell command exec(), if you block script files from being uploaded (which this solution does very well), you won't run into any problems.

Solution

The best solution, IMHO, is to put the directory containing the uploaded files outside of the "web" environment and use a script to make them downloadable. In this way, even if somebody uploads a script it cannot be executed by calling it from the browser and you don't have to check the type of the uploaded file.
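The layout the answer describes, as an added example that is not part of the original question or answer: an upload handler that stores each file under a random name in a directory the web server never serves, and a download script that is the only way to read files back. The paths (`/var/www/uploads` outside an assumed `/var/www/html` document root), the size limit, the whitelist of extensions and the JSON sidecar for metadata are all assumptions of this example; the `fileinfo` extension is assumed to be available. The extension and MIME checks are defence in depth on top of the answer's core point, which is that location alone stops uploaded scripts from executing.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed layout: /var/www/html is the web root, /var/www/uploads is NOT served
// by the web server at all, so nothing placed there can be requested directly.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads';          // assumption: outside docroot
const MAX_BYTES   = 5 * 1024 * 1024;             // assumption: 5 MiB cap
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt']; // assumption

/**
 * upload.php: call handleUpload($_FILES['file']) from the POST handler.
 * Returns the opaque token the client later uses to fetch the file.
 */
function handleUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed: ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client-supplied name is never used as a path. Only its extension is
    // looked at, and only against a whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not allowed');
    }
    // Determine the content type from the bytes, not from the browser's claim.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);

    // A random token is the on-disk name: no user-controlled path component,
    // no extension, so even a PHP file lands as an opaque blob.
    $token = bin2hex(random_bytes(16));
    $dest  = UPLOAD_DIR . '/' . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0600); // not executable, not readable by other users

    // Metadata is kept beside the blob; the original name is only ever used
    // to build a sanitised Content-Disposition header.
    file_put_contents(UPLOAD_DIR . '/' . $token . '.json', json_encode([
        'name' => basename($file['name']),
        'mime' => $mime,
        'size' => $file['size'],
    ]));
    return $token;
}

/**
 * download.php?t=<token>: the only way stored files reach a browser. The token
 * must match ^[0-9a-f]{32}$, so no request can name another path.
 */
function serveDownload(string $token): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        http_response_code(400);
        exit;
    }
    $blob = UPLOAD_DIR . '/' . $token;
    $meta = @json_decode((string) @file_get_contents($blob . '.json'), true);
    if (!is_file($blob) || !is_array($meta)) {
        http_response_code(404);
        exit;
    }
    // Only a short list of types is ever rendered inline; anything else is
    // forced to download, so a blob that happens to contain HTML or JavaScript
    // is never interpreted in the site's origin.
    $inline      = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];
    $disposition = in_array($meta['mime'], $inline, true) ? 'inline' : 'attachment';
    $type        = $disposition === 'inline' ? $meta['mime'] : 'application/octet-stream';

    // Quotes, CR and LF are stripped so the filename cannot inject headers.
    $safeName = preg_replace('/[^\w.\-]/', '_', $meta['name']);

    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($blob));
    header("Content-Disposition: $disposition; filename=\"$safeName\"");
    readfile($blob); // the file is read and streamed, never included or executed
}

// Entry point for download.php (upload.php would call handleUpload() instead).
if (PHP_SAPI !== 'cli' && isset($_GET['t'])) {
    serveDownload((string) $_GET['t']);
}
```

The property worth checking after deploying something like this is the one the answer relies on: request `http://your-site/uploads/<token>` directly and confirm the web server returns 404 or 403 rather than the file. If the uploads directory is reachable by URL, none of the checks in the script matter, because a stored `.php` file would be executed by the server rather than streamed by `readfile()`.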
