Secure File Upload and validating it


Problem description



I get Video uploads and image uploads:

My environment: LAMP

EDIT: I will allow remote upload and POST video upload

EDIT2: The files which I get will be renamed; I won't store the original file names.

  1. First I check the MIME type with $_FILES.

  2. Second I check the MIME type again with finfo_file (if the function exists, PHP 5.3) or with the shell command file.

  3. The file gets moved to the public dir if it passed the above checks.

My question is: is this setup secure? Or can I improve something? I read the whole day yesterday; this seems enough to me, but who knows :)

I'm a novice when it comes to coding and security :-)

Solution

As long as you rename with your own file name and extension, and have no include-type vulnerabilities in your app's code (i.e.: include($_GET['whatever']);), this is fairly good. You will also want to make sure everything on your server stack is the latest version (especially anything that processes images/video).

Others would recommend including a file-serving script which outputs the file, instead of keeping the file in a public folder and referencing the file directly in your src attributes. Some would also recommend virus scanning everything.
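The following is an added example (not code from the question or the answer) of the flow the answer recommends on a LAMP stack: the client-supplied type in $_FILES is ignored, the type is detected from the file contents with finfo, the MIME type is mapped through an allowlist to an extension the server chooses itself, and the file is stored under a random name. The form field name "upload", the destination directory and the PHP 7+ random_bytes() call are assumptions.

```php
<?php
// Added example: hardened upload handler. Assumes a form field named
// "upload" and a destination directory from which the web server does
// not execute scripts (both assumptions, not from the original post).

// Allowlist: server-detected MIME type -> extension we assign ourselves.
// $_FILES['upload']['type'] is never consulted: the browser sets it and
// it can say anything.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'video/mp4'  => 'mp4',
    'video/webm' => 'webm',
];

function storeUpload(array $file, string $destDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Only accept files that really came through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Detect the type from the file contents, not from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Rejected type: ' . var_export($mime, true));
    }
    // Original name and extension are discarded; both are assigned here.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target  = rtrim($destDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move file');
    }
    chmod($target, 0644); // readable by the web server, never executable
    return $newName;
}

// Usage (assumed field name and directory):
// $stored = storeUpload($_FILES['upload'], '/var/www/uploads');
```

If the files are served through a script rather than directly from a public folder, the same allowlist entry can be used to set the Content-Type header, so the served type never depends on the stored extension alone.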
