Is it secure to blindly trust image urls and output them into html img tags on a site? Can it be used to inject code?


Question



I have to process a feed from a data provider. In this feed they provide us with image URLs; currently we download them and store them in our own media server, but I was wondering if it was safe to simply get the URL and output it directly in the HTML as the src attribute of an img tag.

My main concern is whether this exposes us to the possibility of someone placing files under that URL which could run malicious scripts / do something other than render an image (or fail to render an image if it isn't one / doesn't exist, which is fine).

Will the img src attribute only render images, or will it download the file specified in the URL to the user's browser regardless of what it is?

I can verify at the import stage that the URL at least appears to be a valid image URL, so it would only ever have .jpg or whatever as an extension, but obviously this might still allow them to redirect to something else.

Solution

Image URLs can of course point to scripts (with some URL rewriting), but there's no risk of getting a script run from an image load. The URL's data is treated as binary image data, not as runnable text/script.

If it's a script, for your browser it's nothing more than a corrupted image file. So, no code injection risk. At least this is what I know.
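An added example (not part of the original question or answer): the answer's point is that the bytes the browser fetches from an image URL are decoded as an image, never executed. The part of the question that still needs a check is emitting a provider-supplied URL string into an HTML attribute: the string must be restricted to http(s) and attribute-escaped, otherwise the value itself can close the `src` attribute and add markup. The host allowlist and the sample inputs below are constructed for illustration.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Only fetchable schemes are allowed; javascript:, data:, file: etc. are rejected.
ALLOWED_SCHEMES = {"http", "https"}


def validate_image_url(url: str, allowed_hosts: Optional[set] = None) -> Optional[str]:
    """Return the URL (whitespace-trimmed) if it is an absolute http(s) URL, else None.

    allowed_hosts, when given, restricts the URL to the data provider's own hosts
    (hypothetical allowlist; the real one comes from your provider contract).
    """
    if not isinstance(url, str):
        return None
    # Control characters (tab, newline, ...) are used to smuggle schemes past
    # naive prefix checks, so refuse the whole URL rather than strip them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return None
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # also rejects protocol-relative "//host/path"
    if allowed_hosts is not None and (parts.hostname or "").lower() not in allowed_hosts:
        return None
    return candidate


def render_img_tag(url: str, alt: str = "", allowed_hosts: Optional[set] = None) -> Optional[str]:
    """Render an <img> tag for a provider-supplied URL, or None if the URL is rejected."""
    safe_url = validate_image_url(url, allowed_hosts)
    if safe_url is None:
        return None
    # html.escape encodes & < > " and ' so the value cannot terminate the attribute.
    return '<img src="{}" alt="{}">'.format(escape(safe_url), escape(alt))


def render_img_tag_unsafe(url: str) -> str:
    """The naive concatenation the question describes, kept only for contrast."""
    return '<img src="' + url + '">'


if __name__ == "__main__":
    # Constructed sample: a URL whose path closes the attribute and adds one of its own.
    sample = 'https://cdn.example.com/a.jpg" alt="injected'
    print(render_img_tag_unsafe(sample))  # attribute breakout: ... alt="injected">
    print(render_img_tag(sample))         # breakout neutralised by escaping
    print(render_img_tag("javascript:alert(1)"))  # None: scheme rejected
```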
