Block upload of executable images (PHP)


Question


It has come to my attention that a user has been trying to create an exploit through avatar image uploads. This was discovered when a user reported to me that they were getting a notice from their Norton Anti-virus saying "HTTP Suspicious Executable Image Download." This warning was referencing the user's avatar image. I don't think they had actually achieved anything in the way of stealing information or anything like that, but I assume it could be possible if the hole is left open long enough. I use PHP to upload the image files, and I check if the file being uploaded is a png, jpg, bmp, or gif.


This is the code that checks if it is an image:

// Allowed MIME types. Note that $this->tmp_image['type'] comes from
// $_FILES[...]['type'], which is the type declared by the client's browser.
$this->allow_types = array('image/jpeg', 'image/png', 'image/gif', 'image/jpg', 'image/bmp', 'image/bitmap');
if (in_array($this->tmp_image['type'], $this->allow_types)) {
    return true;
}


Answer


There is no way to prevent uploading of malicious files. What you need to care about instead is how you handle those files.


Suggestions such as re-saving the image file are doomed. It is possible to bypass such manipulation by ordering the bits so that they are in the order the attacker wants after a known image compressor has run.


There are so many ways to combine images and malicious files. A malicious file could be an executable, or just contain JavaScript that gets interpreted by a browser. Besides, how are you supposed to re-save files that are not of an image type?


When handling file uploads, one must take care of the following.


  • 限制每个用户上传的字节数,以免服务器空间不足。

  • Limit the amount of bytes to upload per user so your server won't run out of space.

限制每个用户上传的文件数量,这样您的服务器就不会用完inode。

Limit the amount of files to upload per user so your server won't run out of inodes.

存储文件在文档根目录下方,以便它们不能直接访问。

Store the files above your document root so that they aren't directly accessible.

通过PHP代理脚本提供文件,写如:

Serve your files through a PHP-proxy script, write something like:

<?php
// Proxy script: read the stored file from outside the document root and send it
// with an explicit type and nosniff, so the browser does not guess the content type.
$data = file_get_contents('/home/account/files/file.png');
header('Content-Type: image/png');
header('Content-Length: ' . strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;


  • 将上传的文件重命名为具有完全随机的名称,不带扩展名。如果您需要存储文件名(和扩展名/类型),请将详细信息存储在数据库中。

  • Rename uploaded files to have a completely random name without an extension. If you need to store the filename (and extension/type), store the details in the database.

    如果需要,仅在用户拥有文件时提供文件获得许可。

    If needed, serve files only when the user has a permission to have it.

    绝不包含/执行您上传的文件。这意味着PHP中不包含或要求。没有包含它们的HTML脚本标记或样式表标记。没有Apache包括它们的命令。等等。

    Never include/execute the files you uploaded. This means no include or require in PHP. No HTML script tags or stylesheet tags including them. No Apache Include commands including them. And so forth.

    如果可能,请提供其他来源的文件。这大多消除了Flash发生的原始问题。使用不同的端口,域名或IP地址也可以。从子域服务是危险的,并且使用IP地址实现变得稍微困难​​(即,您不能通过域提供文件,仅通过IP提供服务,并且您不能通过IP服务站点,而是通过域提供服务)。

    If at all possible, serve the files from other origin. This eliminates origin issues that occur with Flash mostly. Using a different port, a domain name or an IP-address is also fine. Serving from sub-domains is dangerous and with IP-addresses the implementation gets slightly harder (i.e., you can't serve files via the domain, only via IP and you can't serve the site via IP, but via the domain).

    谨防LFI和RFI。在使用 fopen() read()等函数中的文件名之前重命名文件名,并验证/清理任何目录值。

    Beware of LFI and RFI. Rename the filenames before using the filename within functions like fopen(), read(), etc. and validate/sanitize any directory values as needed.
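The list above, worked into one upload handler and one proxy script, as an added example that is not code from the original question or answer. It assumes a PDO connection `$db` to a table `uploads(id, owner_id, mime, size)`, the `/home/account/files` directory from the answer's snippet as storage outside the document root, and made-up quota numbers; the function names `storeUpload` and `serveUpload` and the `INLINE_TYPES` list are choices made here.

```php
<?php
// Added example, not code from the original question or answer. Assumptions:
// uploads live in /home/account/files outside the document root, $db is a PDO
// connection to a table uploads(id, owner_id, mime, size), and the limits are made up.
declare(strict_types=1);

const UPLOAD_DIR      = '/home/account/files'; // above the document root, never web-reachable
const MAX_FILES       = 20;                    // per-user inode budget (constructed value)
const MAX_TOTAL_BYTES = 5 * 1024 * 1024;       // per-user disk budget (constructed value)
const MAX_FILE_BYTES  = 1024 * 1024;           // single upload cap (constructed value)

// Types that may be rendered inline; anything else is sent as a plain download.
const INLINE_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/bmp'];

// Store one entry of $_FILES for $userId and return its random id.
function storeUpload(PDO $db, int $userId, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_FILE_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Per-user quotas for both disk space and file count, from what is already recorded.
    $st = $db->prepare('SELECT COUNT(*), COALESCE(SUM(size), 0) FROM uploads WHERE owner_id = ?');
    $st->execute([$userId]);
    [$count, $bytes] = $st->fetch(PDO::FETCH_NUM);
    if ((int)$count >= MAX_FILES || (int)$bytes + $file['size'] > MAX_TOTAL_BYTES) {
        throw new RuntimeException('quota exceeded');
    }

    // Completely random name with no extension. The client-supplied name and type
    // never touch the filesystem; the declared type is kept only as database metadata.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not store file');
    }

    $st = $db->prepare('INSERT INTO uploads (id, owner_id, mime, size) VALUES (?, ?, ?, ?)');
    $st->execute([$id, $userId, (string)$file['type'], (int)$file['size']]);
    return $id;
}

// Proxy script body: send the file $id to $userId, or answer 404.
function serveUpload(PDO $db, int $userId, string $id): void
{
    // LFI/RFI guard: only the 32 hex characters generated above may reach the path,
    // so "../", URLs and NUL bytes are rejected before any filesystem call.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(404);
        return;
    }

    // Permission check: here only the owner may fetch the file.
    $st = $db->prepare('SELECT mime FROM uploads WHERE id = ? AND owner_id = ?');
    $st->execute([$id, $userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }

    $data = file_get_contents(UPLOAD_DIR . '/' . $id);
    if ($data === false) {
        http_response_code(404);
        return;
    }

    if (in_array($row['mime'], INLINE_TYPES, true)) {
        header('Content-Type: ' . $row['mime']);
        header('Content-Disposition: inline; filename="' . $id . '"');
    } else {
        // Unknown or non-image type: never let the browser interpret it.
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $id . '"');
    }
    header('Content-Length: ' . strlen($data));
    header('X-Content-Type-Options: nosniff');
    echo $data;
}

// Usage (upload.php):     $id = storeUpload($db, (int)$_SESSION['user_id'], $_FILES['avatar']);
// Usage (file.php?id=..): serveUpload($db, (int)$_SESSION['user_id'], (string)($_GET['id'] ?? ''));
```

Host the proxy script on the separate origin the answer recommends. The random id is the only thing a request ever names, so the path under `UPLOAD_DIR` cannot be steered by the client, and the stored file is never passed to `include`, `require` or any other interpreter; it is only read and echoed.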
