dongren2128 2010-05-17 19:07
浏览 84
已采纳

阻止上传可执行映像(PHP)

It has come to my attention that a user has been trying to create an exploit through avatar image uploads. This was discovered when a user reported to me that they were getting a notice from their Norton Anti-virus saying "HTTP Suspicious Executable Image Download." This warning was referencing the user's avatar image. I don't think they had actually achieved anything in the way of stealing information or anything like that, but I assume it could be possible if the hole is left open long enough. I use PHP to upload the image files, and I check if the file being uploaded is a png, jpg, bmp, or gif.

This is the code that checks if it is an image:

$allow_types = array('image/jpeg', 'image/png', 'image/gif', 'image/jpg', 'image/png', 'image/bmp', 'image/bitmap');
if (in_array($this->tmp_image['type'], 
$this->allow_types)) {
   return true;
}
  • 写回答

4条回答 默认 最新

  • dtv55860 2010-05-17 19:51
    关注

    There is no way to prevent uploading of malicious files. What you need to care about instead is how you handle those files.

    Suggestions such as re-saving the image file are doomed. It is possible to bypass such manipulation by ordering the bits so that they are in the order the attacker wants after a known image compressor has run.

    There are so many ways to combine images and malicious files. A malicious file could be an executable, or just contain JavaScript that gets interpret by a browser. Besides, how are you supposed to re-save files that are not type of image?

    When handling file uploads, one must take care of the following.

    • Limit the amount of bytes to upload per user so your server won't run out of space.

    • Limit the amount of files to upload per user so your server won't run out of inodes.

    • Store the files above your document root so that they aren't directly accessible.

    • Serve your files through a PHP-proxy script, write something like:

      $data = file_get_contents('/home/account/files/file.png');
header('Content-Type: image/png');
header('Content-Length: '. strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;

    • Rename uploaded files to have a completely random name without an extension. If you need to store the filename (and extension/type), store the details in the database.

    • If needed, serve files only when the user has a permission to have it.

    • Never include/execute the files you uploaded. This means no include or require in PHP. No HTML script tags or stylesheet tags including them. No Apache Include commands including them. And so forth.

    • If at all possible, serve the files from other origin. This eliminates origin issues that occur with Flash mostly. Using a different port, a domain name or an IP-address is also fine. Serving from sub-domains is dangerous and with IP-addresses the implementation gets slightly harder (i.e., you can't serve files via the domain, only via IP and you can't serve the site via IP, but via the domain).

    • Beware of LFI and RFI. Rename the filenames before using the filename within functions like fopen(), read(), etc. and validate/sanitize any directory values as needed.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行
  • ¥20 测距传感器数据手册i2c
  • ¥15 RPA正常跑,cmd输入cookies跑不出来