doufen3786 2010-01-27 16:51
浏览 32
已采纳

WordPress / FTP自定义文件上传安全性

My file upload routine first checks to make sure the user is logged in to the wordpress application which is hosting the upload form...CHECK!

Here is the code at the top of my uploader utility that does this...

if (!is_user_logged_in()){
    die("You Must Be Logged In to Access This");;
}

So far so good. Now I'm seeking to further secure the upload utility to prevent malicious scripts from being extracted from the uploaded zip files (the upload requires a zip file).

The downside to using a zip, I presume, is that it can contain any number or type of files that might make it more complicated to handle than otherwise.

So my question is for tips on how to further secure this uploader to make sure no malicious files are sent. The desired allowed files are .php, .jpg, .gif, .png

  • 写回答

1条回答 默认 最新

  • dongmaomou4117 2010-01-27 16:59
    关注

    Your approach goes the wrong way. You need to make sure that none of the files in the ZIP file are ever going to be used in a situation in which malicious files could do any damage.

    You will never be able to guarantee that an uploaded ZIP file contains only non-malicious data. To do that, you would have to virus scan it, parse the containing PHP code, and whatnot.

    Just see that whatever maliciousness is contained, can never unfold.

    For PHP scripts, for example, you would have to ensure that they are not stored anywhere where they can be called from the outside, and executed.

    For images.... Well, if you want to make totally sure they don't contain any exploits that attack image displaying components, you could always copy them using PHP´s gd functions, destroying any EXIF Metadata (and probably any other harmful stuff) in the process.

    There is still some basic sanitation one could and should do. Check out this question (link below, markdown seems broken right now) for more reading on the issue - especially bobince's answer and the link he posts. That taught me a lot.

    How to make a safe file upload script in php?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 安装svn网络有问题怎么办
  • ¥15 Python爬取指定微博话题下的内容,保存为txt
  • ¥15 vue2登录调用后端接口如何实现
  • ¥65 永磁型步进电机PID算法
  • ¥15 sqlite 附加(attach database)加密数据库时,返回26是什么原因呢?
  • ¥88 找成都本地经验丰富懂小程序开发的技术大咖
  • ¥15 如何处理复杂数据表格的除法运算
  • ¥15 如何用stc8h1k08的片子做485数据透传的功能?(关键词-串口)
  • ¥15 有兄弟姐妹会用word插图功能制作类似citespace的图片吗?
  • ¥15 latex怎么处理论文引理引用参考文献