开发者

Security: How to validate image file uploads?

问答 作者:

I need to accept image file uploads from the users.

How can I check and be 100% sure that I don't get a malicio开发者_JAVA技巧us file or something?

Check the mime type? Re-draw the image? Anti-virus?

Redraw the image, read it up with GD's imagecreatefromXXX() and save it back with imageXXX()

This way you can also scale it to more convenient sizes and keep bandwidth consumption in check.

To save on computing power, deny upload to files bigger than a certain limit.

5megs or 10megs should be fine, as limits go.

Keep GD updated, and be wary that (7 years ago, apparently) it used to sport buffer overflows in the handling of PNG images

Alternatively, you could also preprocess uploaded images in background with commands such as ImageMagick's convert and such.

Last note of warning: on Windo(w)s convert is also a command used to format hard disk, so put some effort into removing abiguities if you deploy on that.

If you are concerned about malicious files use an antivirus checker, or better yet, two of them since one might be lagging on a particular new strain.

MIME types can be spoofed, as can using file.

You could use code to open it, checking to see if all the blocks are the right sizes, but exploits take advantage of flaws in the code used to open the image. You could be opening the door to exploit on your host/server if your code isn't hardened and aware of all the ways it could be exploited - it's almost a chicken and egg situation, so I lean toward trusting a couple antivirus tools more.

I would not go for 100% image type validation, I use simple script to check image type validation

<?php

$imgExtension = array('jpg','jpe','jpeg','gif','png');
$image_name = pathinfo($_FILES['image']['name']);
$extension = strtolower($image_name['extension']);
if(in_array($extension,$ImgExtension)) {
    //process file upload - move_uploaded_file()
}

?>

Still you can also check mime type to make more accurate validation.

I'm not sure if it's completely safe but you could use

if( getimagesize($filename) )
  //probably an image

继续阅读:mime-typesphpsecurityupload

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9