问题
I have file uploaded system in my php project.
What I make at uploading:
1) Check file extension and file mime type.
2) If extension and mime type are allowed types, I save file outside of public_html directory and then, I give the opportunity to users, download file so:
if (file_exists($file_path)) {
header('Content-Description: File Transfer');
header('Content-Type: some mime type');
header('Content-Disposition: attachment; filename=somefilename');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file_path));
readfile($file_path);
}
Question: this steps for uploading file, are secure or not? If not, what can make additional, for improve secure at uploading file?
Thanks.
回答1:
- Checking the MIME type doesn't help at all, because that information can be crafted.
- It depends how you are checking the file extension and what you are doing with that information. Try using "white list" for file extension instead of a "black list".
- Moving it outside of the public_html is a good idea, also try to rename the file and just add the extension to it.
- Be extra careful with compressed files, you could end up dealing with some zipbomb or something like that.
- Be careful with the file if you are going to do some sort of operation with it, like resizing images. Remember you are dealing with an user input that will interact with your code and it could be crafted to exploit your code (code execution vulnerability for example).
Also try reading this article, it will give you some helpful information that you might not have tough before.
来源:https://stackoverflow.com/questions/21560949/secure-uploading-file