One, verifying whether a file is an image can usually be done in the following three ways:
1) Check whether the file extension is one of the allowed image extensions
This is the most widely used check, but on its own it is inadequate: anyone can rename a file so that it carries an image extension and walk straight past it. If the uploaded file is actually a PHP or JSP shell and the server can be made to execute it (a misconfigured handler, a later rename, a path-manipulation bug), the site is effectively in the attacker's hands.
The check is still not useless. Put it at the outermost layer, as an allowlist: a file whose extension is not one of the image extensions we accept is rejected before any of the content checks below run. This relieves the server to some extent, because otherwise every upload has to be read and inspected in full before it can be turned away.
2) Check the first few bytes of the file, the so-called magic number
Different file types begin with different bytes; for a list, see my other post: Magic numbers representing different file types.
This check is also unreliable, because it only looks at the first few bytes. Someone can rename an executable PHP file to .png and prepend the two bytes 89 50 (the start of the PNG signature), and the check is bypassed.
Here is a sample program that reads the first two bytes of a file in Java:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class ImageTypeCheck {

    // Render a byte array as a lowercase hex string, e.g. {0x89, 0x50} -> "8950".
    public static String bytesToHexString(byte[] src) {
        if (src == null || src.length <= 0) {
            return null;
        }
        StringBuilder stringBuilder = new StringBuilder();
        for (int i = 0; i < src.length; i++) {
            int v = src[i] & 0xFF;
            String hv = Integer.toHexString(v);
            if (hv.length() < 2) {
                stringBuilder.append(0);
            }
            stringBuilder.append(hv);
        }
        return stringBuilder.toString();
    }

    public static void main(String[] args) throws IOException {
        String imagePath = "C:/favicon.png";
        File image = new File(imagePath);
        byte[] bt = new byte[2];
        // try-with-resources closes the stream even if read() throws
        try (InputStream is = new FileInputStream(image)) {
            int n = is.read(bt); // may return fewer than 2 bytes for a tiny file
            if (n < 2) {
                System.out.println("file is shorter than 2 bytes");
                return;
            }
        }
        System.out.println(bytesToHexString(bt));
    }
}
```
Like the extension check, though, this one is not useless: it is a cheap early filter that lays the groundwork for the next check.
3) Get the width and height of the image
If a decoder can read the file and report a positive width and height, the file contains a valid image; a non-image file yields no dimensions at all. Note that this proves the file is an image, not that it is only an image: a decoder stops at the end of the image data, so bytes appended after it (see the next section) do not make the decode fail. The following Java code decides whether a file is an image by whether its width and height can be obtained:
```java
import java.awt.Image;
import java.io.File;
import javax.imageio.ImageIO;

/**
 * A very simple way to judge whether a file is an image: decode it with
 * ImageIO and check that it has a positive width and height.
 *
 * @param imageFile the file to check
 * @return true if ImageIO can decode it and it has positive dimensions
 */
public static boolean isImage(File imageFile) {
    if (!imageFile.exists()) {
        return false;
    }
    Image img = null;
    try {
        img = ImageIO.read(imageFile);
        // ImageIO.read returns null when no registered reader recognises the data
        if (img == null || img.getWidth(null) <= 0 || img.getHeight(null) <= 0) {
            return false;
        }
        return true;
    } catch (Exception e) {
        // corrupt or truncated image data throws during decoding
        return false;
    } finally {
        img = null;
    }
}
```
Two, security handling of image files
We can now determine whether a file is an image. But what if someone adds illegal code to an otherwise normal, viewable image file?
This is a normal image with some IFRAME code appended at the end. I have tried opening this image on its own and also placing it on a web page; although the code was not executed, that does not mean other inserted code would not be, and anti-virus software (such as Avast) reports it as a virus.
So how do we guard against a file like this, which opens normally, carries a correct image extension, and yields a width and height? At this point we can rewrite the image: add a watermark or resize it, so that the newly generated file is built only from the pixels the decoder rendered and no longer carries the appended code (metadata blocks and comments embedded in the original are dropped the same way). Below is a Java implementation that adds a watermark:
```java
import java.awt.AlphaComposite;
import java.awt.Graphics2D;
import java.awt.Image;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import javax.imageio.ImageIO;

/**
 * Add an image watermark.
 *
 * @param srcImg   target image path, e.g. C:\\kutuku.jpg
 * @param waterImg watermark image path, e.g. C:\\kutuku.png
 * @param x        offset of the watermark from the left edge of the target; if x < 0, centred horizontally
 * @param y        offset of the watermark from the top edge of the target; if y < 0, centred vertically
 * @param alpha    transparency (0.0 to 1.0; 0.0 fully transparent, 1.0 fully opaque)
 * @throws IOException if either file cannot be read or the target cannot be decoded
 */
public final static void addWatermark(String srcImg, String waterImg, int x, int y, float alpha)
        throws IOException {
    // load the target image
    File file = new File(srcImg);
    String ext = srcImg.substring(srcImg.lastIndexOf(".") + 1);
    Image image = ImageIO.read(file);
    if (image == null) {
        throw new IOException("not a decodable image: " + srcImg);
    }
    int width = image.getWidth(null);
    int height = image.getHeight(null);
    // draw the target image into a fresh RGB buffer; only rendered pixels survive
    BufferedImage bufferedImage = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
    Graphics2D g = bufferedImage.createGraphics();
    g.drawImage(image, 0, 0, width, height, null);
    // load the watermark image
    Image waterImage = ImageIO.read(new File(waterImg));
    int width_1 = waterImage.getWidth(null);
    int height_1 = waterImage.getHeight(null);
    // set the transparency of the watermark
    g.setComposite(AlphaComposite.getInstance(AlphaComposite.SRC_ATOP, alpha));
    // set the position of the watermark, clamped inside the target
    int widthDiff = width - width_1;
    int heightDiff = height - height_1;
    if (x < 0) {
        x = widthDiff / 2;
    } else if (x > widthDiff) {
        x = widthDiff;
    }
    if (y < 0) {
        y = heightDiff / 2;
    } else if (y > heightDiff) {
        y = heightDiff;
    }
    // "paint" the watermark onto the target at the chosen position
    g.drawImage(waterImage, x, y, width_1, height_1, null);
    // release the graphics context
    g.dispose();
    // save the target image, overwriting the original file
    ImageIO.write(bufferedImage, ext, file);
}
```
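The decode check of point 3 and the rewrite step of this section, as an added example that is not part of the original post. The page's code is Java; this is standard-library Python so that it runs offline on constructed data. It shows the three behaviours the text relies on: a strict structural decode (chunk framing, CRCs, IHDR dimensions, IDAT size, nothing after IEND) rejects the PHP-with-PNG-signature file and the iframe-appended file; a lenient decode, which is how the page's isImage() sees the file, still reports a width and height for the appended one; and rewriting the image from its decoded scanlines removes both the appended payload and a payload hidden in a metadata chunk. It is deliberately limited to 8-bit RGB/RGBA non-interlaced PNGs; the 2x2 image, the iframe string and the PHP string are constructed samples.

```python
# Added example (not the page's code): strict PNG validation plus the
# "rewrite the image" sanitisation step, standard-library Python only.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width, height, rows, extra_chunks=()):
    """Build a minimal 8-bit RGB PNG from rows of (r, g, b) tuples (sample data)."""
    raw = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in rows)
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))]
    chunks += [_chunk(t, b) for t, b in extra_chunks]
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def parse_png(data):
    """Decode strictly: signature, chunk framing, CRCs, IHDR, IDAT size.
    Returns (width, height, color_type, scanlines, trailing_bytes) or raises."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad signature")
    pos, chunks = len(PNG_SIG), []
    while True:
        header = data[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated before IEND")
        length, ctype = struct.unpack(">I4s", header)
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")  # e.g. PHP text right after the signature
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in " + ctype.decode("latin-1"))
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("first chunk is not IHDR")
    width, height, depth, color_type, _, _, interlace = struct.unpack(">IIBBBBB", chunks[0][1])
    if width <= 0 or height <= 0:
        raise ValueError("non-positive dimensions")
    if depth != 8 or color_type not in (2, 6) or interlace != 0:
        raise ValueError("unsupported PNG variant")
    bpp = 3 if color_type == 2 else 4
    raw = zlib.decompress(b"".join(b for t, b in chunks if t == b"IDAT"))
    if len(raw) != height * (1 + width * bpp):  # one filter byte per scanline
        raise ValueError("IDAT size does not match IHDR dimensions")
    return width, height, color_type, raw, data[pos:]


def validate_png(data):
    """Strict accept/reject: must decode fully AND carry nothing after IEND."""
    try:
        width, height, _, _, trailing = parse_png(data)
    except (ValueError, zlib.error) as exc:
        return False, str(exc)
    if trailing:
        return False, "%d trailing bytes after IEND" % len(trailing)
    return True, "%dx%d" % (width, height)


def sanitize_png(data):
    """The page's rewrite idea: emit a fresh PNG from the decoded scanlines only,
    so ancillary chunks and anything after IEND cannot survive."""
    width, height, color_type, raw, _ = parse_png(data)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed samples (no real files): a 2x2 image and three tampered variants.
ROWS = [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (255, 255, 255)]]
PAYLOAD = b'<iframe src="http://example.invalid/"></iframe>'
CLEAN = build_png(2, 2, ROWS)
TAMPERED = CLEAN + PAYLOAD                                                # appended after IEND
WITH_TEXT = build_png(2, 2, ROWS, [(b"tEXt", b"Comment\x00" + PAYLOAD)])  # hidden in a chunk
POLYGLOT = PNG_SIG + b"<?php system($_GET['cmd']); ?>"                    # signature only

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("tampered", TAMPERED),
                       ("text-chunk", WITH_TEXT), ("polyglot", POLYGLOT)]:
        print(name, validate_png(blob))
    # A lenient decoder still reports 2x2 for the tampered file, which is what
    # the page's isImage() sees and why the rewrite step is needed.
    print("lenient decode of tampered:", parse_png(TAMPERED)[:2])
    print("payload survives rewrite:", PAYLOAD in sanitize_png(TAMPERED))
```

Two design points worth noting. Rejecting trailing bytes is a cheap extra check when the format has a definite end marker (IEND for PNG, FF D9 for JPEG), but it does not catch a payload stored inside a legitimate metadata chunk, which is why the text-chunk sample validates; only the rewrite removes that. And the rewrite here keeps the decoded scanlines byte for byte, as the Java watermark code keeps pixel values, so the pixels themselves are the one place a payload can still ride along.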
With the methods above you should be able to avoid the majority of security problems caused by images carrying malicious code. If you know of other approaches, please let me know.
How to check image format and image security with Java