Some time ago a tester reported a Flash XSS bug. After analysis it turned out that any program that uses Loader.loadBytes without validating the format of the data stream is affected. The self-test needs only one line of code:
ExternalInterface.call('alert', 'msg from flash');
After compiling it, change the file suffix to jpg, png or another image format and pick it with the first image-upload method on the Sina Weibo website ......
Although users generally do not upload images of unknown origin, it is still interesting to ask how to prevent this. The file format reported by the FileReference type property is very primitive: it is actually derived from the file suffix, so it obviously falls apart as soon as the suffix is changed ......
The solution is to read the real format data from the data stream itself. Looking at the file streams of various images with winHex, the variable-length file header (24 to 64 bits of binary data) is the block that identifies the file format, so a ByteArray can be used to read that part of the data and determine the format. Since the set of image formats to be identified is fixed, the first 24 bits (three bytes) of binary data are enough to tell them apart.
Code:
import flash.display.Loader;
import flash.events.Event;
import flash.events.MouseEvent;
import flash.net.FileFilter;
import flash.net.FileReference;
import flash.utils.ByteArray;

var file:FileReference = new FileReference();
var fileFilter:FileFilter = new FileFilter('image file (*.jpg,*.jpeg,*.gif,*.png,*.bmp)', '*.jpg;*.jpeg;*.gif;*.png;*.bmp');

stage.addEventListener(MouseEvent.CLICK, function(evt:MouseEvent):void {
    file.browse([fileFilter]);
});

file.addEventListener(Event.SELECT, function(evt:Event):void {
    file.addEventListener(Event.COMPLETE, onLoadCpl);
    file.load();
});

function onLoadCpl(evt:Event):void {
    file.removeEventListener(Event.COMPLETE, onLoadCpl);
    var byteArray:ByteArray = evt.target.data as ByteArray;

    // Read the first three bytes of the stream as a zero-padded hex string.
    // toString(16) on its own drops leading zeros (0x0a becomes "a"), so pad each byte.
    var fileTypeHex:String = '';
    for (var i:int = 0; i < 3; i++) {
        var hex:String = byteArray.readUnsignedByte().toString(16);
        fileTypeHex += (hex.length < 2 ? '0' + hex : hex);
    }
    byteArray.position = 0; // rewind: the reads above advanced the position
    trace(fileTypeHex);

    // Magic numbers: jpg/jpeg FF D8 FF, png 89 50 4E, gif 47 49 46 ("GIF"), bmp 42 4D ("BM", only two bytes)
    if (fileTypeHex == 'ffd8ff' || fileTypeHex == '89504e' || fileTypeHex == '474946'
        || fileTypeHex.substr(0, 4) == '424d') {
        loadByte(byteArray);
    } else {
        trace('file format incorrect');
    }
}

function loadByte(byteArray:ByteArray):void {
    var loader:Loader = new Loader();
    // loader.contentLoaderInfo.addEventListener(Event.COMPLETE, function(e:Event):void {});
    loader.loadBytes(byteArray); // load the image from the validated bytes
}
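The same header check, written here in Python as an added example rather than code from the original post, so it can be run against constructed inputs. It generalises the three-byte comparison above to signatures of different lengths (BMP's "BM" is only two bytes, PNG's is eight) and separately recognises the SWF signatures (FWS, CWS, ZWS) that a renamed Flash file would carry, which is useful for logging such uploads. All sample blobs are constructed; the function and names are this example's own.

```python
from typing import Optional, Tuple

# Magic numbers of the image formats the upload filter accepts.
IMAGE_SIGNATURES = {
    "jpg": b"\xff\xd8\xff",          # FF D8 FF
    "png": b"\x89PNG\r\n\x1a\n",     # 89 50 4E 47 0D 0A 1A 0A
    "gif": b"GIF8",                  # 47 49 46 38 ("GIF87a" / "GIF89a")
    "bmp": b"BM",                    # 42 4D
}

# Signatures of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image format implied by the leading bytes, or None."""
    for name, sig in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def is_swf(data: bytes) -> bool:
    return any(data.startswith(sig) for sig in SWF_SIGNATURES)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide from the bytes only; the filename is reported but never trusted."""
    if is_swf(data):
        return False, f"{filename}: SWF header {data[:3]!r} disguised as an image"
    kind = sniff_image_type(data)
    if kind is None:
        return False, f"{filename}: unrecognised header {data[:4].hex() or '<empty>'}"
    return True, f"{filename}: {kind}"


# Constructed samples: genuine headers followed by filler, plus a renamed SWF.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    "scan.bmp": b"BM\x36\x00\x00\x00" + b"\x00" * 16,
    "evil.jpg": b"CWS\x0a" + b"\x00" * 16,   # compiled SWF renamed to .jpg
    "empty.png": b"",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        accepted, reason = check_upload(name, blob)
        print("ACCEPT" if accepted else "REJECT", reason)
```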
Compare against the file header bytes read with winHex for jpg & jpeg, png, gif and bmp (hex-dump screenshots for each format):
Completely consistent. Success!