User uploads a.jpg file, the file content is actually PHP code, will there be security issues? If so, how to prevent?
Reply content:
User uploads a.jpg file, the file content is actually PHP code, will there be security issues? If so, how to prevent?
Set MimeType
There is a risk that judging the file header is not complete. You can see
http://zone.wooyun.org/content/5429
You need to disallow execution of this code on the server side. Simply put, no matter what his extension is, anyway, this directory is static, don't throw things like CGI.
If you are a virtual hosting environment, you may be faced with an issue where the host environment cannot be configured in depth.
If you want to rest assured, I suggest that these users upload static files, hosted on the cloud, seven Qiniu and other external CDN server up.
It's not possible (and not caring) to have a security problem with PHP being accidentally executed. For the virtual host to run up a small station, the cost is not much or even nearly free.
10-23 add: A good way to think of a positive breakthrough.
After the user uploads, it is stored as any security extension (example: raw, Bin, etc.). When a call is needed, a PHP script is used as the intermediate layer to pass the file contents (read the file name of the request, locate the file, write the mime of the image file type to the HTTP header, and the actual contents of the picture file to the HTTP text).
For example: http://example.com/attach.php?id=13776
.
You can also use a more elegant syntax:http://example.com/attach.php/13776.jpg
or http://example.com/attach.php/13776
;
Even use rewrite to implement similar http://example.com/attach/13776
URLs.
This will receive several benefits:
- Absolutely safe. All malicious code is absolutely non-executable and is returned to the browser as HTTP, giving the attacker a knocked.
- URLs are obvious, and the rest principle is that outsiders cannot guess the program's directory structure from a URL.
- Through PHP, it is convenient to realize authentication, anti-theft chain and other practical functions.
- Maintain URL constancy, whether the program directory structure changes, or static files will be hosted on the CDN, the URLs will remain unchanged.
As far as I know there was a loophole, if the directory name is a.php
then a.jpg in the directory will be implemented as PHP.
Direct chip processing, GD or Imagick, etc., save again
Verify with the graphics library. Not pictures do not let upload.
When Nginx is paired with php-cgi, it is possible to prevent the path resolution problem. The controversial issue of the year was cgi.fix_pathinfo. In addition, when Nginx is in reverse mode. MimeType set the right, there should be no problem.
If it is nginx can be considered to distinguish between JPG and PHP folder, even if uploading a JPG but the path is not executed 0.0
chmod 0444 a.jpg
Prohibit file execution
The GD library gets a piece of the length-width size that is blocked for 0.
Very simple, detect the file header, if it is not the specified type is deleted.
The following is a sample code excerpt from the network.
摘自:http://justcoding.iteye.com/blog/891241