我目前正在为上传图片写上传类。我做了扩展检查,以确认上传的图像是支持的类型,并且当上传的文件被复制到其休息的地方时,照片始终是chmod(0664)。这是相对安全的吗?我对图像编码知之甚少,但即使有人经历了以某种方式欺骗我的扩展检查的麻烦,该文件也永远无法在服务器上运行,除非其他地方存在安全漏洞,并且攻击者已经加入我的文件系统,对吗?这里是我的扩展检查:文件上传和安全
function validate_ext() { //Function validates that the files extension matches the list of allowed extensions
$extension = $this->get_ext($this->theFile);
$ext_array = $this->extensions;
if (in_array($extension, $ext_array)) { //Check if file's ext is in the list of allowed exts
return true;
echo "ext found";
} else {
$this->error[] = "That file type is not supported. The supported file types are: ".$this->extString;
return false;
}
}
而这里的功能是将上传的文件复制到它的最后安息的地方。
if ($_FILES[$this->uploadName]['error'] === UPLOAD_ERR_OK){
$newfile = $this->uploadDir.$this->theFile;
if (!move_uploaded_file($this->tempFile, $newfile)) {
$this->error[] = "The file could not be moved to the new directory. Check permissions and folder paths.";
die($this->error_text());
}else{
$this->error[] = "The file ".$this->originalName." was successfully uploaded.";
if ($this->renameFile == true){
$this->error[] = $this->originalName." was renamed to ".$this->theFile;
}
chmod($newfile , $this->fileperm);
}
}else{
$this->error[] = $this->file_upload_error_message($_FILES[$this->uploadName]['error']);
die($this->error_text());
}
要真正确定什么都不会以某种方式执行,只需在它周围构建一个包装脚本。包装脚本应该做一个头(“Content-type:$ mime_type”)并将文件内容转储到标准输出。要确定MIME类型,请查看fileinfo pecl扩展名(http://us3.php.net/manual/en/ref.fileinfo.php)。 – Friek