问题描述
我试图通过检查mime类型来允许在我们的应用程序中安全地上传网络字体.这适用于我们允许的大多数文件类型,但这是网络字体的问题.
I'm trying to allow safe upload of web fonts in our application, by checking against mime types. This works for most types of files we allow, but it's a problem for web fonts.
我们使用PHP的 http://php.net/manual检查mime类型/en/book.fileinfo.php
问题是php会将所有网络字体检测为mime"application/octet-stream",但允许这样做,将允许.exe或许多其他可能危险的文件上传.
The problem is that php will detect all web fonts as mime "application/octet-stream", but allowing that, would allow .exe or many other possibly dangerous file uploads.
处理此类文件的最佳方法是什么?
What is the best way to handle upload of this kind of files?
推荐答案
找到一个包含有关字体格式信息的魔术文件,并将其传递给finfo_open()
.
Find a magic file that contains info about the font formats, and pass that to finfo_open()
.
这篇关于安全地允许通过MIME TYPES/fil上传网络字体(ttf,eot,svg,woff,otf)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!