Remote image embedding: how to handle images that require authentication?

Question
I manage a large and active forum and we're being plagued by a very serious problem. We allow users to embed remote images, much like how Stack Overflow handles images (imgur); however, we don't have a specific set of hosts, so images can be embedded from any host with the following code:
[img]http://randomsource.org/image.png[/img]
and this works fine and dandy... except users can embed an image that requires authentication. The image causes a pop-up to appear, and because authentication pop-ups can be edited, they put something like "please enter your [sitename] username and password here", and unfortunately our users have been falling for it.
What is the correct response to this? I have been considering the following:
- Each page load has a piece of JavaScript execute that checks each image on the page and its status
- Have a whitelist of authorized image hosts
- Disable remote embedding entirely
The problem is I've NEVER seen this happen anywhere else, yet we're plagued with it. How do we prevent this?
Answer
It's more than the password problem. You are also allowing some of your users to carry out CSRF attacks against other users. For example, a user can set up his profile image as [img]http://my-active-forum.com/some-dangerous-operation?with-some-parameters[/img].
The best solution is to:
- Download the image server-side and store it on the filesystem / in the database. Keep a sane maximum file size, otherwise an attacker can make you download GBs of data onto your server and hog network and disk resources.
- Optionally, verify that the file is actually an image.
- Serve the image from a throwaway domain name or IP address. It is possible to craft a jar or applet that masquerades as an image; serving all such files from a throwaway domain protects you from that kind of malicious activity.
If you cannot download the images on the server side, create a whitelist of allowed URL patterns (not just domains) on the server side. Discard any URLs that don't match these URL patterns.
You MUST NOT perform any checks in JavaScript. Performing checks in JS solves your immediate problem, but does not protect you from CSRF. You are still making a request to an attacker-controlled URL from your users' browsers, and that is risky. Besides, the performance impact of that approach is prohibitive.