问题描述
我在Internet上找到了以下代码,用于在php中安全上传图片.
I have found following code on internet for secure image upload in php.
我想知道它涵盖了图像上传中所有可能的攻击方式.
I want to know it covers all possible way of attacks in image uploading.
define('MAX_SIZE_EXCEDED', 101);
define('UPLOAD_FAILED', 102);
define('NO_UPLOAD', 103);
define('NOT_IMAGE', 104);
define('INVALID_IMAGE', 105);
define('NONEXISTANT_PATH', 106);
class ImgUploader
{
var $tmp_name;
var $name;
var $size;
var $type;
var $error;
var $width_orig;
var $height_orig;
var $num_type;
var $errorCode = 0;
var $allow_types = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
function __construct($fileArray)
{
foreach($fileArray as $key => $value)
{
$this->$key = $value;
}
if($this->error > 0)
{
switch ($this->error)
{
case 1: $this->errorCode = MAX_SIZE_EXCEDED; break;
case 2: $this->errorCode = MAX_SIZE_EXCEDED; break;
case 3: $this->errorCode = UPLOAD_FAILED; break;
case 4: $this->errorCode = NO_UPLOAD; break;
}
}
if($this->errorCode == 0)
{
$this->secure();
}
}
function secure()
{
//$this->num_type = exif_imagetype($this->tmp_name);
@list($this->width_orig, $this->height_orig, $this->num_type) = getimagesize($this->tmp_name);
if(filesize($this->tmp_name) > 1024*1024*1024*5) // allows for five megabytes. Change this number if need be.
{
$this->errorCode = MAX_SIZE_EXCEDED;
return false;
}
if (!$this->num_type)
{
$this->errorCode = NOT_IMAGE;
return false;
}
if(!in_array($this->num_type, $this->allow_types))
{
$this->errorCode = INVALID_IMAGE;
return false;
}
}
function getError()
{
return $this->errorCode;
}
function upload_unscaled($folder, $name)
{
return $this->upload($folder, $name, "0", "0");
}
function upload($folder, $name, $width, $height, $scaleUp = false)
{
// $folder is location to be saved
// $name is name of file, without file extention
// $width is desired max width
// $height is desired max height
if($this->errorCode > 0)
return false;
// deal with sizing
// if image is small enough to not scale, or upload_unscaled() is called, don't scale
if((!$scaleUp && ($width > $this->width_orig && $height > $this->height_orig)) || ($width === "0" && $height === "0"))
{
$width = $this->width_orig;
$height = $this->height_orig;
}
else
{
// if height diff is less than width dif, calc height
if(($this->height_orig - $height) <= ($this->width_orig - $width))
$height = ($width / $this->width_orig) * $this->height_orig;
else
$width = ($height / $this->height_orig) * $this->width_orig;
}
// Resample
switch($this->num_type)
{
case IMAGETYPE_GIF: $image_o = imagecreatefromgif($this->tmp_name); $ext = '.gif'; break;
case IMAGETYPE_JPEG: $image_o = imagecreatefromjpeg($this->tmp_name); $ext = '.jpg'; break;
case IMAGETYPE_PNG: $image_o = imagecreatefrompng($this->tmp_name); $ext = '.png'; break;
}
$filepath = $folder.(substr($folder,-1) != '/' ? '/' : '');
if(is_dir($_SERVER['DOCUMENT_ROOT'].$filepath))
$filepath .= $name.$ext;
else
{
$this->errorCode = NONEXISTANT_PATH;
imagedestroy($image_o);
return false;
}
$image_r = imagecreatetruecolor($width, $height);
imagecopyresampled($image_r, $image_o, 0, 0, 0, 0, $width, $height, $this->width_orig, $this->height_orig);
switch($this->num_type)
{
case IMAGETYPE_GIF: imagegif($image_r, $_SERVER['DOCUMENT_ROOT'].$filepath); break;
case IMAGETYPE_JPEG: imagejpeg($image_r, $_SERVER['DOCUMENT_ROOT'].$filepath); break;
case IMAGETYPE_PNG: imagepng($image_r, $_SERVER['DOCUMENT_ROOT'].$filepath); break;
}
imagedestroy($image_o);
imagedestroy($image_r);
return '/'.$filepath;
}
}
我还在"images"文件夹中存储了一个.htaccess文件,该文件关闭了文件脚本,因此没有人可以在photos文件夹中执行脚本.
I also have a .htaccess file stored in the "images" folder which turns off file scripts, so no one can execute scripts in the photos folder.
<Files ^(*.jpg)>
order deny,allow
deny from all
</Files>
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
出于安全原因,这已经足够了,或者我必须采取其他措施来保护我的代码和网站.
does this enough for security reason, or i have to take some other steps to secure my code and website.
推荐答案
我要说的第一件事是使用Apache的 mod_mime 检查文件类型,否则我可以发送说我是JPEG文件!的HTTP请求,您只需信任文件扩展名,例如是的!您具有.jpg扩展名,但实际上,我可以注入PHP源代码而不是JPEG数据,然后我可以在您的服务器上执行PHP源代码.
The first thing I'd say is to check the file types with Apache's mod_mime, otherwise I can send a HTTP request which says I'm a JPEG file! and you simply trust the file extension like Yeap! you have .jpg extension, but in reality I can inject the PHP source code instead of JPEG data, and later I can execute the PHP source code on your server.
另一件事是始终强制Apache不运行任何这些图像类型.您可以使用 ForceType 指令来做到这一点.
The other thing is to always force the Apache to NOT run any of those image types. You can do that with ForceType Directives.
<FilesMatch "(?i)\.jpe?g$">
ForceType image/jpeg
</FilesMatch>
我没有看到底线.关闭文件脚本绝对有帮助.
I didn't see the bottom lines. Turning off file scripts will absolutely helps.
这篇关于使用php和htaccess上传图像的安全方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!