
Meteor security CollectionFS

I have a question. I declare a collection on both sides, client and server, like this:

Images = new FS.Collection("images", {
  stores: [imageStoreMongo],          // store defined elsewhere (not shown)
  filter: {
    maxSize: 1048576,                 // in bytes
    allow: {
      contentTypes: ['image/*'],
      extensions: ['png', 'jpg', 'jpeg', 'gif', 'svg']
    },
    onInvalid: function (message) {
      if (Meteor.isClient) {
        alert("Only png, jpg, gif or svg");
      } else {
        console.log(message);
      }
    }
  }
});

The question is: would the client be able to bypass the file size and type restrictions or not? It's a bit confusing since the code is shared by client and server.

The additional question is more CollectionFS-specific: what if I change the MIME type and the extension of a piece of malware to make it look like an image?

I haven't used CollectionFS, but a general security principle is to never trust the client. Validation on the client helps with usability, but you'll always want to validate on the server as well.

As for uploading malware with an image extension, that's more of a question for Security.SE:
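The following is an added example, not code from the question, the answer, or the CollectionFS project, showing what the "validate on the server as well" advice looks like in practice for the filter above: the server re-checks the size and the extension allowlist, and then inspects the file's leading bytes instead of trusting the client-declared extension or content type, which is what defeats a file renamed to look like an image. The names validateUpload, MAX_BYTES and SIGNATURES, and the idea of calling this on the server before a file is written to the store, are assumptions of this example; the sample inputs are constructed, not real uploads.

```javascript
// Added example, not from the page: framework-agnostic server-side upload check.
// Assumption: the server has the raw bytes (a Buffer) and the client-supplied
// file name; neither the name nor any client-declared content type is trusted.

const MAX_BYTES = 1048576; // 1 MiB, the same limit as the filter in the question

// Bytes a real file of each allowed binary type must start with.
// SVG is a text format, so it is checked separately below.
const SIGNATURES = {
  png:  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  jpg:  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  jpeg: { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  gif:  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
};

function startsWithBytes(buf, magic) {
  if (buf.length < magic.length) return false;
  return magic.every((b, i) => buf[i] === b);
}

// Returns { ok, detectedType } on success or { ok: false, reason } on rejection.
// The extension only decides what the bytes MUST look like; the bytes decide.
function validateUpload({ name, bytes }) {
  if (bytes.length > MAX_BYTES) {
    return { ok: false, reason: 'too large' };
  }
  const ext = (name.split('.').pop() || '').toLowerCase();

  if (ext === 'svg') {
    // Look at the first 256 bytes as text; a real SVG opens with <svg or an XML prolog.
    const head = bytes.subarray(0, 256).toString('utf8').trimStart();
    if (head.startsWith('<svg') || head.startsWith('<?xml')) {
      return { ok: true, detectedType: 'image/svg+xml' };
    }
    return { ok: false, reason: 'svg extension but not an svg document' };
  }

  const sig = SIGNATURES[ext];
  if (!sig) return { ok: false, reason: 'extension not allowed' };
  if (!startsWithBytes(bytes, sig.magic)) {
    return { ok: false, reason: `content does not match .${ext}` };
  }
  return { ok: true, detectedType: sig.mime };
}

// Constructed sample inputs (not real uploads) covering the cases from the question.
const samples = [
  // Genuine PNG header with a .png name: accepted.
  { name: 'photo.png', bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  // Non-image content renamed with a .jpg extension: rejected by the byte check.
  { name: 'invoice.jpg', bytes: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) },
  // Real SVG document: accepted.
  { name: 'icon.svg', bytes: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>') },
  // HTML text with a .gif extension: rejected.
  { name: 'page.gif', bytes: Buffer.from('<html><body>x</body></html>') },
];

function runSamples() {
  return samples.map((s) => ({ name: s.name, result: validateUpload(s) }));
}

for (const r of runSamples()) {
  console.log(r.name, JSON.stringify(r.result));
}
```

The client-side filter in the question remains useful for immediate feedback, but only this server-side check is authoritative: a client can send any name, content type or size it likes, so the server must re-derive all three from the bytes it actually received.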
