
How can PHP's finfo::buffer be spoofed?

When handling uploaded files $_FILES['foo']['type'] is not at all reliable. I've found if you change the extension on OS X the 'type' is changed automatically.

Instead consider:

// Sniff the MIME type from the file's bytes rather than trusting the client-supplied type
$fileInfo = new \finfo(FILEINFO_MIME);
$mimeType = $fileInfo->buffer(file_get_contents($_FILES['foo']['tmp_name']));
// FILEINFO_MIME yields "type/subtype; charset=..."; keep only the type part
$mimeType = explode(';', $mimeType)[0];

Now, if I rename a PHP script to .jpg and upload it (on OS X 10.10) $_FILES['foo']['type'] = image/jpeg and $mimeType = text/x-php .

The file type can easily be changed but how can PHP's finfo::buffer be spoofed? What is the difference between what PHP checked for $_FILES['foo']['type'] and finfo(FILEINFO_MIME) ?
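The contrast the question describes can be reproduced without a real upload. The following is an added example, not code from the question or the answers: it runs finfo::buffer over a few byte strings constructed in memory (a PHP script, the same bytes under a .jpg name, a minimal JPEG header, and an HTML document) next to the Content-Type a browser would typically declare from the extension alone. The exact strings finfo returns depend on the libmagic database installed on your system; the declared types are assumed values for illustration.

```php
<?php
// Added example (not from the original post): finfo classifies the bytes it is
// given and never sees the file name, whereas $_FILES['foo']['type'] is simply
// whatever the client declared. All inputs are constructed here so this runs
// offline with no actual upload.

/**
 * Run content sniffing over a map of name => bytes.
 * Returns name => detected MIME type.
 */
function sniffAll(array $samples): array
{
    // FILEINFO_MIME_TYPE gives "image/jpeg" without the "; charset=..." suffix
    // that FILEINFO_MIME (used in the question) appends.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $out = [];
    foreach ($samples as $name => $bytes) {
        $out[$name] = $finfo->buffer($bytes);
    }
    return $out;
}

// Constructed samples. The JPEG is only an SOI marker plus a JFIF APP0 segment,
// enough for libmagic to recognise it; it is not a viewable image.
$samples = [
    'script.php' => "<?php echo 'hi'; ?>\n",
    'script.jpg' => "<?php echo 'hi'; ?>\n",   // identical bytes, different name
    'photo.jpg'  => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    'page.html'  => "<!DOCTYPE html>\n<html><body>hello</body></html>\n",
];

// What a browser would typically send as the part's Content-Type, guessed from
// the extension (assumed values, not captured from a real browser).
$declaredByClient = [
    'script.php' => 'application/octet-stream',
    'script.jpg' => 'image/jpeg',
    'photo.jpg'  => 'image/jpeg',
    'page.html'  => 'text/html',
];

foreach (sniffAll($samples) as $name => $detected) {
    printf("%-11s client says %-24s finfo says %s\n",
        $name, $declaredByClient[$name], $detected);
}
```

The two script samples get the same verdict from finfo regardless of name, which is exactly why the renamed script in the question still shows up as text/x-php. Note that FILEINFO_MIME_TYPE avoids the explode(';', ...) step entirely.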

PHP doesn't check anything in the $_FILES type; when uploading a file, the sending browser is sending meta data of what it thinks the file type is. $_FILES['file']['type'] simply reflects this value uploaded by the browser. Obviously, anyone can spoof this at will.

Finfo uses the magic database, which is simply a collection of identifying characteristics of file types. I.e., all JPEG files have a characteristic header, all ZIP files start a certain way, this file type has this number of leading bytes, that file type has those kinds of trailing bytes etc. etc. This is harder to spoof, if you actually want to produce a valid file of a certain type, but by no means impossible.

$_FILES gets its type from the Content-Type header of the mime part that contains the file. That part is created by whatever sends the file, usually a browser which will guess the type based on the file extension.

The fileinfo extension, on the other hand, relies on the magic_open library. If I remember correctly, magic_open will check multiple attributes of the file, including file headers to determine the mimetype. Try embedding php in an html file. I believe, since the file header is <!DOCTYPE html> it will determine text/html is the mime type.
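Both answers make the same point: content sniffing is better than the client-declared type, but the magic database only matches identifying bytes, so a file built to satisfy them still passes. The practical consequence is that finfo should be one gate among several. The following is an added example, not code from the answers or from the fileinfo extension: an upload validator that allowlists detected types, requires the extension to agree with the sniffed type, requires images to actually decode, and re-encodes them through GD before storing under a server-chosen name. It assumes the GD extension is installed and that the destination directory is outside the web root.

```php
<?php
// Added example (not from the original post): finfo is treated as one signal,
// combined with an allowlist, extension agreement and image re-encoding, since
// magic matching alone can be satisfied by a crafted file.

final class UploadValidator
{
    // Allowlist: detected MIME type => permitted extensions. Anything not listed
    // is rejected, which covers server-side executable types such as text/x-php.
    private const ALLOWED = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
    ];

    /**
     * $tmpPath is the server-side temporary file; $clientName is the untrusted
     * name from $_FILES, used only to read the extension. Returns the detected
     * MIME type or throws.
     */
    public static function validate(string $tmpPath, string $clientName): string
    {
        $bytes = file_get_contents($tmpPath);
        if ($bytes === false || $bytes === '') {
            throw new RuntimeException('Empty or unreadable upload');
        }

        // 1. Content-based detection; $_FILES['foo']['type'] is never consulted.
        $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
        if (!isset(self::ALLOWED[$detected])) {
            throw new RuntimeException("Rejected type: $detected");
        }

        // 2. Extension must agree with the detected type, so a script renamed
        //    to .jpg and an image renamed to .php are both refused.
        $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED[$detected], true)) {
            throw new RuntimeException("Extension .$ext does not match $detected");
        }

        // 3. A matching header is not enough: the image must decode as a whole.
        if (@getimagesizefromstring($bytes) === false) {
            throw new RuntimeException('Header matched but image does not decode');
        }

        return $detected;
    }

    /**
     * Re-encode through GD and write under a random server-chosen name.
     * Re-encoding keeps only the pixel data, so any bytes that are not part of
     * the image are not carried into the stored file. Returns the new path.
     */
    public static function store(string $tmpPath, string $detected, string $dir): string
    {
        $img = imagecreatefromstring(file_get_contents($tmpPath));
        if ($img === false) {
            throw new RuntimeException('GD could not decode image');
        }
        $ext  = self::ALLOWED[$detected][0];
        $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        $ok   = $detected === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
        imagedestroy($img);
        if (!$ok) {
            throw new RuntimeException('Could not write re-encoded image');
        }
        return $dest;
    }
}

// Usage in an upload handler (the directory is assumed to be outside the web root):
// $type = UploadValidator::validate($_FILES['foo']['tmp_name'], $_FILES['foo']['name']);
// $path = UploadValidator::store($_FILES['foo']['tmp_name'], $type, '/var/app/uploads');
```

The re-encoding step is what actually addresses the "harder but not impossible" caveat: even if a file carries a convincing JPEG header, only what GD decodes reaches disk, and the random name means the original extension never influences how the web server treats the stored file.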


 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM