“图像”规则是否足够安全?
[英]Is 'image' rule secure enough?
问题描述
So I'm trying to create a upload profile picture for my website... And I'm wondering if the image rule is secure enough in Laravel. 
因此,我试图为我的网站创建一个上传个人资料图片,而且我想知道image规则在Laravel中是否足够安全。
Consider the following code: 考虑以下代码:
input = [
'profile_picture' => Input::file('profile_picture'),
];
$rules = ['profile_picture' => 'required|image'];
$validator = Validator::make($input, $rules);
if ($validator->fails()) {
return 'It\'s not an image!';
}
Pretty simple, The thing I want you to focus on is the image rule in the rules array. 非常简单,我要让您关注的是rules数组中的image规则。
It seems like Laravel validates image by their MIME type. Laravel似乎通过其MIME类型来验证图像。 As we know, It can be edited from the client and then send to the server by using something like Tamper Data or Burp Proxy. 众所周知,可以从客户端进行编辑,然后使用篡改数据或Burp代理之类的内容将其发送到服务器。
And you say how do you know It validates image by their MIME type? 您说如何知道它通过其MIME类型验证图像? Well... Take a look at this code below, This is the Validator.php class that Laravel uses for validation. 好吧...看下面的这段代码,这是Laravel用于验证的Validator.php类。 It contains every rule I think. 它包含了我认为的每条规则。 And to be specific, This is the validateImage function, Which is the image rule. 具体来说,这是validateImage函数,这是image规则。
Validator/validateImage(): 验证器/ validateImage():
/**
* Validate the MIME type of a file is an image MIME type.
*
* @param string $attribute
* @param mixed $value
* @return bool
*/
protected function validateImage($attribute, $value)
{
return $this->validateMimes($attribute, $value, array('jpeg', 'png', 'gif', 'bmp'));
}
As the Doc-block says, It validates it by their MIME type. 就像Doc-block所说的那样,它通过其MIME类型对其进行验证。
So is it secure enough? 这样足够安全吗? Any questions are welcome! 任何问题都欢迎!
2 个解决方案
解决方案1
2 已采纳 2015-02-21 14:19:23
No it's not secure. 不,这是不安全的。 At least you can't be sure if it is a real image as the MIME type can be manipulated. 至少您不能确定它是否是真实图像,因为可以操纵MIME类型。 What usually helps is to use getimagesize() which will return false if the file is not an image. 通常有帮助的是使用getimagesize() ,如果文件不是图像,它将返回false 。 So you could extend the validator with this rule: 因此,您可以使用以下规则扩展验证器:
Validator::extend('real_image', function($attribute, $value, $parameters){
if($value instanceof Symfony\Component\HttpFoundation\File\UploadedFile){
if(getimagesize($value->getRealPath() !== false){
return true;
}
}
return false;
}
And add that to your validation rules: 并将其添加到您的验证规则:
$rules = ['profile_picture' => 'required|image|real_image'];
解决方案2
0 2015-02-21 13:35:48
To answer your question We can't say anything as secured or not. 回答您的问题我们不能说有把握的事情。
But Yes Laravel validates image only few format which you specified . 但是是, Laravel仅验证您指定的几种格式的图像 。 It is also mentioned here . 这里也提到了 。
If you think it is a basic validation, then you shall use the third party package like this which validates image by aspect ratio (Which only a real image can have it) 如果您认为这是基本验证,则应使用像这样的第三方程序包, 该程序包通过长宽比验证图像(只有真实的图像可以使用)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.