简体繁体 English

信任文件上传中的“内容类型”

[英]Trusting “Content-Type” on File Uploads

原文 2015-12-28 20:59:11 8 3 java/ rest/ file-upload/ multipartform-data

If I'm supporting the upload of content (mostly images and video) by my REST API's users, is it safe to trust the Content-Type they declare in (multipart) uploads? 如果我支持REST API用户上传内容（主要是图片和视频），那么信任他们在（多部分）上传中声明的Content-Type是否安全？ Or should I, instead, run some kind of "media type detection" on the content (using, for example, Apache Tika) to ensure that the declared media type corresponds to the detected, actual one? 或者，我应该在内容上运行某种“媒体类型检测”（例如，使用Apache Tika）以确保声明的媒体类型与检测到的实际媒体类型相对应？ Am I being over-zealous by introducing this media type detection step? 通过介绍这种媒体类型检测步骤，我是否过度热心？

3 个解决方案

Never trust the input which you get from the user. 永远不要相信您从用户那里得到的输入。 Always run a check in your server side code be it type of file, size of file, etc. Use the REST API or Javascript to make the experience of the user smoother and faster. 始终检查服务器端代码，包括文件类型，文件大小等。使用REST API或Javascript可以使用户的体验更流畅，更快捷。

You certainly shouldn't blindly trust the Content-type header, or any other header. 您当然不应该盲目信任Content-type标头或任何其他标头。 These things should be used to inform your decisions about how to process the request. 应该使用这些东西来告知您有关如何处理请求的决定。 So, Content-type: application/json should allow you to interpret the message body as a json object - that sort of request might then be passed to a JSON deserialiser to bind it to an object. 因此， Content-type: application/json应该允许您将消息体解释为json对象 - 然后可以将这种请求传递给JSON反序列化器以将其绑定到对象。

It would be wrong to ignore the Content-type header just because the request body contains data which looks like something else. 忽略Content-type标头是错误的，因为请求主体包含看起来像其他东西的数据。 If the request is internally inconsistent then it should be rejected. 如果请求内部不一致，则应拒绝该请求。 It's one thing not to send a Content-type header but quite another for the header to be wrong . 发送Content-type标题是一回事，但标题错误则是另一回事。

So, the only situation where you might want to use some sort of automatic detection should be where you have no reasonable information about the content - either Content-Type is very generic (such as " / ") or not present at all. 因此，您可能希望使用某种自动检测的唯一情况应该是您没有关于内容的合理信息 - Content-Type非常通用（例如“ / ”）或根本不存在。 In that situation it's worth deciding whether some kind of autodetection is possible or valuable. 在那种情况下，值得决定某种自动检测是否可能或有价值。

You should definitely reject all the requests that are missing Content-Type header (and Content-Length as well) or have it set incorrectly. 您绝对应该拒绝所有缺少Content-Type标头的请求（以及Content-Length ）或者设置不正确。

It's definitely not about being over-zealous, rather about securing the system. 这绝对不是要过度热心，而是要保护系统。 If you have suspicions about the content just check it. 如果您对内容有疑问，请检查一下。 But remember to validate the size before checking the content. 但请记住在检查内容之前验证大小。 If you have a proxy server (eg nginx) it has appropriate modules to reject requests that are too big. 如果你有一个代理服务器（例如nginx），它有适当的模块来拒绝太大的请求。