PHP标题内容类型图像/ JPEG安全问题
[英]php header content-type image/jpeg security question
问题描述
Hi I was wondering if the following would pose any threats ? 
嗨,我想知道以下情况是否会构成威胁? The url is take from the browser checks if its a picture and output it otherwise display "image does not exist". 该网址是从浏览器获取的,检查其是否为图片并输出,否则显示“图片不存在”。 I haven't done the if statement yet. 我还没有完成if语句。 But should i put anymore header(); 但是我应该再放header();吗? settings before outputting or any other suggestions that could make it a bit more secure if I have missed any. 输出之前的设置或任何其他建议,如果我错过了任何建议,可能会使它更安全。
header('content-type: image/jpeg');
$file = urlencode('http://domain.com/images/file.jpg');
ob_start();
require_once($file);
$out = ob_get_contents();
ob_end_flush();
echo $out;
2 个解决方案
解决方案1
5 已采纳 2010-11-19 14:23:56
Yes it's a huge security risk, as you're asking PHP to interprete a remote file. 是的,这是一个巨大的安全风险,因为您正在要求PHP解释远程文件。 If a user may pass any URI to your script, he'll be able to make control of your server with ease. 如果用户可以将任何URI传递给您的脚本,则他将能够轻松控制您的服务器。
You should use the cURL functions or a simple file_get_contents (or fopen ) call, if the URL wrappers are available on your installation. 如果URL包装器在您的安装中可用,则应使用cURL函数或简单的file_get_contents (或fopen )调用。
解决方案2
2 2010-11-19 14:26:08
You definitely shouldn't be using require_once for that. 您绝对不应该为此使用require_once。
Use readfile() . 使用readfile() 。
header('content-type: image/jpeg');
$file = urlencode('http://domain.com/images/file.jpg');
readfile($file);
exit();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.