如何辨别某人伪造文件类型？ （PHP）

Question

I'm programming something that allows users to store documents and pictures on a webserver, to be stored and retrieved later. When users upload files to my server, PHP tells me what filetype it is based on the extension. However, I'm afraid that users could rename a zip file as somezipfile.png and store it, thus keeping a zip file on my server. Is there any reasonable way to open an uploaded file and "check" to see if it truly is of the said filetype?

Answer 1

Magic number . If you can read first few bytes of a binary file you can know what kind of file it is.

Answer 2

查看PHP的FileInfo PECL扩展，它可以为您执行MIME魔术查找。

Answer 3

Sort of. Most file types have some bytes reserved for marking them so that you don't have to rely on the extension. The site http://wotsit.org is a great resource for finding this out for a particular type.

If you are on a unix system, I believe that the file command doesn't rely on the extension, so you could shell out to it if you don't want to write the byte checking code.

For PNG ( http://www.w3.org/TR/PNG-Rationale.html )

The first eight bytes of a PNG file always contain the following values:

(decimal) 137 80 78 71 13 10 26 10

(hexadecimal) 89 50 4e 47 0d 0a 1a 0a

(ASCII C notation) \\211 PNG \\r \\n \\032 \\n

Answer 4

许多文件类型在文件的开头都有“ 魔术数字 ”来识别它们。您可以从文件的前面读取一些字节，并将它们与已知幻数列表进行比较。

Answer 5

If you are only dealing with images, then getimagesize() should distinguish a valid image from a fake one.

$ php -r 'var_dump(getimagesize("b&n.jpg"));'
array(7) {
  [0]=>
  int(200)
  [1]=>
  int(200)
  [2]=>
  int(2)
  [3]=>
  string(24) "width="200" height="200""
  ["bits"]=>
  int(8)
  ["channels"]=>
  int(3)
  ["mime"]=>
  string(10) "image/jpeg"
}

$ php -r 'var_dump(getimagesize("/etc/passwd"));'
bool(false)

A false value from getimagesize is not an image.

Answer 6

在unix系统上，从'file'命令捕获输出应该提供足够的信息。

Answer 7

有关如何在PHP中快速完成此操作的确切答案，请查看以下问题： 如何使用php查找文件的mime类型？

Answer 8

As a side note I ran into a similar problem where I had to do my own type checking. The front end interface to my application was done in flash. The files were being passed through flash to a php script. When I was attempting to do a MIME type check using php the type always returned was application/octetstream because it was coming from flash.

I had to implement a magic numbers type paradigm. I simply created an xml file that held the file type along with some defining patterns found within the beginning of the file. Once the file reached the server I did some pattern matching with the xml file and then accepted or rejected the file. I didn't noticed any real performance decrease either which I was expecting.

This is just a side note to anyone who may be using flash as there front end and trying to type check the file once it is uploaded.

Answer 9

As well as identifying the filetype, you might want to watch out for files with other files embedded or appended to them. This will unfortunately require a more indepth analysis of the file contents than just using "magic numbers".

For example, http://quantumrook.wordpress.com/2007/06/06/hide-a-rar-file-in-a-jpg-file/ (this particular type of data hiding can be easily worked around by loading and resaving into a new file the actual image data .. others will be more difficult.)