堆栈内存溢出
  简体   繁体   English

Plupload-对安全性的怀疑

[英]Plupload - doubts about security

 原文  2012-08-14 08:12:19       php/ javascript/ security/ file-upload/ plupload

问题描述

http://www.plupload.com - " Allows you to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads. " This is the uploader used in current WordPress v3.4.1 and the best one out there in my opinion. http : //www.plupload.com-允许您使用HTML5 Gears,Silverlight,Flash,BrowserPlus或常规形式上传文件,并提供一些独特的功能,例如上传进度,图像大小调整和分块上传。 ”这是使用的上传器在目前的WordPress v3.4.1中,我认为是最好的。

It comes with upload.php file (full file: http://ideone.com/xbPUS ). 它带有upload.php文件(完整文件: http ://ideone.com/xbPUS)。

I have doubts about its security: When I have upload.php on my server and even if I don't setup any Javascript for Plupload anyone is still able to relatively easy send request to upload.php file and upload anything, anytime... TRUE OR FALSE? 我对其安全性表示怀疑:当我在服务器上安装了upload.php时,即使没有为Plupload设置任何Javascript,任何人仍然可以相对轻松地随时发送请求以上传upload.php文件并上传任何内容...对或错?

How do I prevent that? 我该如何预防?

2 个解决方案

解决方案1
 5 已采纳  2012-08-14 08:19:18

It's not a security issue. 这不是安全问题。 Across the internet you can try to upload anything you want to servers (addresses) that support POST method. 您可以尝试在Internet上将所需的任何内容上传到支持POST方法的服务器(地址)。 It's up to server-side software to accept or reject such upload - it's always been this way. 由服务器端软件决定是否接受此类上传-一直都是这种方式。 Of course there can be some restrictions put onto who uploads what (using tokens, authorization etc), but that's up to you (as developer) to handle. 当然,可以限制谁上传哪些内容(使用令牌,授权等),但这取决于您(作为开发人员)来处理。

As to upload.php file from plupload, I think it's suppose to be just a quick and dirty example, that makes trying out plupload a little bit easier. 至于从plupload上传upload.php文件,我认为这只是一个简单而又肮脏的例子,这使得尝试plupload更加容易。

解决方案2
 1  2012-08-14 08:22:55

I think you want Wordpress to work with upload.php and not the other way arround. 我认为您希望Wordpress与upload.php一起使用,而不是反过来。 So if anyone would call upload.php directly it will fail. 因此,如果有人直接调用upload.php,它将失败。 Can you set some specific information that will only be available from within your Wordpress functions. 您能否设置一些特定的信息,这些信息仅在您的Wordpress函数中可用。 In upload.php you can ask for this information if not available it will stop. 在upload.php中,您可以要求提供此信息(如果不可用),它将停止。 Hope this is what you need. 希望这是您所需要的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 有关网址中参数的疑问 - Doubts about parameter in the URL 对这种多步骤形式的怀疑 - Doubts about this multistep form 对popen的疑惑 - Doubts about popen PHP和MySQL登录安全性疑虑 - PHP and mySQL login security doubts 怀疑Yii2 RBAC - Doubts about Yii2 RBAC 对PHP执行时间的怀疑 - Doubts About PHP Execution Time 关于保存SVG文件和检索的疑问 - Doubts about saving SVG files and retrieving 对Composer的require和require-dev的怀疑 - Doubts about require and require-dev of Composer Laravel 5关于图像/文件上传的疑问 - Laravel 5 doubts about image/file upload CodeIgniter:对HMVC和Views有些怀疑 - CodeIgniter: some doubts about HMVC and Views
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM