可以上传带有恶意文件名的文件吗?
[英]Is it possible to upload a file with malicious filename?
问题描述
是否可以将HTTP上传请求发送到Apache或IIS的文件,该文件的文件名将带有“ ../”或“ ..”而不会被拒绝,并将被传递给php或ASP.Net引擎?
1 个解决方案
解决方案1
1 2013-02-08 07:35:14
Not really the way you are asking. 
并不是您问的方式。 By the time it gets to the server the browser has read the file and delivered it as a chunk of content with no information about where it came from other than the original file name which you can choose to use or discard. 到服务器时,浏览器已读取文件并将其作为内容块发送,除了您可以选择使用或丢弃的原始文件名外,没有任何有关文件来源的信息。
Generally file uploads go into a temporary storage place (eg /tmp) and then need to be moved out of there to somewhere which you can control and name. 通常,文件上传会进入一个临时存储位置(例如/ tmp),然后需要移出该位置到您可以控制和命名的位置。
This storage is configured on the server, and so any attempt to put path info into the filename should also be blocked by the file upload implementation of the server which should sanitise the filenames again if the browser didn't already do so. 该存储设备是在服务器上配置的,因此,将路径信息放入文件名的任何尝试也应被服务器的文件上传实现阻止,如果浏览器尚未这样做,则应该再次对文件名进行清理。
If there's a bug then all bets are off though. 如果有错误,那么所有的选择都关闭。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.