I recently implemented a security system where we check MIME types and file extensions against a list of acceptable ones. If the scanned file has a MIME and an extension in this list, we move forward. I have included the function where we scan the file below. The ALLOWED_EXTENSIONS and ALLOWED_MIME_TYPES are just strings such as "txt,pdf,jpeg....".
I will assume you know what MIME types are and how they work, but lately we have been getting PDF uploads with no MIME type at all. This code works most of the time, by the way. I have seen PDFs go through fine, as well as images, text files, etc.
Is it possible a file would not have a MIME type at all?
/**
 * scan the file before upload to do our various security checks
 *
 * @param tmpName the file's location in /tmp, used for MIME type scan
 * @param name the filename as it was uploaded, used for extension scan
 * @param oid the order id, passed along to notifyStaffIllegalFileUpload() if email needs to be sent
 * @return true on success, error string on failure
 */
function scanFile($tmpName, $name, $oid) {
    global $_email;
    // get lists from config; trim and lowercase each entry so "txt, PDF" in the config still matches
    $allowedExtensions = array_map('trim', explode(",", strtolower(ALLOWED_EXTENSIONS)));
    $allowedMIMEs = array_map('trim', explode(",", strtolower(ALLOWED_MIME_TYPES)));
    // get extension (empty string when the uploaded name has none)
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // get MIME type by sniffing the file contents; finfo_open()/finfo_file() return false on
    // error, and finfo reports application/octet-stream when it recognises nothing
    $mime = '';
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo !== false) {
        $detected = finfo_file($finfo, $tmpName);
        finfo_close($finfo);
        if ($detected !== false) {
            $mime = strtolower($detected);
        }
    }
    // check against allowed (strict comparison: both lists hold strings, so avoid loose matching)
    if (!in_array($ext, $allowedExtensions, true) || !in_array($mime, $allowedMIMEs, true)) {
        capDebug(__FILE__, __LINE__, "Order #" . $oid . " - A user attempted to upload a file with extension '" . $ext . "' and MIME type '" . $mime . "'. The attempt was blocked.\n", "/tmp/file_errors.log");
        $_email->notifyStaffIllegalFileUpload($oid, $name, $ext, $mime);
        return "Our security systems detected an illegal file type/mime type. The file upload was cancelled.";
    }
    return true;
}
2 solutions
#1
1
The OP's own answer (which doesn't attempt to answer the actual question) aside, this isn't really well-defined. The content type application/octet-stream is generic, and so can be assigned to every file. On the other hand, it is obviously possible to create files which have no useful content type; how would you label the output of dd if=/dev/urandom in terms of a MIME type?
In the frame of the question here I'm leaning towards "no" -- it is not possible to assign a useful MIME type to every possible file.
#2
0
After a few days of research and advice, the answer to the question is kind of irrelevant due to the fact that checking for MIME types as a security feature is not feasible in the first place. There are too many issues with MIME types on different operating systems, different applications saving files differently, some files not having a MIME at all, and lastly, the fact that the extension and MIME could be altered by a malicious user or program. Closing.