After reading http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf, it is clear that allowing image uploads from users opens you to XSS attacks.
阅读http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf后,很明显允许用户上传图片会让您受到XSS攻击。
I wasn't able to find any PHP examples of how to screen an uploaded image for XSS attacks.
我无法找到任何关于如何筛选上传图像以进行XSS攻击的PHP示例。
I found one for CodeIgniter, which I am using. The function is xss_clean($file, IS_IMAGE), but there is only 1 sentence of documentation for it, so I have no idea how it works and a comment in their forum said it had an unreasonably high rate of false positives, so it's not usable in production.
我找到了一个CodeIgniter,我正在使用它。该函数是xss_clean($ file,IS_IMAGE),但是它只有一个文档的句子,所以我不知道它是如何工作的,并且在他们的论坛中的评论说它有一个不合理的高误报率,所以它不是可用于生产。
What do you recommend to prevent XSS attacks within an uploaded image?
您建议在上传的图像中防止XSS攻击?
2 个解决方案
#1
4
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
只要您保持扩展名正确(并且您的用户都在努力更新其浏览器),就不应该进行图像注入。
For instance, if someone uploads alert('xss'); as an image and you have <img src='that-image.png'>, it will be emitted as a png and the JavaScript won't execute (at least back to IE7). What's important is that you rename the images appropriately.
例如,如果有人上传警报('xss');作为一个图像,你有
,它将作为一个png发出,JavaScript将不会执行(至少回到IE7)。重要的是你要适当地重命名图像。
If you have php > 5.3 and the finfo PECL extension, you can use it to get the mime type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine, file may help you with that as well.
如果您有php> 5.3和finfo PECL扩展,您可以使用它来获取文件的mime类型并具有您允许的类型的白名单(png,jpg,我想象的gif)。如果你在Linux机器上,文件也可以帮助你。
#2
0
In CodeIgniter there's many way to prevent the XSS. You can enable it when getting the value like ->post('data', true). The second parameter is the XSS bool.
在CodeIgniter中,有很多方法可以阻止XSS。您可以在获取值时启用它,例如 - > post('data',true)。第二个参数是XSS bool。
Also, don't use the HTML IMG tag. Use the CodeIgniter one that will clean, look and make it easier to display the image.
另外,请勿使用HTML IMG标记。使用CodeIgniter,它将清理,查看并更容易显示图像。
Just my two cents!
只是我的两分钱!
#1
4
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
只要您保持扩展名正确(并且您的用户都在努力更新其浏览器),就不应该进行图像注入。
For instance, if someone uploads alert('xss'); as an image and you have <img src='that-image.png'>, it will be emitted as a png and the JavaScript won't execute (at least back to IE7). What's important is that you rename the images appropriately.
例如,如果有人上传警报('xss');作为一个图像,你有,它将作为一个png发出,JavaScript将不会执行(至少回到IE7)。重要的是你要适当地重命名图像。
If you have php > 5.3 and the finfo PECL extension, you can use it to get the mime type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine, file may help you with that as well.
如果您有php> 5.3和finfo PECL扩展,您可以使用它来获取文件的mime类型并具有您允许的类型的白名单(png,jpg,我想象的gif)。如果你在Linux机器上,文件也可以帮助你。
#2
0
In CodeIgniter there's many way to prevent the XSS. You can enable it when getting the value like ->post('data', true). The second parameter is the XSS bool.
在CodeIgniter中,有很多方法可以阻止XSS。您可以在获取值时启用它,例如 - > post('data',true)。第二个参数是XSS bool。
Also, don't use the HTML IMG tag. Use the CodeIgniter one that will clean, look and make it easier to display the image.
另外,请勿使用HTML IMG标记。使用CodeIgniter,它将清理,查看并更容易显示图像。
Just my two cents!
只是我的两分钱!