0

我一直在研究图像文件上传安全性,但似乎无法破解它。我想通过在保存到服务器之前检查文件是否实际上是图像来为出色的Valums Ajax Uploader添加一些安全性。唯一允许的扩展名是 .jpg、.png 和 .gif,当然会检查扩展名,但我希望通过 GD 处理来验证它是一个图像文件。我对这个主题知之甚少,所以我从这篇文章和这篇文章中得到启示. 就目前而言,我可以轻松地保存带有图像扩展名的随机文件,并将其保存在服务器上,这是我想要阻止的。这是迄今为止我提出的脚本,我已将其添加到 php.php 文件中的 handleUpload 函数中。不幸的是,无论我上传什么文件、有效图像与否,它都会返回错误。请原谅我完全的新手。

            $newIm = @imagecreatefromjpeg($uploadDirectory . $filename . '.' . $ext);
            $newIm2 = @imagecreatefrompng($uploadDirectory . $filename . '.' . $ext);
            $newIm3 = @imagecreatefromgif($uploadDirectory . $filename . '.' . $ext);
            if (!$newIm && !$newIm2 && !$newIm3) {
                return array('error' => 'File is not an image.  Please try again');
            }else{ 
                imagedestroy($newIm);
                imagedestroy($newim2);
                imagedestroy($newIm3);
}

这是我的大部分 php.php 文件。顺便说一句,我的文件不是通过常规表单提交的,而是通过默认上传器提交的:

    class qqUploadedFileXhr {
        /**
         * Save the file to the specified path
         * @return boolean TRUE on success
         */
        function save($path) {    
            $input = fopen("php://input", "r");
            $temp = tmpfile();
            $realSize = stream_copy_to_stream($input, $temp);
            fclose($input);

            if ($realSize != $this->getSize()){            
                return false;
            }

            $target = fopen($path, "w");        
            fseek($temp, 0, SEEK_SET);
            stream_copy_to_stream($temp, $target);
            fclose($target);

            return true;
        }
        function getName() {
            return $_GET['qqfile'];
        }
        function getSize() {
            if (isset($_SERVER["CONTENT_LENGTH"])){
                return (int)$_SERVER["CONTENT_LENGTH"];            
            } else {
                throw new Exception('Getting content length is not supported.');
            }      
        }   
    }

    /**
     * Handle file uploads via regular form post (uses the $_FILES array)
     */
    class qqUploadedFileForm {  
        /**
         * Save the file to the specified path
         * @return boolean TRUE on success
         */  
        function save($path) {
            if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
                return false;
            }
            return true;
        }
        function getName() {
            return $_FILES['qqfile']['name'];
        }
        function getSize() {
            return $_FILES['qqfile']['size'];
        }

    }

    class qqFileUploader {
        private $allowedExtensions = array();
        private $sizeLimit = 2097152;
        private $file;

        function __construct(array $allowedExtensions = array(), $sizeLimit = 2097152){        
            $allowedExtensions = array_map("strtolower", $allowedExtensions);

            $this->allowedExtensions = $allowedExtensions;        
            $this->sizeLimit = $sizeLimit;

            $this->checkServerSettings();       

            if (isset($_GET['qqfile'])) {
                $this->file = new qqUploadedFileXhr();
            } elseif (isset($_FILES['qqfile'])) {
                $this->file = new qqUploadedFileForm();
            } else {
                $this->file = false; 
            }
        }

        private function checkServerSettings(){        
            $postSize = $this->toBytes(ini_get('post_max_size'));
            $uploadSize = $this->toBytes(ini_get('upload_max_filesize'));        

            if ($postSize < $this->sizeLimit || $uploadSize < $this->sizeLimit){
                $size = max(1, $this->sizeLimit / 1024 / 1024) . 'M';             
                die("{'error':'increase post_max_size and upload_max_filesize to $size'}");    
            }        
        }

        private function toBytes($str){
            $val = trim($str);
            $last = strtolower($str[strlen($str)-1]);
            switch($last) {
                case 'g': $val *= (1024 * 1024 * 1024);
                case 'm': $val *= (1024 * 1024);
                case 'k': $val *= 1024;        
            }
            return $val;
        }

        /**
         * Returns array('success'=>true) or array('error'=>'error message')
         */
        function handleUpload($uploadDirectory, $replaceOldFile = FALSE){
            if (!is_writable($uploadDirectory)){
                return array('error' => "Server error. Upload directory isn't writable.");
            }

            if (!$this->file){
                return array('error' => 'No files were uploaded.');
            }

            $size = $this->file->getSize();

            if ($size == 0) {
                return array('error' => 'File is empty');
            }

            if ($size > $this->sizeLimit) {
                return array('error' => 'File is too large, please upload files that are less than 2MB');
            }

            $pathinfo = pathinfo($this->file->getName());
            $filename = $pathinfo['filename'];
            //$filename = md5(uniqid());
            $ext = $pathinfo['extension'];

            if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
                $these = implode(', ', $this->allowedExtensions);
                return array('error' => 'File has an invalid extension, it should be one of '. $these . '.');
            }

            if(!$replaceOldFile){
                /// don't overwrite previous files that were uploaded
                while (file_exists($uploadDirectory . $filename . '.' . $ext)) {
                    $filename .= rand(10, 99);
                }
            }
            $newIm = @imagecreatefromjpeg($uploadDirectory . $filename . '.' . $ext);
            $newIm2 = @imagecreatefrompng($uploadDirectory . $filename . '.' . $ext);
            $newIm3 = @imagecreatefromgif($uploadDirectory . $filename . '.' . $ext);
            if (!$newIm && !$newIm2 && !$newIm3) {
                return array('error' => 'File is not an image.  Please try again');
            }else{ 
                imagedestroy($newIm);
                imagedestroy($newim2);
                imagedestroy($newIm3);
}   

            if ($this->file->save($uploadDirectory . $filename . '.' . $ext)){
                // At this point you could use $result to do resizing of images or similar operations
            if(strtolower($ext) == 'jpg' || strtolower($ext) == 'jpeg' || strtolower($ext) == 'gif' || strtolower($ext) == 'png'){

                $imgSize=getimagesize($uploadDirectory . $filename . '.' . $ext);

                if($imgSize[0] > 100 || $imgSize[1]> 100){  
                $thumbcheck = make_thumb($uploadDirectory . $filename . '.' . $ext,$uploadDirectory . "thumbs/" . $filename ."_thmb" . '.' . $ext,100,100);
                    if($thumbcheck == "true"){
                        $thumbnailPath = $uploadDirectory . "thumbs/" . $filename ."_thmb". '.' . $ext;
                    }
                }else{
                $this->file->save($uploadDirectory . "thumbs/" . $filename ."_thmb" . '.' . $ext);  
                $thumbnailPath = $uploadDirectory . "thumbs/" . $filename ."_thmb". '.' . $ext;
                }

                if($imgSize[0] > 500 || $imgSize[1] > 500){
                resize_orig($uploadDirectory . $filename . '.' . $ext,$uploadDirectory . $filename .  '.' . $ext,500,500);
                $imgPath = $uploadDirectory . $filename . '.' . $ext;
                $newsize = getimagesize($imgPath);
                $imgWidth = ($newsize[0]+30);
                $imgHeight = ($newsize[1]+50);
                }else{
                $imgPath = $uploadDirectory . $filename . '.' . $ext;
                $newsize = getimagesize($imgPath);
                $imgWidth = ($newsize[0]+30);
                $imgHeight = ($newsize[1]+50);
                }

            }
                return array('success'=>true,
                'thumbnailPath'=>$thumbnailPath,
                'imgPath'=>$imgPath,
                'imgWidth'=>$imgWidth,
                'imgHeight'=>$imgHeight
                );
            } else {
                return array('error'=> 'Could not save uploaded file.' .
                    'The upload was cancelled, or server error encountered');
            }

        }    
    }

    // list of valid extensions, ex. array("jpeg", "xml", "bmp")
    $allowedExtensions = array();
    // max file size in bytes
    $sizeLimit = 2097152;

    $uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
    $result = $uploader->handleUpload('uploads/');

    // to pass data through iframe you will need to encode all html tags
    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);

如果有人能指出我做错了什么的正确方向,那将不胜感激。

编辑

感谢 Mark B 的帮助和澄清。所以无论我上传什么,新代码(我粘贴在与旧代码相同的位置,handleUpload 函数)仍然会引发错误,所以我想知道它是否需要在不同的地方——我只是没有确定把它放在哪里。

$newIm = getimagesize($uploadDirectory . $filename . '.' . $ext);
            if ($newIm === FALSE) {
               return array('error' => 'File is not an image.  Please try again');

        }

第二次编辑:

我相信答案就在这里,仍在尝试实施。

4

2 回答 2

0

只需使用getimagesize()

$newIm = getimagesize$uploadDirectory . $filename . '.' . $ext');
if ($newIm === FALSE) {
    die("Hey! what are you trying to pull?");
}

您的代码的问题是 3 次 imagecreate 调用和随后的 if() 语句。它应该写成一个OR从句。“如果任何图像加载尝试失败,请抱怨”。你的写成“如果所有图像尝试都失败”,如果实际上传了 gif/jpg/png,这是不可能的。

于 2012-03-21T18:45:45.557 回答
0

这里详细的答案就像一个魅力,我希望我在发布之前看到它。我希望我正确地实现了它......正如我所拥有的那样,它可以工作!

class qqUploadedFileXhr {
    /**
     * Save the file to the specified path
     * @return boolean TRUE on success
     */
function save($path) { 
// Store the file in tmp dir, to validate it before storing it in destination dir
$input = fopen('php://input', 'r');
$tmpPath = tempnam(sys_get_temp_dir(), 'upload'); // upl is 3-letter prefix for upload
$tmpStream = fopen($tmpPath, 'w'); // For writing it to tmp dir
$realSize = stream_copy_to_stream($input, $tmpStream);
fclose($input);
fclose($tmpStream);

if ($realSize != $this->getSize()){            
            return false;
        }
$newIm = getimagesize($tmpPath);
if ($newIm === FALSE) {
    return false;

}else{      
// Store the file in destination dir, after validation
$pathToFile = $path . $filename;
$destination = fopen($pathToFile, 'w');
$tmpStream = fopen($tmpPath, 'r'); // For reading it from tmp dir
stream_copy_to_stream($tmpStream, $destination);
fclose($destination);
fclose($tmpStream);

        return true;
}
    }
    function getName() {
        return $_GET['qqfile'];
    }
    function getSize() {
        if (isset($_SERVER["CONTENT_LENGTH"])){
            return (int)$_SERVER["CONTENT_LENGTH"];            
        } else {
            throw new Exception('Getting content length is not supported.');
        }      
    }   
}
于 2012-03-22T02:38:54.057 回答