php.lv forumi

file type check.


peehaa


I guess I can't think straight half asleep :/ andrisp is right, it can be faked simply by sending bogus data to the server.

 

Roughly this is what gets sent to the server when a file is uploaded. Change Content-Type: `application/x-httpd-php` to `image/jpeg` and the security is bypassed :(

 

```http
http://localhost/uploader.php

POST /uploader.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: xxx
Content-Type: multipart/form-data; boundary=---------------------------275194524102
Content-Length: 377

-----------------------------275194524102
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------275194524102
Content-Disposition: form-data; name="uploadedfile"; filename="index.php"
Content-Type: application/x-httpd-php

<?php
php file contents
?>
-----------------------------275194524102--
```


If you need to make sure they are images, then you can check their size in px. ;)

getimagesize()

+ that way you'll also be able to check whether the image isn't too small/large....

------------

Also look into:

exif_imagetype()

----------------


> Roughly this is what gets sent to the server when a file is uploaded. Change Content-Type: `application/x-httpd-php` to `image/jpeg` and the security is bypassed :(

 

Who told you that it's meant for security!? That Content-Type is just like the `file extension`...

If images, - getimagesize(), or another lib

If text, - convert with htmlspecialchars

If something else, - then try to open it with COM objects or libs (most of them return an error code if a wrong data file is passed)

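As an added example (not code posted by anyone in this thread), the PHP below does what the last two replies suggest: it asks getimagesize() and exif_imagetype() what the uploaded bytes really are, treats the client-sent Content-Type from the captured request as untrusted, and stores the file under a server-chosen name and extension. The function names, the ALLOWED_IMAGE_TYPES whitelist and the UPLOAD_DIR location are assumptions made for this example, and the two sample inputs are constructed in the script itself so it runs without a real upload.

```php
<?php
// Added example for the thread above (not code posted by anyone in it):
// decide whether an upload is an image from its bytes, using getimagesize()
// and exif_imagetype() as suggested, and ignore the client-sent Content-Type.
declare(strict_types=1);

// Whitelist of accepted image types and the extension the server assigns.
// The original filename and its extension are never reused.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one $_FILES entry (keys: name, type, tmp_name, error, size).
 * $file['type'] is copied from the multipart Content-Type header shown in the
 * captured request, so it is attacker-controlled and only reported, never trusted.
 * Returns ['ok' => bool, 'reason' => string, 'ext' => ?string, 'width' => int, 'height' => int].
 */
function validate_image_upload(array $file, int $maxBytes = 100000, int $maxSide = 4000): array
{
    $reject = fn(string $why) => ['ok' => false, 'reason' => $why, 'ext' => null, 'width' => 0, 'height' => 0];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return $reject('upload error code ' . (string) ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    // MAX_FILE_SIZE in the form is client-side only (it is just another POST field); enforce the limit here.
    if (($file['size'] ?? 0) <= 0 || $file['size'] > $maxBytes) {
        return $reject('empty or too large');
    }
    // getimagesize() reads the real file header, so index.php renamed to cat.jpg fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return $reject('not a recognised image (claimed ' . ($file['type'] ?? '?') . ')');
    }
    // Cross-check with exif_imagetype() when the exif extension is loaded.
    if (function_exists('exif_imagetype') && @exif_imagetype($file['tmp_name']) !== $info[2]) {
        return $reject('image signature mismatch');
    }
    [$width, $height] = $info;
    if ($width < 1 || $height < 1 || $width > $maxSide || $height > $maxSide) {
        return $reject("bad dimensions {$width}x{$height}");
    }
    return ['ok' => true, 'reason' => '', 'ext' => ALLOWED_IMAGE_TYPES[$info[2]], 'width' => $width, 'height' => $height];
}

/**
 * Move a validated upload into $dir (assumed to be outside the web root) under a
 * random server-chosen name with the server-chosen extension.
 */
function store_upload(array $file, string $ext, string $dir): string
{
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}

// Constructed demo: two temp files stand in for tmp_name, so this runs without a real upload.
$gifPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gifPath, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')); // genuine 1x1 GIF
$phpPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpPath, "<?php echo 'php file contents'; ?>"); // PHP source that claims to be a JPEG

$samples = [
    ['name' => 'cat.gif',   'type' => 'image/gif',  'tmp_name' => $gifPath, 'error' => UPLOAD_ERR_OK, 'size' => filesize($gifPath)],
    ['name' => 'index.php', 'type' => 'image/jpeg', 'tmp_name' => $phpPath, 'error' => UPLOAD_ERR_OK, 'size' => filesize($phpPath)],
];
foreach ($samples as $f) {
    $r = validate_image_upload($f);
    printf("%-10s claims %-10s -> %s\n", $f['name'], $f['type'],
        $r['ok'] ? "accepted, stored as .{$r['ext']} ({$r['width']}x{$r['height']})" : "rejected: {$r['reason']}");
    // In a real handler: if ($r['ok']) { store_upload($f, $r['ext'], UPLOAD_DIR); }
}
unlink($gifPath);
unlink($phpPath);
```

Run it with `php upload_check.php`: the genuine GIF is accepted and the PHP source labelled image/jpeg is rejected, whatever Content-Type the client put in the multipart part. One caveat worth keeping in mind: getimagesize() only proves that a valid image header is present, so a file that is both a parsable image and carries trailing PHP would still pass. That is why the example never keeps the uploader's filename or extension and writes into a directory the web server does not execute from; the header check and the storage rule only work together.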
