Checking an uploaded image for malicious code and deleting it

Time: 2014-02-03 10:41:10

Tags: php image upload tmp

How can I detect whether an uploaded image contains malicious code and delete it from the temporary folder?

Code:

$_FILES['file']['tmp_name']

As far as I know, there is no way to prevent it from reaching the /tmp folder.

I have read that I can use

<?php
$file_data = getimagesize($_FILES['file']['tmp_name']);   // false when the header cannot be parsed
if (is_array($file_data) && strpos($file_data['mime'], 'image') !== false) {
    echo "Image";
}

But how reliable is this?

3 answers:

Answer 0 (score: 0)

Try resizing the uploaded image with the imagecopyresized function. If the resize succeeds, the file is an image. If not, delete it.

Answer 1 (score: 0)

Checking the file type alone is not sufficient, because malicious code can be injected into a JPEG header. Here are some useful references:

http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

How to prevent every malicious file upload on my server? (check file type)?

I would post two more OWASP links, but I don't have enough reputation to do so.

You can also check the uploaded files for certain keywords using regex functions or the grep command:

#!/bin/bash
SEARCH_DIR="/tmp"  # change this to your upload dir
# Extended regex of strings typically found in PHP web shells; extend as needed
PATTERNS="preg_replace\(.*/e|passthru|shell_exec|my_delimdelimUploaded|myshellexec|PHPShell|FilesMan"

# -R recurse, -l list only the matching file names, -i ignore case; restrict to image extensions
grep -E --color -Rli --include=*.{jpg,jpeg,gif,png} "$PATTERNS" "$SEARCH_DIR"

Hopefully the script helps clean up some of the malicious code; you can then trigger an IP blackhole and send an alert message accordingly.

Also, you can turn off execute permissions on /tmp or the upload folder with the 'noexec' and 'nosuid' options in /etc/fstab (this works on FreeBSD).
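As an added example, not part of the answer above: a PHP counterpart of the grep one-liner that walks a directory, looks only at files with image extensions and reports the ones whose bytes contain PHP or script markers that never occur in legitimate pixel data. The temporary directory, the three sample files and the pattern list are constructed here; the function name is my own.

```php
<?php
// Added example (not from the answer): scan image files for script markers.
declare(strict_types=1);

// Markers that have no business inside pixel data (constructed list; extend as needed).
const SUSPICIOUS_PATTERNS = [
    '/<\?php/i',                                                   // PHP open tag
    '/<\?=/',                                                      // PHP short echo tag
    '/<script\b/i',                                                // inline HTML/JS
    '/\b(?:eval|system|passthru|shell_exec|base64_decode)\s*\(/i', // common shell calls
];

/**
 * Recursively scans $dir and returns [path => first matching pattern]
 * for every file with an image extension that contains a marker.
 */
function scan_images_for_code(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Same extension filter as the grep --include list above.
        if (!preg_match('/\.(jpe?g|gif|png)$/i', $file->getFilename())) {
            continue;
        }
        $bytes = (string) file_get_contents($file->getPathname());
        foreach (SUSPICIOUS_PATTERNS as $pattern) {
            if (preg_match($pattern, $bytes)) {
                $hits[$file->getPathname()] = $pattern;
                break;
            }
        }
    }
    ksort($hits);
    return $hits;
}

// --- Constructed sample data: a minimal GIF header, once clean, once with a trailer ---
$dir = sys_get_temp_dir() . '/imgscan_' . bin2hex(random_bytes(4));
mkdir($dir);
$gifHeader = "GIF89a\x01\x00\x01\x00\x00\x00\x00";                    // header bytes only, not a full image
file_put_contents("$dir/clean.gif",   $gifHeader . "\x3b");
file_put_contents("$dir/trailer.gif", $gifHeader . "\x3b" . "<?php /* constructed marker */ ?>");
file_put_contents("$dir/notes.txt",   "<?php echo 'not an image, so not scanned'; ?>");

foreach (scan_images_for_code($dir) as $path => $pattern) {
    printf("SUSPICIOUS %s (matched %s)\n", basename($path), $pattern);
}
// Only trailer.gif is reported: clean.gif has no marker, notes.txt is skipped by extension.

// Remove the constructed files again.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Like the grep script, this is a detection aid rather than a validator: a large JPEG can by chance contain a short ASCII run such as "eval(", so treat a hit as something to quarantine and inspect, and keep the PHP open tag as the strongest signal. Files are read whole, which is fine for an upload directory with size limits but should be replaced by chunked reading for arbitrary trees.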

Answer 2 (score: 0)

This question was asked about a year ago, but maybe someone else has this problem, so I'm posting a solution here that works for me; hopefully it works for you too.

<?php
if (isset($_POST['submit']) && !empty($_FILES['ufile']['name'])) {
        $fileext  = explode(".", $_FILES['ufile']['name']);
        $fileext  = strtolower($fileext[sizeof($fileext) - 1]); // extension of the uploaded file
        $filename = basename($_FILES['ufile']['name']);          // basename() strips any "../" from the client-supplied name

        if ($fileext == "jpg" || $fileext == "jpeg" || $fileext == "gif" || $fileext == "png") {
            $f = fopen($_FILES['ufile']['tmp_name'], 'rb');        // binary mode: image data is not text
            $content = "";
            while (!feof($f))
            {
                $content .= fgets($f);
            }
            fclose($f);

            /* Add the words (tags) or any other suspect words you want to block uploads on */
            $forbidden = array("html",
                                "php",
                                "form",
                                "script",
                                "java",
                                "div",
                                "table",
                                "span",
                                "tr",
                                "td",
                                "th",
                                "submit",
                                "body",
                                "head",
                                "var",
                                "function");
            foreach ($forbidden as $forbidword) {
                if (strpos($content, $forbidword) !== false) {
                    die("Error: Malicious image cannot be uploaded!");
                }
            }

            if (move_uploaded_file($_FILES['ufile']['tmp_name'], "./" . $filename)) {

                echo "
                The file was uploaded successfully <br/>

                    Details : <br>

                    Link : " . $filename . "<br />

                    File Name : " . $filename . " <br>

                    File Size : " . ($_FILES['ufile']['size'] / 1000) . " KB <br>

                    File Type : " . $_FILES['ufile']['type'];
            } else {
                // error_log() needs a message argument; report PHP's upload error code instead
                echo "An unexpected error : upload error code " . $_FILES['ufile']['error'];
            }

    } else {
        echo "Only files with these extensions are allowed to upload: " . "JPG, JPEG, GIF, PNG";

    }
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="" method="POST" name="addnews" enctype="multipart/form-data">
 <input type="hidden" name="MAX_FILE_SIZE" value="4000000" /> 
    <label class="title">Choose an image file:
    <input type="file" name="ufile" />
    </label>
    <br />
    <input name="submit" type="submit" value="Upload Media" />
</form>
</body>
</html>
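As an added example, not code from the question or from any of the answers: the approach answer 0 hints at, carried through into a handler for the same 'ufile' form field that answer 2 uses. Instead of searching the bytes for keywords, it checks the real MIME type and the header (the getimagesize() check the question asks about), fully decodes the upload with GD, and writes a freshly encoded copy under a server-chosen name, so only pixel data reaches the upload directory and anything appended to the file or hidden in comment and EXIF segments is dropped. It assumes the GD and fileinfo extensions; the function name, the uploads directory and the pixel cap are my own choices.

```php
<?php
declare(strict_types=1);

// Added example (not from the page). Assumes ext/gd and ext/fileinfo.
// Function name, upload directory and the pixel cap are hypothetical choices.

/**
 * Validates an uploaded image and stores a re-encoded copy.
 * Returns the stored path, or null when the upload is rejected.
 */
function sanitize_uploaded_image(string $tmpPath, string $uploadDir): ?string
{
    // 1. Accept only files PHP itself received through an HTTP upload.
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }

    // 2. Take the type from the bytes, never from the client-supplied
    //    file name or from $_FILES[...]['type'].
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($tmpPath);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!is_string($mime) || !isset($allowed[$mime])) {
        return null;
    }

    // 3. Parse the header (what the question's getimagesize() check does) and cap
    //    the pixel count so a decompression bomb cannot exhaust memory in step 4.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] * $info[1] > 16000000) {
        return null;
    }

    // 4. Fully decode the pixel data; a fake or truncated image fails here.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // 5. Write a fresh encoding under a random name. Bytes appended to the
    //    original and its comment/EXIF segments never reach the upload directory.
    $ext  = $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if ($ext === 'png') {
        imagesavealpha($img, true);          // keep transparency in the re-encoded PNG
        $ok = imagepng($img, $dest);
    } elseif ($ext === 'gif') {
        $ok = imagegif($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest, 90);
    }
    imagedestroy($img);

    return $ok ? $dest : null;
}

// Request handler for the form field 'ufile' used in answer 2.
if (isset($_FILES['ufile']) && $_FILES['ufile']['error'] === UPLOAD_ERR_OK) {
    $tmp   = $_FILES['ufile']['tmp_name'];
    $saved = sanitize_uploaded_image($tmp, __DIR__ . '/uploads');

    // The original is never moved, so PHP would delete it when the request
    // ends; remove it now so a rejected file does not linger in the tmp folder.
    if (is_file($tmp)) {
        unlink($tmp);
    }

    echo $saved === null
        ? "Upload rejected: not a decodable image."
        : "Stored as " . htmlspecialchars(basename($saved));
}
```

The uploads directory must exist and be writable by the web server, and it should either sit outside the web root or have PHP execution disabled for it, so that the re-encoding is a second layer rather than the only one. Two side effects are worth knowing: re-encoding keeps only the first frame of an animated GIF, and the JPEG quality setting changes the bytes, which is exactly why appended payloads do not survive.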