在laravel 4.2中上传文件,上传恶意文件!! (文件类型检查和文件类型扩展检查不起作用)

时间:2018-01-24 01:24:09

标签: php laravel file-upload

我有一个应用程序,允许用户以.jpg .png .jpeg格式上传图像文件。一位用户上传了一个jpg.php文件,在与他交谈后,他告诉我他编辑了图像后包含PHP代码后的图像内容然后访问图像运行代码,我的文件夹权限是755和文件权限是644,用户和组是www:data。该应用程序是在laravel 4.2框架中编写的。

我可以在此代码中添加任何内容以防止再次发生这种情况吗?我不是专业编码员,也不是自称是。

public function doCreateListing(){
    $user = User::find(Auth::user()->id);
    $rules = array(
        'title'     =>'required',
        'description'   =>'required',
        'tags'          => 'required',
        'category'      => 'required',
        'price'         => 'required|numeric|min:0',
        'image_1' => 'mimes:jpg,jpeg,png',
        'image_2' => 'mimes:jpg,jpeg,png',
        'image_3' => 'mimes:jpg,jpeg,png',
        'image_4' => 'mimes:jpg,jpeg,png',
    );


//save image
        $destinationPath = public_path().'/uploads/';
        $j=1;
        for ($i=1; $i <=4 ; $i++) {
            if (Input::hasFile('image_'.$i)){
                $primary_image=0;
                if($j==1) $primary_image=1; //For default, the first image is the primary image. 

                $file = Input::file('image_'.$i);

                $filename_ = str_random(8);
                $filename = str_replace(" ", "-", $file->getClientOriginalName());
                $file_uploaded=$filename_.'_'.$filename;
                $upload_success  = $file->move($destinationPath, $file_uploaded); 
                if( $upload_success ) {
                    $listing_image = new ListingImage();
                    $listing_image->listing_id = $listing->id;
                    $listing_image->image =  $file_uploaded;
                    $listing_image->primary_image =  $primary_image; 
                    $listing_image->save();                                            
                }
                $j++;  
            }
        }           
    }
    return Redirect::to('listings')->with('success','Your image was set.');
}

0 个答案:

没有答案