S3 direct upload with a specified content type is ignored

Time: 2018-05-24 02:11:44

Tags: amazon-web-services amazon-s3

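I am trying to do a direct upload to S3 with PHP. I want to enforce a content-type restriction when files are uploaded, but S3 seems to ignore the S3 policy, and no error message is shown.

Here is my policy setup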

    return new \Aws\S3\PostObjectV4($s3_client, $bucket,
        [
            'acl' => 'public-read',
            'key' => 'files/shop_manager/' . $merchant_id . '/${filename}',
            'success_action_redirect' => $redirect_url,
            'Content-Type' => 'text/plain',
        ],
        [
            [ 'acl'     => 'public-read' ],
            [ 'bucket'  =>  $bucket ],
            [ 'starts-with', '$key', 'files/shop_manager/' . $merchant_id],
            [ 'starts-with', '$success_action_redirect', $redirect_url],
            [ 'starts-with', '$Content-Type', 'text/'],
            [ 'content-length-range', 1, 10485760] // 10 MB
        ]
    );

Here is the generated form

<form id="formUpload" action="https://uboux-dev.s3.ap-southeast-1.amazonaws.com" method="POST" enctype="multipart/form-data">               
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="key" value="files/shop_manager/274/${filename}" />
    <input type="hidden" name="success_action_redirect" value="https://merchants.uboux.com/management/media/?uboux_merchant_s3=7711ddf885" />
    <input type="hidden" name="Content-Type" value="text/" />
    <input type="hidden" name="X-Amz-Credential" value="AKIAI4X5PXQ5KUE5RCXA/20180524/ap-southeast-1/s3/aws4_request" />
    <input type="hidden" name="X-Amz-Algorithm" value="AWS4-HMAC-SHA256" />
    <input type="hidden" name="X-Amz-Date" value="20180524T020742Z" />
    <input type="hidden" name="Policy" value="[base64 policy omitted]" />
    <input type="hidden" name="X-Amz-Signature" value="caadf7304062acb32ef82b08988e72801b368758dc32549ff4d2bbf08134f028" />
    <input type="file" id="fileupload" name="file" />

1 answer:

Answer 0 (score: 0)

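Your code is working as expected.

The form contains <input type="hidden" name="Content-Type" value="text/" />, and that value matches the policy [ 'starts-with', '$Content-Type', 'text/'].

The problem is that you are assuming this feature does something that it doesn't actually do.

This feature isn't designed to restrict the actual content type that can be uploaded. It is designed to restrict the content type you claim the upload to be, by way of the values in the form. In other words, the user (or JavaScript) can't change the form field to a value that conflicts with the policy.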
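
The behaviour described in the answer, as an added example that is not part of the original post and is not AWS or SDK code: a simplified model of S3's documented POST-policy matching, run against a constructed upload whose bytes are a PNG header while the form declares a text type. policyAccepts() and sniffedType() are hypothetical helpers, and the byte sniffing assumes PHP's fileinfo extension is available.

```php
<?php
// Added example: simplified model of S3 POST-policy matching (assumption, not AWS code).

/** Returns true when every modelled condition is met by the submitted form fields. */
function policyAccepts(array $conditions, array $fields, int $fileSize): bool
{
    foreach ($conditions as $c) {
        if (is_string(array_key_first($c))) {             // exact match: ['acl' => 'public-read']
            $name = array_key_first($c);
            if (($fields[$name] ?? null) !== $c[$name]) {
                return false;
            }
        } elseif ($c[0] === 'starts-with') {              // ['starts-with', '$Content-Type', 'text/']
            $value = $fields[ltrim($c[1], '$')] ?? null;
            if ($value === null || strncmp($value, $c[2], strlen($c[2])) !== 0) {
                return false;
            }
        } elseif ($c[0] === 'content-length-range') {     // ['content-length-range', min, max]
            if ($fileSize < $c[1] || $fileSize > $c[2]) {
                return false;
            }
        }
    }
    return true;
}

/** Hypothetical post-upload check: derive the type from the bytes, not from the form. */
function sniffedType(string $bytes): string
{
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
}

// Conditions copied from the question's policy (bucket, key and redirect left out for brevity).
$conditions = [
    ['acl' => 'public-read'],
    ['starts-with', '$Content-Type', 'text/'],
    ['content-length-range', 1, 10485760],
];

// Constructed upload: PNG signature plus IHDR chunk, sent with the form's declared "text/" type.
$png    = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR" . pack('N2', 1, 1) . "\x08\x06\0\0\0";
$fields = ['acl' => 'public-read', 'Content-Type' => 'text/'];

// The policy sees only the field values and the size, never the file bytes.
var_dump(policyAccepts($conditions, $fields, strlen($png)));
// Changing the declared value to one outside the policy is what gets rejected.
var_dump(policyAccepts($conditions, ['Content-Type' => 'image/png'] + $fields, strlen($png)));

// A byte-level check that the application would have to run itself after the upload.
printf("declared=%s sniffed=%s\n", $fields['Content-Type'], sniffedType($png));
```

If the real content type matters, the application has to inspect the stored object itself, for example when it handles the success_action_redirect callback.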