PHP Security-File Upload Attack

File Upload Attack

Sometimes in addition to standard form data, you also need to allow users to upload files. Since files are transferred in a form differently than other form data, you must specify a special encoding multipart/form-data:

CODE:

<form action="upload.php" method="POST"
enctype="multipart/form-data">

A form with both ordinary form data and files is a special format, and specifying the encoding method allows the browser to process it according to the requirements of the format .

The form element that allows users to select files and upload them is very simple:

CODE:

<input type="file" name="attachment" />

The appearance of this element varies in various browsers. Traditionally, the interface includes a standard text box and a browse button, so that the user can directly enter the path of the file manually or select it through browsing. In Safari browser there is only browse button. Fortunately, their functions and behaviors are the same.

To better demonstrate the file upload mechanism, the following is an example that allows users to upload attachments:

CODE:

<form action="upload.php" method="POST"
enctype="multipart/form-data">
  
Please choose a file to upload:
  
  

  
  

The hidden form variable MAX_FILE_SIZE tells the browser the maximum allowed upload file size. Like many client restrictions, this one can be easily bypassed by an attacker, but it provides guidance for legitimate users. This restriction is only reliable if done on the server.

Among the PHP configuration variables, upload_max_filesize controls the maximum file size allowed to be uploaded. At the same time, post_max_size (the maximum submitted data size of the POST form) can also potentially be controlled, because the file is uploaded through the form data.

The receiving program upload.php displays the contents of the super global array $_FILES:

CODE:

<?php
 
  header(&#39;Content-Type: text/plain&#39;);
  print_r($_FILES);
 
  ?>

In order to understand the upload process, we use a file named author.txt for testing. Here is its content:

CODE:

  Chris Shiflett
  http://www.php.cn/

When you upload this file to the upload.php program, you can see output similar to the following in the browser:

CODE:

 Array
  (
      [attachment] => Array
          (
              [name] => author.txt
              [type] => text/plain
              [tmp_name] => /tmp/phpShfltt
              [error] => 0
              [size] => 36
          )
 
  )

## Although it can be seen from the above that PHP is actually super global The content provided in the array $_FILES, but it cannot give the original information of the form data. As a security-focused developer who needs to identify input to know what the browser is actually sending, it’s worth taking a look at the following HTTP request information:

CODE:

POST /upload.php HTTP/1.1
  Host: example.org
  Content-Type: multipart/form-data;
boundary=----------12345
  Content-Length: 245
 
  ----------12345
  Content-Disposition: form-data; name="attachment";
filename="author.txt"
  Content-Type: text/plain
 
  Chris Shiflett
  http://www.php.cn/
 
  ----------12345
  Content-Disposition: form-data;
name="MAX_FILE_SIZE"
 
  1024
  ----------12345--

##Although you do not need to understand the format of the request, you must be able to Files and associated metadata are identified. The user only provides the name and type, so tmp_name, error and size are all provided by PHP.

Since PHP saves the uploaded file in the temporary file area of ​​the file system (/tmp/phpShfltt in this example), the usual operation is to move it to other places for saving and reading it into memory. There is a theoretical risk if you don't check tmp_name to make sure it's an uploaded file (and not something like /etc/passwd). It is called a theoretical risk because there is no known attack method that allows an attacker to modify the value of tmp_name. However, just because there are no means of attack doesn’t mean you don’t need to take some simple security measures. New attacks appear every day, and one simple step can protect your system.

PHP provides two convenient functions to mitigate these theoretical risks: is_uploaded_file() and move_uploaded_file( ). If you need to ensure that the file in tmp_name is an uploaded file, you can use is_uploaded_file():

CODE:

 <?php
 
  $filename = $_FILES[&#39;attachment&#39;][&#39;tmp_name&#39;];
 
  if (is_uploaded_file($filename))
  {
    /* $_FILES[&#39;attachment&#39;][&#39;tmp_name&#39;] is an
uploaded file. */
  }
 
  ?>

如果你希望只把上传的文件移到一个固定位置，你可以使用move_uploaded_file( )：

CODE:

 <?php
 
  $old_filename =
$_FILES[&#39;attachment&#39;][&#39;tmp_name&#39;];
  $new_filename = &#39;/path/to/attachment.txt&#39;;
 
  if (move_uploaded_file($old_filename,
$new_filename))
  {
    /* $old_filename is an uploaded file, and the
move was successful. */
  }
 
  ?>

最后你可以用 filesize( ) 来校验文件的大小：

CODE:

 <?php
 
  $filename = $_FILES[&#39;attachment&#39;][&#39;tmp_name&#39;];
 
  if (is_uploaded_file($filename))
  {
    $size = filesize($filename);
  }
 
  ?>

这些安全措施的目的是加上一层额外的安全保护层。最佳的方法是永远尽可能少地去信任。 

以上就是PHP安全-文件上传攻击的内容，更多相关内容请关注PHP中文网（www.php.cn）！