Flawed validation of the file's contents
Instead of implicitly trusting the Content-Type specified in a request, more secure servers try to verify that the contents of the file actually match what is expected.
In the case of an image upload function, the server might try to verify certain intrinsic properties of an image, such as its dimensions. If you try uploading a PHP script, for example, it won't have any dimensions at all. Therefore, the server can deduce that it can't possibly be an image, and reject the upload accordingly.
Similarly, certain file types may always contain a specific sequence of bytes in their header or footer. These can be used like a fingerprint or signature to determine whether the contents match the expected type. For example, JPEG files always begin with the bytes FF D8 FF.
This is a much more robust way of validating the file type, but even this isn't foolproof. Using special tools, such as ExifTool, it can be trivial to create a polyglot JPEG file containing malicious code within its metadata. The signature and dimension checks only establish that the file looks like a valid JPEG, not that it contains nothing else: a JPEG comment or EXIF segment can hold arbitrary bytes, so a file that begins with FF D8 FF and declares sensible dimensions can still carry a PHP payload. Whether that payload ever executes depends on how the file is stored and served, which is why content validation on its own is not a complete defense.