Shulou(Shulou.com)05/31 Report--

This article mainly introduces "web development file upload function needs to pay attention to what", in daily operation, I believe many people in web development file upload function need to pay attention to what problems there are doubts, Xiaobian consulted all kinds of information, sorted out simple and easy to use operation methods, hope to answer "web development file upload function needs to pay attention to what" doubts help! Next, please follow the small series to learn together!

1. preface

File uploads are common in day-to-day development, but potential security issues are easy to overlook. If these problems are ignored during development, it will lead to system security vulnerabilities.

2. Security advice for file upload development

Usually the files we upload are controlled by the client, which gives the wrong person an opportunity. Some dangerous executable scripts will likely be injected into the server. So fat brother summed up the following suggestions.

File type filtering

Developers should have a filtered list of file types allowed to be uploaded that is limited to those required for business functionality, do not accept file names and extensions directly without an allowed list filter, and the front end should explain the list. This is a necessary step, and most developers do it well.

File name processing

Original file name cannot be used! This is a problem that is easily overlooked. Many developers prefer to dump uploaded files directly with their original file names.

// Spring boot development does not recommend using this as a transfer name, you should generate a new name to map this name String originalFilename = MultipartFile.getOriginalFilename();

This is not safe. Although most of them/? The characters have been filtered out, but. * % $, regulars in these scripts can still be included in the filename, so you should not use the original filename, you should specify an algorithm to rename, it is recommended to use a digest algorithm to determine the filename. For example, a file name can be an MD5 hash of the file name plus the date.

If the business needs the original file name, store the new name and the mapping of the original name.

digest check

Whether uploading, modifying or downloading files, the server needs to perform digest verification (MD5, SHA256) to prevent file inconsistency with the preset. It is also recommended that the client perform digest verification if necessary.

limit size

This point has been restricted if you use Spring for development. If the restriction does not meet the business needs, you can modify it, but you cannot remove the restriction, otherwise it will lead to denial of service attacks.

access restrictions

Only authenticated and authorized users can use the file upload feature if not required by the business. Otherwise your system becomes someone else's free graph bed.

behavior audit

We can only passively defend against security, so audit logs are recommended for file upload operations, and audit logs should not be affected by the file system, so that problems can be quickly located when security incidents occur. At this point, on the "web development file upload function needs to pay attention to what" the study is over, I hope to solve everyone's doubts. Theory and practice can better match to help everyone learn, go and try it! If you want to continue learning more relevant knowledge, please continue to pay attention to the website, Xiaobian will continue to strive to bring more practical articles for everyone!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.