Shulou(Shulou.com)06/03 Report--

This article will explain in detail how to store secure files in web. The editor thinks it is very practical, so I share it for you as a reference. I hope you can get something after reading this article.

This kind of loophole, mainly can read the user incoming path name, uses the incorrect filtering method, causes the malicious user, saves the file to the unexpected place, brings the security hidden danger.

In fact, we can grasp a few places, let's first analyze, since the user wants to save the file, and the file will be in a variety of formats; there may be file content and user input format is not consistent, some file content is also mixed with Trojan code. So, we let the user save the file, do a separate authorization with the site file, and do isolation.

Let the saved directory be independent, and the directory permissions cannot be executed only

This step is authorized from the system design, no matter what file you last time, it is impossible to perform it. Even if I don't do any tests, your files will be saved here, and it won't be safe for my system. (if a user stores some pictures of reactionary words, it needs to be dealt with in addition.)

Do not directly use the server to pass in values, all must be detected

This is the same as the principle that we do all input is harmful, for the client input: type, name, should be judged, not directly used. For a directory to be generated, a file name.

The best way to write a file name is to write a dead directory (do not read the incoming directory), the file name, preferably randomly generated by yourself, and not read the user file name. File extension, you can take the rightmost "." The trailing character.

The above two methods just make an overall constraint on the upper memory from two aspects.

Method 2: save the file name, write it according to the directory you specify, and generate the file name yourself.

Method 1: as long as make sure that the file is written in the right location, and then from the configuration, the permission to write to the directory is controlled, which is a permanent cure. It can be done, no matter what file you save, you don't have the permission to jump out and run it.

The above two methods, used together, can ensure that the file is saved correctly, and then the permissions can be controlled. By the way, to judge whether the user uploads the file meets the required type, check the file extension directly and let it be saved as long as the extension is met. Anyway, it doesn't hurt if you don't upload the content as required after you have made the restrictions on the executive authority. In any case, if it cannot be implemented, it will not do much harm.

Correct steps:

1. Read the file name and verify that the extension is in scope

two。 Define the generated file name, directory, and extension from the file name extension. Other values are configured by themselves and do not read the contents of the memory.

3. Move files to a new directory (this directory permission setting is read-only)

This is the end of this article on "how to achieve secure file storage in web". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it out for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.