There is a website (in php) on which I want to upload / display photos and videos. What security measures should I adhere to and what should I do for this (I am specifically interested in security, that is, protection against hacker attacks)
- Look here for example: habr.com/post/44610 - AIex
3 answers
The question is extensive. There may be several attack vectors, and each of them could be discussed at length.
But perhaps the main thing you should pay attention to is that, instead of a picture, something else is not uploaded to the server: a PHP script, an HTML page, or other content that, once published on the server, can potentially cause a problem. I think a PHP script needs no comment; but an HTML page may contain, for example, JS code to steal a cookie.
I will touch on a slightly broader topic - it's better to make it a rule to check all entered fields in order to avoid unwanted injections and infiltrations on the site. Here is a set of regular expressions that will help you with these checks:
Set of letters and digits (Latin): ^[a-zA-Z0-9]+$
Set of letters and digits (Latin + Cyrillic): ^[а-яА-ЯёЁa-zA-Z0-9]+$
Domain (e.g. abcd.com): ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
IPv4: ((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)
IPv6: ((^|:)([0-9a-fA-F]{0,4})){1,8}$
User name (limited to 2-20 characters, which may be letters and digits; the first character must be a letter): ^[a-zA-Z][a-zA-Z0-9-_\.]{1,20}$
Password (lowercase and uppercase Latin letters, digits): ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$
Password (lowercase and uppercase Latin letters, digits, special characters; at least 8 characters): (?=^.{8,}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$
Date in YYYY-MM-DD format: [0-9]{4}-(0[1-9]|1[012])-(0[1-9]|1[0-9]|2[0-9]|3[01])
UPD. A stricter check, suggested by runcore: (19|20)\d\d-((0[1-9]|1[012])-(0[1-9]|[12]\d)|(0[13-9]|1[012])-30|(0[13578]|1[02])-31)
Date in DD/MM/YYYY format: (0[1-9]|[12][0-9]|3[01])[- /.](0[1-9]|1[012])[- /.](19|20)\d\d
Integers and floating-point numbers (dot as separator): \-?\d+(\.\d{0,})?
UUID: ^[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}$
Latitude or longitude: -?\d{1,3}\.\d+
UPD. E-mail (from kvf77): ^[-\w.]+@([A-z0-9][-A-z0-9]+\.)+[A-z]{2,4}$
- It is better to organize the site's architecture so that such checks are basically not needed, especially in frankly inappropriate places such as a password, email, domain, and free-text fields like this comment - andreymal
- What kind of information security are you writing about if there are gross errors in the regexp code?) For example, "^[-\w.]+@([A-z0-9][-A-z0-9]+\.)+[A-z]{2,4}$" - the dot in the first brackets is not escaped (that is, you can put anything at all into this field). - Dmitry Maslennikov
Be sure to check the file contents by MIME type. In PHP there is the built-in function mime_content_type, or third-party developments. This is certainly not the only thing that will help avoid the actions of persons with reduced social responsibility :)
- Well, the avatarka.png.php.png file with RCE inside will be loaded with the image/png type, and what's the use?) In general, the file name doesn't necessarily indicate the contents of the file, and mime_content_type may well lie and - andmal
- From this point of view, everything can lie; relying on the file name and the extension is definitely not worth it, but the contents need to be analyzed. This is the first step. The second step, for example, if we are talking about an image, is to try to resize it, with ImageMagick for example; if it gives an error, then the file goes in the furnace and the sender is banned :) There are many test options, everyone chooses the optimal one for himself. - NewView
- I completely agree, but your answer is still not about the content, but about the name) At least the second link is - andreymal
- But ImageMagick is a good thing, it would have been worth mentioning in the answer) - andreymal
- 'Be sure to check the file contents by MIME type' - or is it displayed differently for you? - NewView
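Putting the thread's advice together (never trust the file name from the first answer, sniff the content from the second answer, and re-encode the image as the ImageMagick comment suggests), here is an added PHP example that is not code from any of the posters. It assumes the fileinfo and GD extensions are available, that the upload directory lies outside the web root, and the function name storeUploadedImage is my own.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with the fileinfo and
// GD extensions, and that $uploadDir lies outside the web root.
function storeUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) {          // bound work before decoding
        throw new RuntimeException('file too large');
    }

    // 1. Sniff the MIME type from the bytes; $file['type'] and the client-supplied
    //    name (e.g. avatarka.png.php.png) are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }

    // 2. Magic bytes can be faked, so require the image decoder to accept the
    //    file and keep the dimensions sane (decompression bombs).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 8000 || $info[1] > 8000) {
        throw new RuntimeException('not a decodable image');
    }

    // 3. Re-encode: only decoded pixels are written out, so a script or HTML
    //    appended to an otherwise valid image does not survive into storage.
    $img = $mime === 'image/png'
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }

    // 4. Server-chosen random name with an extension fixed by the sniffed type,
    //    so nothing in the upload directory can ever end in .php or .html.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $name;   // record this name; serve files through a non-executing handler
}
```

Call it from the form handler as storeUploadedImage($_FILES['photo'], __DIR__ . '/../uploads') and keep the returned name in the database; the original upload is never copied, only the re-encoded pixels.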