The default upload performs no MIME-type validation, so there is a risk that someone uploads a script;
```php
/**
 * Upload a file
 * \app\admin\controller\Ajax.php
 */
public function upload()
{
    $data = [
        'upload_type' => $this->request->post('upload_type'),
        'file'        => $this->request->file('file'),
    ];
    $uploadConfig = sysconfig('upload');
    // Fall back to the configured default upload type when none was posted
    empty($data['upload_type']) && $data['upload_type'] = $uploadConfig['upload_type'];
    $rule = [
        'upload_type|指定上傳類型有誤' => "in:{$uploadConfig['upload_allow_type']}",
        // Old rule: extension and size only
        // 'file|文件' => "require|file|fileExt:{$uploadConfig['upload_allow_ext']}|fileSize:{$uploadConfig['upload_allow_size']}",
        // New rule: additionally check the MIME type against the configured whitelist
        'file|文件' => "require|file|fileExt:{$uploadConfig['upload_allow_ext']}|fileMime:{$uploadConfig['upload_allow_mime']}|fileSize:{$uploadConfig['upload_allow_size']}",
    ];
    $this->validate($data, $rule);
    try {
        $upload = Uploadfile::instance()
            ->setUploadType($data['upload_type'])
            ->setUploadConfig($uploadConfig)
            ->setFile($data['file'])
            ->save();
    } catch (\Exception $e) {
        $this->error($e->getMessage());
    }
    if ($upload['save'] == true) {
        $this->success($upload['msg'], ['url' => $upload['url']]);
    } else {
        $this->error($upload['msg']);
    }
}
```
The old upload only validated the file extension, which a hacker can easily exploit by uploading test.php.jpg; adding a MIME-type check strengthens the validation of the uploaded file's format;
Note: after adding this rule, the corresponding MIME types must be configured in the configuration file;
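For readers who want to see what the extension-plus-MIME check looks like as standalone PHP, here is an added example (not code from the blog post or from the project whose `upload()` method is shown above). It detects the MIME type from the file's bytes with `finfo` rather than trusting the client-supplied Content-Type, requires the detected type to match the extension, and regenerates the stored name so a double extension such as `test.php.jpg` never reaches disk; the whitelist and the `checkUpload` function name are assumptions for illustration.

```php
<?php
// Added example: a standalone upload checker. Adjust the whitelist to the
// upload_allow_ext / upload_allow_mime values of your own configuration.

const ALLOWED = [           // extension => MIME types acceptable when sniffed from content
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate an uploaded file and return a safe name to store it under.
 * Throws RuntimeException on any failed check.
 */
function checkUpload(string $originalName, string $tmpPath, int $maxBytes = 2097152): string
{
    // Only the last extension counts, and it must be whitelisted
    // ("test.php.jpg" yields "jpg"; "test.php" yields "php" and is rejected).
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: {$ext}");
    }
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        throw new RuntimeException('missing file or size over limit');
    }
    // Sniff the MIME type from the file content, never from $_FILES['file']['type'],
    // which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type {$mime} does not match .{$ext}");
    }
    // Discard the original name entirely: random name + whitelisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (constructed): with $f = $_FILES['file'],
// $name = checkUpload($f['name'], $f['tmp_name']);
// move_uploaded_file($f['tmp_name'], "/var/www/uploads/{$name}");
```

A file whose bytes are a valid image can still carry script text in its metadata, so the upload directory should also be served without script execution; the checker above only guarantees that the stored name and the detected content type agree.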
Source: Liu Juntao's blog. You are welcome to follow the official account, leave a message or comment, and learn together.