默认的上传没有 mime头验证,会有被人上传脚本的风险;
/** * 上传文件 \app\admin\controller\Ajax.php */ public function upload() { $data = [ ‘upload_type‘ => $this->request->post(‘upload_type‘), ‘file‘ => $this->request->file(‘file‘), ]; $uploadConfig = sysconfig(‘upload‘); empty($data[‘upload_type‘]) && $data[‘upload_type‘] = $uploadConfig[‘upload_type‘]; $rule = [ ‘upload_type|指定上传类型有误‘ => "in:{$uploadConfig[‘upload_allow_type‘]}", // ‘file|文件‘ => "require|file|fileExt:{$uploadConfig[‘upload_allow_ext‘]}|fileSize:{$uploadConfig[‘upload_allow_size‘]}", ‘file|文件‘ => "require|file|fileExt:{$uploadConfig[‘upload_allow_ext‘]}|fileMime:{$uploadConfig[‘upload_allow_mime‘]}|fileSize:{$uploadConfig[‘upload_allow_size‘]}", ]; $this->validate($data, $rule); try { $upload = Uploadfile::instance() ->setUploadType($data[‘upload_type‘]) ->setUploadConfig($uploadConfig) ->setFile($data[‘file‘]) ->save(); } catch (\Exception $e) { $this->error($e->getMessage()); } if ($upload[‘save‘] == true) { $this->success($upload[‘msg‘], [‘url‘ => $upload[‘url‘]]); } else { $this->error($upload[‘msg‘]); } }
旧的上传只是验证文件后缀,容易被hacker 利用上传test.php.jpg 增加mime 头判断增强上传 文件的格式验证;
注意:增加后需要在配置文件中,配置相关的 mime文件头;
文章来源:刘俊涛的博客欢迎关注公众号、留言、评论,一起学习。
__________________________________________________________________________________
若有帮助到您,欢迎点击推荐,您的支持是对我坚持最好的肯定(*^_^*)