My server must only accept PDF files. I am using PHP to upload files. Currently, I am checking if the file starts with %PDF to ensure the uploaded file really is a PDF file. Are there other checks to ensure 100% (or at least very strongly) that it is a PDF file? Can malicious users upload executable files beginning with %PDF? I'd appreciate any help.
Answer 1:
You can use the PECL FileInfo extension to detect the MIME type. (I suspect however, that internally, it just does the same thing you're already doing.) Alternatively, you might use FPDI to see if you can successfully read the file. With PDF files though, I think embedded malware is a bigger concern than misnamed executables. Any time you're accepting uploads from users, it's probably a good idea to run the file through ClamAV or similar.
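The checks discussed above can be layered, shown here as an added example that is not part of the original question or answer. The function names and the storage directory are assumptions; passing these checks shows only that the file looks like a PDF, not that its content is harmless, so the stored file should still be scanned and never executed or served from an executable path.

```php
<?php
// Added example. validate_pdf_upload(), store_pdf_upload() and the destination
// directory are hypothetical names chosen for illustration.

function validate_pdf_upload(array $file, int $maxBytes = 10485760): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    $tmp = $file['tmp_name'];
    // Only accept paths PHP itself created for this request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    $size = filesize($tmp);
    if ($size === false || $size < 16 || $size > $maxBytes) {
        throw new RuntimeException('Unexpected file size');
    }
    // Content-based MIME detection (FileInfo); the client-supplied
    // $file['type'] and $file['name'] are ignored on purpose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp) !== 'application/pdf') {
        throw new RuntimeException('MIME type is not application/pdf');
    }
    // Header check: "%PDF-" at offset 0, stricter than a bare "%PDF".
    $head = file_get_contents($tmp, false, null, 0, 8);
    if ($head === false || strncmp($head, '%PDF-', 5) !== 0) {
        throw new RuntimeException('Missing %PDF- header');
    }
    // Trailer check: "%%EOF" marker within the last 1024 bytes.
    $tail = file_get_contents($tmp, false, null, max(0, $size - 1024));
    if ($tail === false || strpos($tail, '%%EOF') === false) {
        throw new RuntimeException('Missing %%EOF trailer');
    }
    return $tmp;
}

function store_pdf_upload(array $file, string $destDir): string
{
    $tmp = validate_pdf_upload($file);
    // Server-generated name with a fixed extension, in a directory assumed to
    // be outside the web root; the user's filename is never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640); // readable, not executable
    return $dest;
}
```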