Detection mechanism
Whitelist detection, as the name suggests, only allows uploads whose file extension (or other checked attribute) appears on a predefined whitelist; anything not on the list is rejected.
Bypassing the detection
Content-Type
Content-Type checking is one form of whitelist detection: the server reads the Content-Type of the file part in the upload request and compares it against a whitelist of MIME types; if the value is not on the list, the upload is refused. The weakness is that this value is supplied entirely by the client. In PHP, $_FILES['upload_file']['type'] is copied verbatim from the Content-Type header of the multipart part and is never verified against the file's actual contents, so an attacker only needs to rewrite that header (for example with an intercepting proxy) to image/jpeg, image/png or image/gif while keeping a .php filename and PHP payload.
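The following is an added example, not code from the original page or from upload-labs. It constructs two multipart upload bodies (a real PNG and a .php file whose Content-Type header has been rewritten to image/jpeg), parses them the way PHP populates $_FILES, and runs both the Pass-02 style check (declared type only) and a hardened check (extension whitelist plus magic-byte sniffing). All file names, the boundary string and the sample bytes are constructed for the demonstration; the function names are assumptions.

```python
"""Added example: why a Content-Type whitelist is bypassable.

The Pass-02 check trusts $_FILES['upload_file']['type'], which PHP copies
verbatim from the Content-Type header of the multipart part. The client
writes that header, so it proves nothing about the file's real contents.
"""
import os
import re

ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}  # the Pass-02 whitelist
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}            # hardened: extension whitelist
MAGIC = {                                                  # hardened: leading bytes of real images
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
BOUNDARY = "----constructedboundary1234"


def build_multipart(filename, declared_type, data, boundary=BOUNDARY):
    """Build the body a browser (or a proxy-edited request) sends for
    <input type="file" name="upload_file">. declared_type is whatever the
    client decides to put in the part's Content-Type header."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="upload_file"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_upload(body, boundary=BOUNDARY):
    """Minimal multipart parser returning the fields PHP exposes as
    $_FILES['upload_file']: name, type (client-declared) and the raw data."""
    delim = f"--{boundary}".encode()
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        head, _, payload = part.partition(b"\r\n\r\n")
        payload = payload[:-2]              # strip CRLF that precedes the next boundary
        name = re.search(rb'filename="([^"]*)"', head).group(1).decode()
        ctype = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
        return {"name": name, "type": ctype, "data": payload}
    return None


def pass02_check(upload):
    """Mirror of the vulnerable logic: only the declared MIME type is inspected."""
    return upload["type"] in ALLOWED_TYPES


def hardened_check(upload):
    """Extension whitelist AND content sniffing; the declared type is ignored."""
    ext = os.path.splitext(upload["name"])[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return any(upload["data"].startswith(magic) for magic in MAGIC)


# Constructed inputs: a genuine (truncated) PNG and a PHP file with a spoofed type.
REAL_PNG = build_multipart("cat.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SPOOFED_PHP = build_multipart("shell.php", "image/jpeg", b"<?php echo 'uploaded'; ?>")

if __name__ == "__main__":
    for body in (REAL_PNG, SPOOFED_PHP):
        u = parse_upload(body)
        print(f"{u['name']:10} declared={u['type']:11} "
              f"pass02={pass02_check(u)} hardened={hardened_check(u)}")
```

Running it shows shell.php passing the Pass-02 check because its declared type is image/jpeg, while the hardened check rejects it on the extension before ever looking at the data. Note that the hardened check still only answers "is this plausibly an image"; the extension whitelist is what keeps the web server from executing the upload as PHP, so it must not be dropped in favour of sniffing alone.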
Whitelist detection code
The following code is taken from Pass-02 of upload-labs:
<?php
include '../config.php';
include '../head.php';
include '../menu.php';

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Only the client-declared MIME type is checked; the filename and file contents are not.
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // The original filename (and therefore its extension) is used unchanged.
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];