
What are the difficulties/issues to consider when allowing ZIP file uploads?

Developer https://www.devze.com 2023-02-21 22:06 Source: web

I allow PDF files to be uploaded to my site (PHP).

I would like to offer the ability to also allow .zip files which contain PDF files in directories so it is easier for users to simply zip a directory and upload one file instead of uploading multiple zip files individually.

For those of you who offer a .zip file upload feature to your (PHP) website, what are the technical, security, and other issues you have faced?


Be careful how you unpack the zip; you could find yourself consuming far more resources than you expected. Perhaps some setrlimit(2) resource limits before unpacking would be wise.

The unzip(1) utility has several nice safety features built in; the -^ command line option turns off control-character filtering, so make sure you don't touch this :) and the -: command line option allows stupid pathnames like ../../../../etc/passwd. Make sure you're on at least version 5.50, so that those stupid pathnames are forbidden by default. (And don't use that command line option. I mention the options just so you can more easily find the documentation for them. :)

If you use an API, make sure it has options to prevent both kinds of silly filenames.


Assuming the .zip gets unpacked eventually, you would have to make sure the directory they get unpacked in is unreachable by the clients' browsers (with .htaccess or by placing it outside the web root directory), and even in that case I'd still monitor the contents of the unpacked .zip to make sure they didn't contain anything that might prove harmful (php or other files run by the server, html spoofs).

Another issue, I guess, is the upload_max_filesize set in php.ini; you can make sure it can be set big enough to suit your purposes before you start coding.

edit: also read sarnold's answer ;)
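The two answers above both come down to checking the archive before writing anything to disk. Below is an added example (not code from the question or from either answer) of such a pre-extraction check in PHP using ZipArchive: it rejects traversal and absolute entry names, caps the entry count and declared uncompressed size, and confirms each entry really starts with the PDF magic bytes rather than trusting the extension. The limits and function name are assumptions.

```php
<?php
// Added example, not from the original question or answers. Validates an
// uploaded .zip that should only contain PDFs, without extracting it.
// Returns a list of problems; an empty list means the archive looks safe.
function validate_pdf_zip(string $zipPath, int $maxEntries = 200,
                          int $maxTotalBytes = 200 * 1024 * 1024): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    if ($zip->numFiles > $maxEntries) {
        $problems[] = "too many entries ({$zip->numFiles})";
    }
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        $name = $st['name'];
        // Reject empty names, absolute paths, drive letters and any ".."
        // segment (the ../../../etc/passwd case), with either slash style.
        $parts = preg_split('#[\\\\/]+#', $name);
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)
            || in_array('..', $parts, true)) {
            $problems[] = "unsafe path: $name";
            continue;
        }
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to extract
        }
        if (!preg_match('/\.pdf$/i', $name)) {
            $problems[] = "not a .pdf name: $name";
        }
        // Header sizes can be forged, so this cap is a first filter only;
        // also cap the bytes actually written when you extract.
        $total += $st['size'];
        // Read just the first bytes through the decompression stream so a
        // renamed .php or .html file is caught without touching the disk.
        $fh = $zip->getStream($name);
        if ($fh === false || fread($fh, 5) !== '%PDF-') {
            $problems[] = "content is not a PDF: $name";
        }
        if ($fh !== false) {
            fclose($fh);
        }
    }
    if ($total > $maxTotalBytes) {
        $problems[] = "declared uncompressed size $total exceeds limit";
    }
    $zip->close();
    return $problems;
}
```

Only call extractTo() when the returned list is empty, and extract into a directory outside the web root as suggested above, since a clean pre-check does not make the served directory safe on its own.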


AFAIK, php can handle zip files pretty efficiently. The difficulties/issues that I can think of are that, while accessing the file, we need to extract the zip first and then retrieve the actual needed file. For that reason, extracting a zip might consume an additional amount of server time, depending on the size of the file itself.

Whereas, during uploads, I do not suppose there are any difficulties or issues specifically related to zip types.

