This is the second day of my participation in the November Gwen Challenge. Check out the details: the last Gwen Challenge 2021

1. Determine the file type by the suffix of the file name

```js
var filePath = "file://images/abc.png";
var dotIdx = filePath.lastIndexOf(".");   // position of the last "." in the path
var suffix = filePath.substr(dotIdx + 1);  // everything after that dot: "png"

function isImage(suffix) {
  // compare case-insensitively so "PNG" and "png" are treated the same
  return ['png', 'jpg', 'jpeg', 'gif'].indexOf(suffix.toLowerCase()) !== -1;
}
```
  1. Get the file path.
  2. Find the position of the last dot "." in the file path.
  3. Cut the file suffix out of the path, starting after that dot.
  4. Check whether the suffix is an image type (or whatever file type you require), ignoring case.

The suffix is trivially forged (just rename the file), so this is only a convenient first filter on the front end, not a security check.

2. Determine the content-type of the file

The Content-Type value is derived from the file extension: the browser fills in the file's type (and the Content-Type header of the multipart part) by looking up the extension, so if you rename the file, the Content-Type changes with it.

And the Content-Type can be forged just as easily: it is only a header the client sends, so a tool such as Postman lets you set any Content-Type you like on the upload.

3. Confirm file format through binary information

  1. Install a hexdump extension in VS Code, then right-click the image and choose Show Hexdump to view the raw bytes of the file.
  2. Each image format has its own fixed byte signature; this is independent of the .png/.jpg/.gif suffix, which can be forged.

PNG format: the first eight bytes are 89 50 4E 47 0D 0A 1A 0A (in hex)

JPG format: the first two bytes are FF D8 and the last two bytes are FF D9

PS: many file types have a fixed signature ("magic number") like this that can be checked; the two above are only examples. Search Baidu for "file signatures" to find the others.

Checking these bytes is more reliable than the previous two methods: renaming a file changes the suffix (and therefore the Content-Type) but does not change the bytes. This check is normally implemented on the back end. But it **can still be forged**: an attacker only needs to prepend a valid signature to whatever payload they want to upload, and the file passes the signature check while still carrying the payload. Weak upload checks like this are a routine foothold in penetration tests, and less experienced developers usually know only up to this step.
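To make the three checks concrete, here is an added example (not code from the original post) that runs the suffix check, the Content-Type check and the magic-byte check from sections 1 to 3 over a few constructed byte buffers: a genuine PNG header, a genuine JPEG framing, a text payload that was merely renamed to .png, and the same payload with a PNG signature glued on the front. The file names, the `<?php` payload and the sample bytes are constructed for the demonstration, not taken from the post.

```javascript
// Added example (not code from the original post): the three checks the post
// describes, applied to constructed byte buffers so you can see which ones a
// renamed file and a forged file slip past. Runs under Node with no
// dependencies; the same functions work in a browser on a Uint8Array obtained
// with `new Uint8Array(await file.arrayBuffer())`.

const IMAGE_SUFFIXES = ["png", "jpg", "jpeg", "gif"];

// Check 1: file-name suffix. Directories are stripped first so "a.png/x" is
// not misread; returns null when there is no suffix at all.
function getSuffix(fileName) {
  const base = fileName.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : null;
}

function suffixSaysImage(fileName) {
  return IMAGE_SUFFIXES.includes(getSuffix(fileName));
}

// Check 2: declared Content-Type. This is only a string the client chose
// (File.type in the browser, the part header in a multipart upload).
function contentTypeSaysImage(contentType) {
  return /^image\/(png|jpeg|gif)$/i.test(contentType || "");
}

// Check 3: magic bytes. PNG has a fixed 8-byte signature; JPEG starts with
// FF D8 and ends with FF D9; GIF starts with "GIF87a" or "GIF89a".
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

function startsWith(bytes, prefix) {
  return bytes.length >= prefix.length && prefix.every((b, i) => bytes[i] === b);
}

function sniffImageType(bytes) {
  if (startsWith(bytes, PNG_SIG)) return "png";
  if (bytes.length >= 4 && bytes[0] === 0xff && bytes[1] === 0xd8 &&
      bytes[bytes.length - 2] === 0xff && bytes[bytes.length - 1] === 0xd9) return "jpeg";
  if (startsWith(bytes, [0x47, 0x49, 0x46, 0x38]) && bytes.length >= 6 &&
      (bytes[4] === 0x37 || bytes[4] === 0x39) && bytes[5] === 0x61) return "gif";
  return null;
}

// Suffixes that legitimately go with each sniffed type.
const SUFFIXES_FOR = { png: ["png"], jpeg: ["jpg", "jpeg"], gif: ["gif"] };

// Run all three checks on one upload and report what each one says, plus
// whether the sniffed type agrees with the suffix (catches renamed files).
function checkUpload({ fileName, contentType, bytes }) {
  const sniffed = sniffImageType(bytes);
  return {
    suffix: suffixSaysImage(fileName),
    contentType: contentTypeSaysImage(contentType),
    magic: sniffed !== null,
    consistent: sniffed !== null && SUFFIXES_FOR[sniffed].includes(getSuffix(fileName)),
  };
}

// Constructed samples (not real files). The "payload" stands in for any
// non-image content an attacker wants to get onto the server.
const payload = new TextEncoder().encode("<?php echo 'not an image'; ?>");
const SAMPLES = {
  // start of a real PNG: signature followed by the IHDR chunk length and type
  genuinePng: { fileName: "abc.png", contentType: "image/png",
    bytes: Uint8Array.from([...PNG_SIG, 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52]) },
  // minimal JPEG framing: SOI marker, an APP0 marker, then the EOI marker
  genuineJpg: { fileName: "photo.jpg", contentType: "image/jpeg",
    bytes: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0, 16, 0x4a, 0x46, 0x49, 0x46, 0, 0xff, 0xd9]) },
  // the payload simply renamed and re-labelled: checks 1 and 2 pass, 3 fails
  renamedOnly: { fileName: "shell.png", contentType: "image/png", bytes: payload },
  // the payload with a PNG signature prepended: all three checks pass
  forgedHeader: { fileName: "shell.png", contentType: "image/png",
    bytes: Uint8Array.from([...PNG_SIG, ...payload]) },
};

function runSamples() {
  const results = {};
  for (const [name, sample] of Object.entries(SAMPLES)) results[name] = checkUpload(sample);
  return results;
}

console.table(runSamples());
```

The `forgedHeader` row is the point of the post's warning: it passes the suffix check, the Content-Type check and the signature check, and even the suffix/signature consistency check, yet its body is still the attacker's text. Note also that PNG can be sniffed from the first 8 bytes, but the JPEG trailer check needs the whole file, so in the browser read the complete file rather than a `slice()` of its head. Whatever the checks say, the server should still treat the upload as opaque bytes: store it under a server-generated name and in a location the web server will not execute, and, for images, re-encode it with an image library so that only pixel data survives.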

4. Summary

1. The front end can do a first-pass filter by checking the file-name suffix (although this is of little security value).

2. The back end reads the file's Content-Type and checks whether it is the required type, as a second filter.

3. The back end reads the file's bytes and checks the header (and, for JPEG, trailer) signature.

Finally, if you know a better way to validate file types that is more secure and reliable, please leave a comment. Thank you for reading.