This is the third day of my participation in the First Challenge 2022; for more details, see: First Challenge 2022.
Contents
- Project background
- The problem
- To solve
Project background
A cloud object storage service is developed to store all file resources in a project.
The problem
While doing security testing, I ran into a problem: I couldn't block uploads of image files that simulated a Trojan. A file that appears to have a picture suffix is actually a Trojan script. For example, take the image file muma.jpeg; if we open this file with UltraEdit, it looks as shown below:
However, a normal JPEG image file would look like this:
To solve
So how do we solve this problem? There is no doubt that what we need to do is distinguish real pictures from Trojan horses.
After a lot of investigation, I finally found a solution: use the image package from the Go standard library.
However, there is a catch: the image library does not support verification of every image type; currently only the three formats JPEG, GIF and PNG are supported. We wrap a method that verifies the authenticity of files in these three image formats.
The reference code is as follows:
```go
import (
	"fmt"
	"image/gif"
	"image/jpeg"
	"image/png"
	"os"
	"strings"
)

// CheckImageFile opens the file at path and tries to decode it with the standard
// library decoder for the declared suffix (JPG/JPEG, PNG or GIF). A file that only
// carries an image extension but actually holds script text fails to decode.
func CheckImageFile(path, style string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", fmt.Errorf("failed to open file: %w", err)
	}
	defer f.Close()

	switch strings.ToUpper(style) {
	case "JPG", "JPEG":
		_, err = jpeg.Decode(f)
	case "PNG":
		_, err = png.Decode(f)
	case "GIF":
		_, err = gif.Decode(f)
	default:
		return "", fmt.Errorf("unsupported image type %q", style)
	}
	if err != nil {
		return "", fmt.Errorf("failed to verify file type: %w", err)
	}
	return "", nil
}
```
When you call the above method, you simply pass in the image path and the suffix type to verify the authenticity of the file. Very convenient; I have verified it myself.
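The same idea can be taken one step further by letting Go tell us the format from the file's magic bytes and then checking that it agrees with the extension the client declared, so a PNG renamed to .jpg is caught as well as a script renamed to .jpeg. The following is an added example, not code from the original post; the upload size limit, the extension table and the sample inputs are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	_ "image/gif" // blank imports register the decoders that image.Decode relies on
	_ "image/jpeg"
	"image/png"
	"io"
	"strings"
)

// maxUploadBytes bounds how much of an upload the checker reads (constructed limit).
const maxUploadBytes = 10 << 20
// extToFormat maps the extensions the service accepts to the names image.Decode reports.
var extToFormat = map[string]string{"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

// VerifyImage decodes the upload with the standard image package and returns the detected
// format; it rejects anything that is not well-formed JPEG, PNG or GIF or that disagrees
// with the declared extension.
func VerifyImage(r io.Reader, declaredExt string) (string, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxUploadBytes))
	if err != nil {
		return "", fmt.Errorf("read upload: %w", err)
	}
	// The format name comes from the file's magic bytes, not from the client's file name.
	_, format, err := image.Decode(bytes.NewReader(data))
	if err != nil {
		return "", fmt.Errorf("not a valid image: %w", err)
	}
	want := extToFormat[strings.ToLower(strings.TrimPrefix(declaredExt, "."))]
	if want == "" || want != format {
		return "", fmt.Errorf("declared %q but content is %s", declaredExt, format)
	}
	return format, nil
}

// RealPNG builds a tiny valid PNG in memory (constructed sample input).
func RealPNG() []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 2, 2)))
	return buf.Bytes()
}

func main() {
	fmt.Println(VerifyImage(bytes.NewReader(RealPNG()), "png"))
	// Constructed stand-in for muma.jpeg: script text saved under an image extension.
	fmt.Println(VerifyImage(strings.NewReader("<?php echo 'not an image'; ?>"), "jpeg"))
}
```

A successful decode only shows that the bytes form a well-formed image; the service should still store the object under a name it generates itself and serve it with the Content-Type of the detected format rather than the client's.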
At the end
Good, that concludes the introduction to the method for restricting uploads of Trojan-horse image files. Thanks for the "one-click triple support"!
About the author: 😄 Hello everyone, my name is Data-Mining (Liuzhen007). I am a typical audio and video technology enthusiast. I have worked for a traditional broadcasting giant and for audio and video Internet companies, and I have rich experience in live and on-demand audio and video streaming. I have a very deep understanding of WebRTC, FFmpeg and Electron. 😄 Public account: Play with audio and video. I am also a CSDN blog expert, Huawei Cloud sharing expert (co-creation editor) and InfoQ contract author; welcome to follow me for more useful content! 😄