This is the third day of my participation in the First Challenge 2022; for details see: First Challenge 2022.

Contents

  • Project background
  • The problem
  • To solve

Project background

We developed a cloud object storage service to hold all the file resources of a project.

The problem

While doing security testing, I ran into a problem: I could not block the upload of simulated Trojan files disguised as images. A file that looks like an image by its suffix is actually a Trojan script. Take the image file muma.jpeg as an example; opening it in UltraEdit looks like this:

By contrast, a normal JPEG image file looks like this:

To solve

So how do we solve this problem? Clearly, what we need is a way to tell real pictures from Trojan horses.

After a lot of digging, I finally found a solution: the image package from the Go standard library.

There is one limitation, though: the image library cannot verify every image type; at present it supports only the three formats JPEG, GIF and PNG. So we wrap a method that checks the authenticity of files in those three formats.

The reference code is as follows:

package main

import (
	"fmt"
	"image/gif"
	"image/jpeg"
	"image/png"
	"os"
	"strings"
)

// CheckImageFile opens the file at path and tries to decode it with the
// decoder chosen by the claimed suffix (style). A file that only carries an
// image suffix but is really a script fails to decode and is rejected.
func CheckImageFile(path, style string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("failed to open file: %w", err)
	}
	defer f.Close()
	switch strings.ToUpper(style) {
	case "JPG", "JPEG":
		_, err = jpeg.Decode(f)
	case "PNG":
		_, err = png.Decode(f)
	case "GIF":
		_, err = gif.Decode(f)
	default:
		return fmt.Errorf("unsupported image type %q", style)
	}
	if err != nil {
		return fmt.Errorf("failed to verify file type: %w", err)
	}
	return nil
}

To call the method above, simply pass in the image path and the suffix type, and it verifies whether the file is a genuine image. Very convenient; I have verified it myself.
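As an added example (not the original post's code), here is a version of the same check that does not trust the suffix at all: it lets Go's image package sniff the format from the file's magic bytes, compares that against the suffix the uploader claims, and re-encodes the picture to drop any data appended after the image, which a successful decode alone never looks at. The function names, the allowed map and the constructed sample inputs are my own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	_ "image/gif" // blank imports register the decoders so image.Decode* can sniff them
	_ "image/jpeg"
	"image/png"
	"io"
	"strings"
)

// Claimed (lower-cased) suffix -> format name that Go's decoders report.
var allowed = map[string]string{"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

// VerifyImage checks that the bytes really parse as an image and that the format
// sniffed from the magic bytes matches the suffix the uploader claims.
func VerifyImage(r io.Reader, claimedExt string) (string, error) {
	want, ok := allowed[strings.ToLower(strings.TrimPrefix(claimedExt, "."))]
	if !ok {
		return "", fmt.Errorf("suffix %q is not an allowed image type", claimedExt)
	}
	_, format, err := image.DecodeConfig(r) // header only: cheap even for large uploads
	if err != nil {
		return "", fmt.Errorf("not a valid image: %w", err)
	}
	if format != want {
		return format, fmt.Errorf("content is %s but suffix claims %s", format, want)
	}
	return format, nil
}

// Reencode decodes fully and writes a fresh PNG, dropping any bytes appended after the image data.
func Reencode(r io.Reader) ([]byte, error) {
	img, _, err := image.Decode(r)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	err = png.Encode(&out, img)
	return out.Bytes(), err
}

// SamplePNG builds a constructed 2x2 PNG in memory so the example runs offline.
func SamplePNG() []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 2, 2)))
	return buf.Bytes()
}
```

VerifyImage is what you run on every upload; Reencode is the extra step to take when a valid image must not be allowed to carry a trailing payload into storage.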

In closing

That wraps up the introduction to the method for restricting uploads of Trojan horse image files. Thanks for your likes, favourites and follows!


About the author: 😄 Hello everyone, my name is Data-Mining (Liuzhen007). I am a typical audio and video technology enthusiast. I have worked for traditional broadcasting giants and for audio and video Internet companies, and I have rich experience in live and on-demand audio and video. I have a very deep understanding of WebRTC, FFmpeg and Electron. 😄 Public account: Play with audio and video. I am also a CSDN blog expert, Huawei Cloud sharing expert (co-creation editor) and InfoQ contract author; follow me for more practical content! 😄