Updated: 2023-12-05 19:56:22
It's really rather simple. Run all uploaded images through an image filter that is known to be safe. If it kicks back with a "Not an image" error, you have shenanigans. (A simple example would be an identity transform, or a JPEG quality normalization technique.) An important point, though, is to actually use the output from the filter, not the original file.
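The answer above describes the pattern in prose; the following is an added example (not code from the answer's author) that implements it for the binary PPM format with nothing but the Python standard library, so it can stand in for the identity transform a real image library would perform. The decoder parses only what a well-formed image can contain, refuses anything else with a `NotAnImageError`, and the output handed back to the caller is re-encoded purely from the decoded pixels, so any bytes appended after the raster never survive the round trip. The `MAX_PIXELS` cap, the function names and the sample images are assumptions made for this example.

```python
"""Added example: a strict decode/re-encode ("identity transform") filter for binary PPM (P6).

The principle is the one from the answer: never store or serve the uploaded bytes,
only the bytes produced by re-encoding the decoded image.
"""

# Assumption for this example: refuse to allocate a raster above this many pixels
# before touching any pixel data (a decompression-bomb style size limit).
MAX_PIXELS = 4_000_000


class NotAnImageError(ValueError):
    """Raised when the bytes do not decode as a well-formed image."""


def _read_token(data: bytes, pos: int):
    """Skip whitespace and '#' comments, then return the next header token and new offset."""
    n = len(data)
    while pos < n:
        c = data[pos:pos + 1]
        if c.isspace():
            pos += 1
        elif c == b"#":
            while pos < n and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
        else:
            break
    start = pos
    while pos < n and not data[pos:pos + 1].isspace() and data[pos:pos + 1] != b"#":
        pos += 1
    if start == pos:
        raise NotAnImageError("unexpected end of header")
    return data[start:pos], pos


def parse_ppm(data: bytes):
    """Strictly decode a P6 image into (width, height, maxval, raster) or raise NotAnImageError."""
    if len(data) < 3 or not data.startswith(b"P6") or not (data[2:3].isspace() or data[2:3] == b"#"):
        raise NotAnImageError("missing P6 magic")
    pos = 2
    fields = []
    for _ in range(3):
        tok, pos = _read_token(data, pos)
        if not tok.isdigit():
            raise NotAnImageError(f"non-numeric header field {tok!r}")
        fields.append(int(tok))
    width, height, maxval = fields
    if width == 0 or height == 0 or not 0 < maxval < 256:
        raise NotAnImageError("bad dimensions or maxval")
    if width * height > MAX_PIXELS:
        raise NotAnImageError("image exceeds pixel limit")
    # Exactly one whitespace byte separates the header from the raster.
    if pos >= len(data) or not data[pos:pos + 1].isspace():
        raise NotAnImageError("header not terminated")
    pos += 1
    raster_len = width * height * 3
    raster = data[pos:pos + raster_len]
    if len(raster) != raster_len:
        raise NotAnImageError("truncated raster")
    # Anything after the raster is deliberately ignored: it is not part of the image.
    return width, height, maxval, raster


def encode_ppm(width: int, height: int, maxval: int, raster: bytes) -> bytes:
    """Emit a canonical P6 file from decoded pixel data only."""
    header = f"P6\n{width} {height}\n{maxval}\n".encode("ascii")
    return header + bytes(raster)


def normalize_upload(data: bytes) -> bytes:
    """Identity transform: decode, then re-encode. The result is what gets stored/served."""
    width, height, maxval, raster = parse_ppm(data)
    return encode_ppm(width, height, maxval, raster)


def try_normalize(data: bytes):
    """Convenience wrapper: normalized bytes on success, None when the upload is not an image."""
    try:
        return normalize_upload(data)
    except NotAnImageError:
        return None


# Constructed sample inputs for demonstration (not real uploads).
SAMPLE = encode_ppm(2, 2, 255, bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255]))
SAMPLE_WITH_COMMENT = b"P6\n# header comment\n2 2\n255\n" + SAMPLE[-12:]
SAMPLE_WITH_TRAILER = SAMPLE + b"\nTRAILING-BYTES-THAT-ARE-NOT-PIXELS"

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE), ("comment", SAMPLE_WITH_COMMENT),
                        ("trailer", SAMPLE_WITH_TRAILER), ("garbage", b"definitely not an image"),
                        ("truncated", SAMPLE[:-3]), ("huge", b"P6\n100000 100000\n255\n")]:
        out = try_normalize(blob)
        print(f"{label:10} -> {'rejected' if out is None else f'{len(out)} bytes kept'}")
```

Note that both the commented header and the file with appended bytes normalize to exactly the same canonical output as the clean sample: that is the point of using the filter's output rather than the original. In production you would use a maintained decoder (and still keep a size limit in front of it), but the shape stays the same: decode, re-encode, persist only the re-encoded bytes.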