[转载]Secure file upload in PHP web applications

文章作者：Alla Bezroutchko
信息来源：邪恶八进制信息安全团队（www.eviloctal.com）

Various web applications allow users to upload files. Web forums let users upload avatars.
Photo galleries let users upload pictures. Social networking web sites may allow uploading
pictures, videos, etc. Blog sites allow uploading avatars and/or pictures.
Providing file upload function without opening security holes proved to be quite a challenge
in PHP web applications. The applications we have tested suffered from a variety of
security problems, ranging from arbitrary file disclosure to remote arbitrary code execution.
In this article I am going to point out various security holes occurring in file upload
implementations and suggest a way to implement a secure file upload.
The examples shown in this article can be downloaded from
http://www.scanit.be/uploads/php-file-upload-examples.zip. If you want to test the
examples please make sure that the server you are using is not accessible from the
Internet or any other untrusted networks. The examples are provided to demonstrate
various security holes. Installing them on a server where those holes can be exploited is
not a good idea.