程序體(10) '判斷文件類型是否合格
Private Function CheckFileExt (fileEXT)
dim Forumupload
Forumupload="gif,jpg,bmp,jpeg"
Forumupload=split(Forumupload,",")
for i=0 to ubound(Forumupload)
if lcase(fileEXT)=lcase(trim(Forumupload(i))) then
CheckFileExt=true
exit Function
else
CheckFileExt=false
end if
next
End Function
‘驗證文件內(nèi)容的合法性
set MyFile = server.CreateObject ("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile (sFile, 1) ' 讀取文本文件
sTextAll = lcase(MyText.ReadAll): MyText.close
'判斷用戶文件中的危險操作
sStr ="8.getfolder.createfolder.deletefolder.createdirectory
.deletedirectory"
sStr = sStr & ".saveaswscript.shellscript.encode"
sNoString = split(sStr,"")
for i = 1 to sNoString(0)
if instr(sTextAll, sNoString(i)) <> 0 then
sFile = Upl.Path & sFileSave: fs.DeleteFile sFile
Response.write "
"& sFileSave &"文件中含有與操作目錄等有關(guān)的命令"&_
"
"& mid(sNoString(i),2) &",為了安全原因,不能上傳。"&_"
"
Response.end
end if
next
把他們加到你的上傳程序里做一次驗證,那么你的上傳程序安全性將會大大提高.
什么?你還不放心?拿出殺手锏,請你的虛擬主機服務(wù)商來幫忙吧。登陸到服務(wù)器,將PROG ID 中的"shell.application"項和"shell.application.1"項改名或刪除。再將”WSCRIPT.SHELL”項和”WSCRIPT.SHELL.1”這兩項都要改名或刪除。呵呵,我可以大膽的說,國內(nèi)可能近半以上的虛擬主機都沒改過。只能慶幸你們的用戶很合作,否則……我刪,我刪,我刪刪刪……