I want my site to have a feature for users to upload images, but I want to do it safely. Namely, I want to strip the EXIF data and any malicious code that could be in their image. I was thinking of a way to do this involving direct manipulation of the file, but it struck me, would it make more sense to just convert the image they provide to BMP and then convert that back to the original format? It would suffer a generational loss, but I believe that would meet my project's requirements. BMP doesn't contain EXIF, does it? And the reprocessing should strip any malicious content.
It wouldn't even have to be BMP: You could use PHP's GD functions, open the image using imagecreatefrom[xyz]
, copy it unresized, and write it back out in the original format.
That should be pretty watertight, save for the remote (and negligeable) possibility of course that a vulnerability is one day discovered in GD itself.
Limitations and caveats I can think of:
Images with transparency may be an issue, especially transparent GIFs would probably require special treatment (allocating the transparent colour in the new image etc., not sure)
Animated GIFs would be destroyed this way, GD can't deal with them
This method would be limited by PHP's memory limit (you'll need at least {image width} x { image height } x 3 bytes for the resize operation)
More exotic sub-formats like progressive JPG, CMYK JPG may cause trouble, but that's okay IMO - the latter woulnd't show in IE anyway