tags:

views:

190

answers:

3
+1  Q: 

Looking for a managed image parser library (JPEG, BMP, PNG, GIF)

I am writing a discussion board software that will have "avatar" images for the users. I want to resize any picture that gets uploaded to a reasonable size. I could easily do that with System.Drawing but that is relying on GDI+ which has hat security problems before. The problem is that the images are untrusted. So I thought of using a fully managed lib to solve that problem because managed code cannot escape the sandbox (of course it can, but only if the code is user-supplied which it is not in my case). So does anybody know of a managed image parser library for JPEG, BMP, PNG and GIF? If some format is missing than I will have to live with that.

Edit: Paint.NET also relies on GDI+.

You might be interested in the discussion below, too.

+1  A: 

Well, what do you prefer? Do you want to use a library that has been put to the test by billions of hack attacks, found wanting but patched up? Or do you prefer some obscure library that hasn't been exposed to such attacks? Yet.

There is zero security in obscurity.

Hans Passant  2010-06-16 14:42:17
Managed code is invulnerable to buffer overruns. I expect to get exactly 0 vulnerabilities by using a fully managed parser. It might have bugs but they will deterministically result in an exception.
usr  2010-06-16 14:43:45
Erm, no, the image decoders are 100% unmanaged code. In *all* libraries.
Hans Passant  2010-06-16 14:55:43
I am looking for a completely managed image parser. Somebody must have done this... I am not sure if GDI+ works in medium trust and a managed parser would. Maybe somebody has created it.
usr  2010-06-16 14:57:58
You are not going to find one, image codecs are written in C. C code is *not* insecure by design, it is merely more likely to be exploitable because of a bug. Existing codec code is secure by virtue of it being exposed for so long. Replacing that code with managed code would make it *less* secure. As well as quite slow. For examples how managed code is not secure by design look for exploit stories of Flash and Java, popular attack targets.
Hans Passant  2010-06-16 15:12:33
Flash and Java can be attacked because the attacker controls the code (in the browser). I do not allow to upload .NET assemblies to my server. I do not see any way an attacker could exploit my managed image codecs. He can make them crash but not corrupt memory. I consider this to be quite secure in contrast to unmanaged code. No mistake a programmer can make does lead to a security hole.
usr  2010-06-16 15:24:58
The reason I am so paranoid about security in this case is that an attacker can actually take over the server by uploading forged images. Last time an exploit existed for GDI+ there were easy to use tools to embed any .exe inside of an image.
usr  2010-06-16 15:26:25
"There is zero security in obscurity." Actually it is non-zero because the obscurity is like a password - you have to know it in order to succeed in your hacking attempts. And cracking it can be time-consuming.
usr  2010-07-13 18:36:33
+3  A: 

What about VintaSoftImaging.NET? It's a fully-managed .NET library that can resize/resample various image formats (and much more).

It's certainly not the case that all image libraries have unmanaged code--image decoders are written in whatever language the author feels like writing them in. And some do feel like writing them in a managed language; for example, there's also LibTiff.NET and LibJpeg.NET, both 100% managed code. Those are strictly codec libraries though, and won't do any resizing.

Dave Huang  2010-06-23 05:59:20
Great answer, thanks. It is enough to have the codec managed IMHO as I can then copy the decoded bits back to System.Drawing.Bitmap and resize and save as usual. Exploits commonly occur in the decoder-part of the stack which now cannot happen anymore (at all).
usr  2010-06-29 12:45:27
+1  A: 
Will  2010-06-23 06:05:11
A very good answer. I won't be doing that because I first would have to find out how to correctly sandbox a process. I deemed it too much work (for now).
usr  2010-07-13 18:34:42

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?