tags:

views:

103

answers:

3
Q: 

100% safe photo upload script

+3  A: 

It's really rather simple. Run all uploaded images through an image filter that is known to be safe. If it kicks back with a "Not an image error", you have shenanigans. (A simple example would be an identity transform, or a JPEG quality normalization technique.) An important point, tho', is to actually use the output from the filter, not the original file.

Williham Totland  2010-06-24 21:51:31
Note that WMF's were both images and executables. Which led to malware guys embedding stuff inside valid "images"..but that was a while back.
Chris Lively  2010-06-24 21:54:44
+2  A: 

As you mentioned, there's another question that addresses the issue. The author notes that he should be safe as long as he only accepts genuine image files and keeps down the filesize, which is about the only thing you can do. Check extension and MIME type and reject anything that does not match the formats you want. There's still RFI (well, more like LFI here), but as long as you aren't haphazardly including files without performing sanity checks, you should be good to go.

Matchu  2010-06-24 21:53:09
+1  A: 

Things you need to consider and watch out for:

File extensions: Webservers use the file extension to determine the MIME-Type sent to the client. You should use a whitelisting of extensions that you allow. In your case this would be image extensions.

LFI: As already mentioned by Matchu, local file inclusion can be an issue. If your application has dynamic includes that allow you to include an arbitrary file, eg. include($_GET['myfile']); it can lead to arbitrary PHP execution. So you need to secure such includes by using basename(). This can even happen with images, since they can contain embedded comments.

MIME-Type-Detection: This is actually not very well known, and there's not much information about it. IE<8 has a feature called MIME-Type-Detection which will, if the Content-Type does not match with the content, try to guess the type by looking at the first 256 bytes. This means, if you have a PNG file called image.gif with a comment at the top that reads <script>alert('hello');</script>, then IE<8 will think it is HTML and execute the JavaScript, leading to an XSS attack.

To prevent this issue for images you can use the approach mentioned by Williham Totland. I would suggest using getimagesize() to detect if the image is valid and to ensure that the extension matches the type.

$image_filename = 'uploaded_image.gif';
$image_extension = substr(strrchr($image_filename, '.'), 1);

$mime_mapping = array('png' => 'image/png', 'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg');
$info = getimagesize($image_filename);

if (!$info) {
    exit('not an image');
}

if ($info['mime'] != $mime_mapping[$image_extension]) {
    exit('wrong extension given');
}

// all checks passed
// image can be saved now

There is an article written about this issue here.

igorw  2010-06-24 23:17:51
Note that it's possible to make an file that contains `<script>` that IE will execute as HTML but is still a valid image and will be passed by `getimagesize()`, so the above isn't safe. This is what Williham was talking about with using a processed output image rather than the original file supplied. Whilst it is theoretically possible to create an image that, when filtered/recompressed/saved by a known target function, would result in something containing unsafe HTML content, this is quite an impractical attack.
bobince  2010-06-25 11:32:41
Also there are other types you might try to smuggle into an image, in particular Java and Flash code. These allow scripting but do not abide by the exact ‘same origin policy’ that JavaScript does, so by planting a JAR or SWF on a target server it is partially possible to cross-site-script into it from another page. See the ‘GIFAR’ attack for an example of this. For these reasons it is difficult to guarantee that file upload will be ‘safe’ even with precautions. A good response is to put all user-uploaded content on a separate hostname that does not share a security context with the main site.
bobince  2010-06-25 11:36:58
IE will only use MIME-Type-Detection if image content and headers don't match, which my implementation checks. The issue is that there is no such signature for PNG images in older versions. And you are right, GIFAR and flash are quite an issue that require a custom serving script. [Possible solution for GIFAR][1]. Flash attacks require the serving script to be in a separate directory and if possible without public filenames. Or your solution, of course. [1]: http://github.com/phpbb/phpbb3/commit/bf59a749c3346ed7341d03946b8ecd0701af9eb8
igorw  2010-06-25 12:11:54
I would give unique name to an image, so I guess I will prevent attacks such as XSS.
hey  2010-06-25 12:19:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases