I'm currently developing a site where users can upload images to use as avatars. I know this makes me sound a little paranoid, but I was wondering: what if a malicious user uploads an image with incredibly large dimensions that will eat the server memory (as a DoS attack)? I already have a limit on the file size that can be uploaded (250 k), but even that size can allow for an image with incredibly large dimensions if the image, for example, is a JPEG that contains one color and was created with a very low quality setting. Taking into consideration that the image is uploaded as a bitmap in memory when being resized (i.e. not compressed), I wonder if such DoS attacks occur. Even to check the image dimensions, it has to be uploaded in memory first. Did you hear about any attacks that exploited this? Am I too worried?

A: 

I think you should simply check the image dimensions. Having only a few formats, this isn't that hard and you can then easily filter large images out. Usually sites where you can upload avatars tell you to not only have an image smaller than a specific file size, but also give image dimension borders, so it's usual to check this.

schnaader
+2  A: 

It should be possible to get at the dimensions without loading the entire image map into memory? Maybe you can find out more on the issue at wotsit.org.

PEZ
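
The header-only dimension check suggested above, as an added example that is not part of the original thread: it reads the declared width and height of a PNG, GIF or JPEG from the upload's header bytes, before any decoder allocates a bitmap. The 1024-pixel limit, the function names and the sample byte strings are assumptions constructed for illustration, and Python is used only to show the byte layout.

```python
import struct

MAX_SIDE = 1024  # assumed avatar policy limit, not from the thread

def jpeg_dimensions(data):
    """Walk JPEG segments until a start-of-frame (SOF) marker is found."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                       # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                          # standalone marker, no length
        elif marker in (0xD9, 0xDA):
            return None                       # image data began without SOF
        else:
            (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
            is_sof = 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC)
            if is_sof and pos + 9 <= len(data):
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            if is_sof or seg_len < 2:
                return None                   # truncated or bogus segment
            pos += 2 + seg_len
    return None

def read_dimensions(data):
    """Return declared (width, height) from header bytes, or None."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if data[:2] == b"\xff\xd8":
        return jpeg_dimensions(data)
    return None

def accept_upload(data):
    """Reject unknown formats and anything outside the size policy."""
    dims = read_dimensions(data)
    return dims is not None and all(0 < side <= MAX_SIDE for side in dims)

# Constructed samples: headers only, no pixel data is needed for the check.
PNG_HUGE = b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", 60000, 60000)
JPEG_HUGE = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
             + b"\xff\xc0" + struct.pack(">HBHH", 17, 8, 65000, 65000))
GIF_OK = b"GIF89a" + struct.pack("<HH", 96, 96)
```

The check only reports what the file declares, so it belongs in front of the real decode and resize step, not in place of it.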
+2  A: 

You have to validate that image files really ARE image files. The issue isn't an attack on your server. The issue is someone uploading an ActiveX control instead of an image. This file then downloads and installs and ruins every Windows machine that does the download.

The threat is not to you. The threat is that you will become a carrier for a virus.

You must validate each file to confirm that it is a real image file. You can check dimensions and what-not if you want. Most image-processing libraries can read the headers off the image, check the dimensions and number of pixels and what-not.

Often, folks make thumbnails from images; you can do that, also, once you've opened the image.

S.Lott
Thanks for your answer. Actually, I already open and resize the images in my app, so if they are not real images they won't be saved on the server. The point in my question was to check the images even before I open them so that I can avoid the DoS attack.
Waleed Eissa
The "out of memory attack" doesn't exist. Your graphics libraries already handle this.
S.Lott
A: 

DoS may or may not be an issue - it depends on if someone decides to target your site.

However, for your site to scale to 1000s of concurrent users, you may consider handling the image processing in a separate process.

When the image processing is handled by page code, you run the risk of exhausting: memory, CPU, or ASP.NET threads --- the bottleneck depends on your server configuration.

Possible solution:

  1. User uploads image.
  2. Image is saved to shared directory.
  3. Image path is saved to a queue in database.
  4. Page returns with message "thanks for uploading, your avatar will be ready soon".
  5. A Windows Service* wakes up periodically and checks the database queue.
  6. The service resizes any images waiting in the queue, saves the outputs to a shared directory, and removes them from the queue.
  7. Service updates the database indicating that the user's avatar is ready. So, next time they visit their profile page, they are shown the resized image.

*Ideally, the Windows Service runs on a separate server from the web server, which could be scaled up to meet future demands.

Whether this effort is worth it depends on your expected traffic. You could use load testing tools to script and simulate these actions, to see if your site can handle the load.

frankadelic