Safe upload images

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

neel_basu wrote:But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
Not very secure, that, really, though, is it? It can be easily changed by anyone.

May as well just use getimagesize() as suggested.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

neel_basu wrote:Yeah, I've used it before, as it returns its original MIME type by reading its first few characters. But it reads the whole image to get its height and width. But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
2 things:

1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.

2. Reading the file header won't tell you if a file is a valid image file ... it could be a file of garbage that happens to have the header matching an image format. getimagesize() goes a bit further and actually checks the format of the file.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

Have you ever opened any valid image with a simple text editor or a hex editor?
If you have, please look at the first line in that editor.
neel_basu wrote://This function can check whether an image is a PNG, BMP, JPEG or GIF image.
//But if you use a binary file that has PNG, JFIF, GIF or BM. written at the beginning,
//it will pass this validation. But I didn't think that a malicious program can contain
//those texts at its beginning, as those are reserved for images.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

neel_basu wrote:Have you ever opened any valid image with a simple text editor or a hex editor?
If you have, please look at the first line in that editor.
neel_basu wrote://This function can check whether an image is a PNG, BMP, JPEG or GIF image.
//But if you use a binary file that has PNG, JFIF, GIF or BM. written at the beginning,
//it will pass this validation. But I didn't think that a malicious program can contain
//those texts at its beginning, as those are reserved for images.


Guys, just give up... people just sometimes refuse to listen...
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

Hey.
I've never said that getimagesize() is bad or not working. How can a PHP native function be bad?
I was just saying what the real fact is and how it's getting the original MIME type.
onion2k wrote:1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.
I actually focused on the
neel_basu wrote:But to know whether it's a valid image or not, reading the first few characters is enough
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That is one of getimagesize()'s intended uses, neel. You're making it far more complicated than it need be.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

jayshields wrote:I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
Yeah, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to have made it a bit complex.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

neel_basu wrote:Yeah, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to have made it a bit complex.
Wrong. Wrong. Wrong. Run this:

    <?php

    // chk_img(): the header sniff under discussion. It reads only the first
    // 16 bytes of the file and looks for a magic string, so any file that
    // merely begins with one of those strings passes.
    function chk_img($img_path)
      {
        $handle = fopen($img_path, "r");
        if ($handle === false)
          {
            return false;   // unreadable file: treat as not an image
          }
        $contents = fread($handle, 16);
        fclose($handle);
        if (strstr($contents, 'PNG') || strstr($contents, 'JFIF') || strstr($contents, 'GIF') || strstr($contents, 'BM.'))
          {
            return true;
          }
        else
          {
            return false;
          }
      }

    // Both calls fetch the same remote file (needs allow_url_fopen) and
    // disagree about it: the header sniff says "image", getimagesize() does not.
    echo (chk_img("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";
    echo "<br>";
    echo (getimagesize("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";

    ?>
Then download http://www.ooer.com/onion/amianimage.jpg and open it in a text editor. To check whether a file is a valid image or not you must check more than just the file header.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

I've said it before:
neel_basu wrote://This function can check whether an image is a PNG, BMP, JPEG or GIF image.
//But if you use a binary file that has PNG, JFIF, GIF or BM. written at the beginning,
//it will pass this validation. But I didn't think that a malicious program can contain
//those texts at its beginning, as those are reserved for images.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Yes. If you're validating whether something is an image or not that's pretty important. Using a function that will say something is an image when it isn't is just plain wrong.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

A different question, not part of this topic:
Is it possible to make a JPG file that can harm the system if it is parsed as an image file? Because parsing a JPG file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

neel_basu wrote:A different question, not part of this topic:
Is it possible to make a JPG file that can harm the system if it is parsed as an image file? Because parsing a JPG file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
Have a read: http://www.microsoft.com/technet/securi ... 4-028.mspx
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

So it may affect the program that is reading it, and if it does any harm to the system, that's done by that program. So if I just open http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
Am I right?
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

neel_basu wrote:So if I just open http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
In order to run the buffer overflow exploit you'd have to view the image, so something on a server opening the image (like PHP with GD2, or ImageMagick, or something) should be safe. However, you don't just have images uploaded to the server and end there. You do something with them. Usually that's serving them as part of your website or letting users download them. If a user viewed or downloaded an image that was infected with something nasty, that could seriously damage your business.

At the end of the day it's very simple: use getimagesize() to validate images. Don't rely on the file header, because a file might pass that check and still not be a valid image. Your chk_img() function is not good enough.
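An added example, not code posted by anyone in this thread, that puts the disagreement above (the 16-byte header sniff in chk_img() versus getimagesize()) side by side with the check a practitioner actually wants, a full decode, and with the upload handling that follows from it. It runs on constructed samples written to temporary files, assumes the GD extension is loaded (imagecreatefromstring, imagegif, imagejpeg, imagepng), and every function and file name in it is illustrative.

```php
<?php
// Added example for this thread (not code posted above). Three levels of
// "is this really an image?" checking on constructed samples, then the
// validation a practitioner would use for uploads. Assumes the GD extension
// is loaded. Function and file names are illustrative.

// Level 1: the header sniff from the thread. Looks for a magic string in the
// first 16 bytes, so anything that starts with "GIF89a" (or merely contains
// "GIF" in its first 16 bytes) passes.
function chk_img_header(string $path): bool
{
    $head = file_get_contents($path, false, null, 0, 16);
    if ($head === false) {
        return false;
    }
    return strstr($head, 'PNG') !== false || strstr($head, 'JFIF') !== false
        || strstr($head, 'GIF') !== false || strstr($head, 'BM.') !== false;
}

// Level 2: getimagesize(). It parses the real format header (GIF logical
// screen descriptor, PNG IHDR, JPEG start-of-frame marker) for type and
// dimensions, but it never decodes the pixel data, so a well-formed header
// followed by arbitrary bytes still comes back as an image.
function chk_img_getimagesize(string $path): bool
{
    $info = @getimagesize($path);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
}

// Level 3: full decode with GD. The whole file has to parse as an image,
// not just its header.
function chk_img_decode(string $path): bool
{
    $data = file_get_contents($path);
    return $data !== false && @imagecreatefromstring($data) !== false;
}

// Upload handling: decode, then store a *new* file written by GD under a
// server-chosen name and extension taken from the decoded type. Bytes that
// are not pixel data (PHP tags, scripts, appended archives) do not survive
// the re-encode. Returns the stored path, or null if the upload is rejected.
function store_image_safely(string $uploadedTmp, string $destDir): ?string
{
    $info = @getimagesize($uploadedTmp);
    if ($info === false) {
        return null;
    }
    $type = $info[2];
    $data = file_get_contents($uploadedTmp);
    $img  = $data === false ? false : @imagecreatefromstring($data);
    if ($img === false) {
        return null;                      // header looked right, body did not decode
    }
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8))
          . image_type_to_extension($type, true);
    switch ($type) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);      break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        case IMAGETYPE_PNG:  $ok = imagepng($img, $dest);      break;
        default:             $ok = false;                      // not on the whitelist
    }
    return $ok ? $dest : null;
}

// Constructed samples (not real uploads): a genuine 1x1 GIF, a "GIF89a"
// polyglot that is really PHP source, and a plain text file.
function sample_files(): array
{
    $samples = [
        'real_gif'  => base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='),
        'polyglot'  => "GIF89a<?php echo 'not an image'; ?>",
        'plaintext' => "hello world, definitely not an image",
    ];
    $paths = [];
    foreach ($samples as $name => $bytes) {
        $path = tempnam(sys_get_temp_dir(), 'img');
        file_put_contents($path, $bytes);
        $paths[$name] = $path;
    }
    return $paths;
}

foreach (sample_files() as $name => $path) {
    printf("%-10s header=%s getimagesize=%s decode=%s\n", $name,
        var_export(chk_img_header($path), true),
        var_export(chk_img_getimagesize($path), true),
        var_export(chk_img_decode($path), true));
    unlink($path);
}
```

Running it prints one line per sample. The genuine GIF passes all three checks; the GIF89a polyglot passes the header sniff and also getimagesize(), which takes width and height from the bytes that follow the signature and stops there, but it fails the decode; the text file fails all three. The decode in chk_img_decode() and the re-encode in store_image_safely() are themselves parsers of untrusted input, so keep GD or ImageMagick patched and treat the decoder as the part of the upload pipeline worth isolating.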