Posted: Wed May 02, 2007 8:07 am
by JayBird
neel_basu wrote:But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
Not very secure really though, is it? It can be easily changed by anyone.
May as well just use getimagesize() like suggested.
Posted: Wed May 02, 2007 9:50 am
by onion2k
neel_basu wrote:Ya, I've used it before as it returns its original MIME type, reading its first few characters. But it reads the total image to get its height and width. But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
Two things:
1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.
2. Reading the file header won't tell you if a file is a valid image file ... it could be a file of garbage that happens to have the header matching an image format. getimagesize() goes a bit further and actually checks the format of the file.
Posted: Wed May 02, 2007 10:14 am
by neel_basu
Have you ever opened any valid image with a simple text editor or a hex editor?
If so, please look at the first line in that editor.
neel_basu wrote:// This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
Posted: Wed May 02, 2007 10:35 am
by nickvd
neel_basu wrote:Have you ever opened any valid image with a simple text editor or a hex editor?
If so, please look at the first line in that editor.
neel_basu wrote:// This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
Guys, just give up... people just sometimes refuse to listen...
Posted: Wed May 02, 2007 11:47 am
by neel_basu
Hey.
I've never said that getimagesize() is bad or not working. How can a PHP native function be bad?
I was just telling what the real fact is and how it's getting the original MIME type.
onion2k wrote:1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.
I actually focused on the
neel_basu wrote:But to know whether it's a valid image or not, reading the first few characters is enough

Posted: Wed May 02, 2007 11:52 am
by feyd
That is one of getimagesize()'s intended uses, neel. You're making it far more complicated than it need be.
Posted: Wed May 02, 2007 11:54 am
by jayshields
I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
Posted: Wed May 02, 2007 12:00 pm
by neel_basu
jayshields wrote:I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
Ya, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to make it a bit complex.
Posted: Wed May 02, 2007 12:43 pm
by onion2k
neel_basu wrote:Ya, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to make it a bit complex.
Wrong. Wrong. Wrong. Run this:
<?php
// Header-only check: accepts the file if an image marker appears anywhere in the first 16 bytes.
// This is the weak check under discussion; its behaviour is kept as posted to show the problem.
function chk_img($img_path)
{
    $handle = fopen($img_path, "rb");   // binary mode, so no newline translation on Windows
    if ($handle === false) {
        return false;                   // could not open the file at all
    }
    $contents = fread($handle, 16);
    fclose($handle);
    if (strstr($contents, 'PNG') || strstr($contents, 'JFIF') || strstr($contents, 'GIF') || strstr($contents, 'BM.')) {
        return true;
    }
    return false;
}

// Same file, two verdicts. (Opening a URL with fopen()/getimagesize() needs allow_url_fopen enabled.)
echo (chk_img("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";
echo "<br>";
echo (getimagesize("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";
?>
Then download http://www.ooer.com/onion/amianimage.jpg and open it in a text editor. To check whether a file is a valid image or not you must check more than just the file header.
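The point onion2k makes above, as an added example that is not from the thread: a Python port of the chk_img() substring test next to a stricter check that requires the exact PNG signature at offset 0 and a well-formed IHDR chunk with a matching CRC, run on constructed byte strings (no real files). It goes one step beyond the thread's case by also showing that a genuine header with one corrupted byte is rejected; getimagesize() does this kind of structural parsing for you in PHP.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKERS = (b"PNG", b"JFIF", b"GIF", b"BM.")


def loose_check(data: bytes) -> bool:
    """Port of the thread's chk_img(): accept if any marker appears in the first 16 bytes."""
    head = data[:16]
    return any(marker in head for marker in MARKERS)


def strict_png_check(data: bytes) -> bool:
    """Require the exact PNG signature at offset 0 plus a well-formed IHDR chunk.

    Layout: 8-byte signature, then the IHDR chunk = 4-byte length (always 13),
    4-byte type, 13-byte body, 4-byte CRC computed over type + body.
    """
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body, crc = data[16:29], struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + body) != crc:
        return False
    width, height, bit_depth, color_type = struct.unpack(">IIBB", body[:10])
    return (width > 0 and height > 0 and bit_depth in (1, 2, 4, 8, 16)
            and color_type in (0, 2, 3, 4, 6))


def make_ihdr(width: int, height: int) -> bytes:
    """Build a valid IHDR chunk (8-bit RGB, default compression/filter/interlace)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", zlib.crc32(b"IHDR" + body))


# Constructed samples, not files from the thread:
GOOD_PNG_HEAD = PNG_SIGNATURE + make_ihdr(1, 1)  # the first 33 bytes of a genuine PNG
DECOY = b"PNG? No, just a text file that happens to begin with those letters."
_tampered = bytearray(GOOD_PNG_HEAD)
_tampered[19] = 2                                 # corrupt the width byte; the CRC no longer matches
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_PNG_HEAD), ("decoy", DECOY), ("tampered", TAMPERED)):
        print(f"{name:9} loose={loose_check(sample)!s:5} strict={strict_png_check(sample)}")
```

The decoy passes the marker search and fails the structural check, which is exactly the amianimage.jpg result above.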
Posted: Wed May 02, 2007 12:49 pm
by neel_basu
I've talked about it before:
neel_basu wrote:// This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
Posted: Wed May 02, 2007 12:53 pm
by onion2k
Yes. If you're validating whether something is an image or not that's pretty important. Using a function that will say something is an image when it isn't is just plain wrong.
Posted: Wed May 02, 2007 12:58 pm
by neel_basu
A different question, not part of this topic:
Is it possible to make a jpg file that can harm the system if parsed as an image file? Because parsing a jpg file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
Posted: Wed May 02, 2007 1:09 pm
by feyd
neel_basu wrote:A different question, not part of this topic:
Is it possible to make a jpg file that can harm the system if parsed as an image file? Because parsing a jpg file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
Have a read:
http://www.microsoft.com/technet/securi ... 4-028.mspx
Posted: Wed May 02, 2007 1:25 pm
by neel_basu
So it may affect the program that is reading it, and if it does any harm to the system, that's by that program. So if I just opened http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
Am I right?
Posted: Wed May 02, 2007 3:12 pm
by onion2k
neel_basu wrote:So if I just opened http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
In order to run the buffer overflow exploit you'd have to view the image, so something on a server opening the image (like PHP with GD2, or ImageMagick, or something) should be safe. However, you don't just have images uploaded to the server and end there. You do something with them. Usually that's serving them as part of your website or letting users download them. If a user viewed or downloaded an image that was infected with something nasty, that could seriously damage your business.
At the end of the day it's very simple: use getimagesize() to validate images. Don't rely on the file header because it might pass that check and still not be a valid image. Your chk_image() function is not good enough.