Limit resample image path with get request.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

I want to limit resampling of images to those from a website or a local images directory.
The $image variable is coming from a GET request.

Is it enough to check the left side (lines 4 & 5) of the $image request?
Can this be tricked with some escape characters?
If so, is there something similar to mysqli_real_escape_string() or escapeshellarg() for the ImageCreateFromJpeg() function?

Code:

function ResampleImage($image, $size)
{
    authenticate('access_config');
    if (substr($image, 0, 7) != 'http://' &&
        substr($image, 0, 7) != 'images/') exit();

    header('Content-type: image/jpeg');

    $extension = substr(strrchr($image, '.'), 1);
    $extension = strtolower($extension);
    if ($extension == 'jpg')     $src_image = @ImageCreateFromJpeg($image) or exit();
    elseif ($extension == 'png') $src_image = @ImageCreateFromPng($image) or exit();
    elseif ($extension == 'gif') $src_image = @ImageCreateFromGif($image) or exit();
    else exit();

    // etc…
}
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What if it's https or ftp or some other protocol?

realpath() should be useful.
WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

I don't need another protocol for my program.
Mainly I want to resample images from some websites like http://images.amazon.com/images/….
And some local images like image/image.gif.
Maybe it is better to list the local images in an array() and use in_array().
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

I fail to see the purpose of this check. feyd already pointed out the problem with the local filenames, and checking if something comes from this or that protocol is pretty useless.

Forget about "local images in an array()", just make sure (realpath + dirname) that it's the correct directory and that the file is is_readable().
WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

Mordred wrote: I fail to see the purpose of this check, feyd already pointed out the problem with the local filenames,

Ok

Mordred wrote: and checking if something comes from this or that protocol is pretty useless.

This is needed because I want to resample images from other web sites like:
http://images-eu.amazon.com/...
http://images.amazon.com/...
etc.

Mordred wrote: Forget about "local images in an array()", just make sure (realpath + dirname) that it's the correct directory and that the file is is_readable()

Ok, now I see it is indeed a good idea :oops:
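The check the thread converges on, written out as an added example (not code from any poster): local paths are canonicalised with realpath() and required to sit directly inside the images directory and be readable, as Mordred describes, while remote URLs are parsed and compared against a host allow-list built from the hosts WaldoMonster names. The $imagesDir, $allowedHosts and the request handler are assumptions.

```php
<?php
// Resolve a user-supplied $image to either a file directly inside $imagesDir or a
// URL on an allow-listed host. Returns ['source' => ..., 'ext' => ...] or false.
function resolveImageSource(string $image, string $imagesDir, array $allowedHosts)
{
    if (preg_match('#^https?://#i', $image)) {
        // Remote: parse the URL instead of prefix-matching it, and require a listed
        // host; a user-info part is refused so the host cannot be disguised.
        $parts = parse_url($image);
        if ($parts === false || empty($parts['host']) || isset($parts['user'])
            || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return false;
        }
        $pathForExt = $parts['path'] ?? '';
        $source = $image;
    } else {
        // Local (e.g. "images/foo.gif", relative to the working directory): canonicalise
        // both sides so ".." segments and symlinks cannot leave the directory. A prefix
        // test on the raw string cannot guarantee that; realpath() can.
        $base = realpath($imagesDir);
        $real = realpath($image);
        if ($base === false || $real === false || dirname($real) !== $base
            || !is_file($real) || !is_readable($real)) {
            return false;
        }
        $pathForExt = $real;
        $source = $real;
    }
    // The extension only selects the decoder; the decoder's return value is the real
    // content check, so its failure must still be handled by the caller.
    $ext = strtolower(pathinfo($pathForExt, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'png', 'gif'], true)) {
        return false;
    }
    return ['source' => $source, 'ext' => $ext];
}

// Assumed request handler: reject anything that does not resolve before touching GD.
$allowed = ['images.amazon.com', 'images-eu.amazon.com'];
$img = resolveImageSource($_GET['image'] ?? '', __DIR__ . '/images', $allowed);
if ($img === false) {
    http_response_code(400);
    exit('invalid image');
}
$loaders = ['jpg' => 'imagecreatefromjpeg', 'png' => 'imagecreatefrompng', 'gif' => 'imagecreatefromgif'];
$loader = $loaders[$img['ext']];
$src_image = @$loader($img['source']);
if ($src_image === false) {
    http_response_code(400);
    exit('not a decodable image');
}
header('Content-type: image/jpeg');
// ... resample $src_image as before
```

Note that when GD is handed a URL it fetches it through PHP's http wrapper, which follows redirects by default, so the host allow-list only constrains the first request; if that matters, fetch the bytes yourself with a stream context that sets follow_location to 0 and decode them with imagecreatefromstring().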