Secure image upload

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

Jcart wrote:
julian_lp wrote: To every other user in this forum:
If you think you know where the risk could be (with a real example), just post your reply.
We've already told you of one potential exploit, have you fixed that yet?
Please excuse me but I'm lost now, what are you talking about? The use of getimagesize()? The default switch value?
In both cases I did use your advice, of course :)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

There are 10 types of people in this world, those who understand binary and those who don't
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I was advocating the use OF getimagesize() as it's far more secure than relying on ['type'] sent by the browser. However, that article is pretty interesting. Makes me re-think my upload code design, but I think I'm pretty safe with my naming scheme.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

A very inefficient way to get rid of PHP code that I'm gonna add to my "upload avatar" part of the code
...added to the renaming, the check for getimagesize (useless?), and a resize

Code:

// $uploadedPath: the uploaded file, already moved to a path outside the html root
// (assumed path; adjust to your own storage location)
$uploadedPath = '/path/outside/html/root/uploaded_file';
$valid = true;
$lines = file($uploadedPath);
foreach ($lines as $line) {
	$findme   = '<?php';
	$pos = strpos($line, $findme);
	if ($pos !== false) {
		$valid = false; // reject the file: it contains a PHP open tag
		break;
	}
}
I'm not sure whether there could be some valid image with "<?php" string in it, and if so, how probable it would be (guess very unlikely, and I pretty much prefer to lose a user rather than the whole site)
Last edited by julian_lp on Thu Oct 04, 2007 12:48 am, edited 1 time in total.
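The three measures julian_lp lists (rename, getimagesize check, resize) fit together into one handler. The code below is an added example written for this thread, not julian_lp's working code. It assumes the form field is named avatar, that UPLOAD_TMP is a directory outside the web root, and that AVATAR_DIR is served as static files only; the size and dimension limits are arbitrary. Instead of scanning the bytes for "<?php", it decodes the pixels with GD and writes a fresh JPEG, so no byte of the uploaded file ever reaches the served directory.

```php
<?php
// Added example, not the poster's code. Paths and limits are assumptions.
const UPLOAD_TMP = '/var/app/upload_tmp';     // assumed: not reachable by URL
const AVATAR_DIR = '/var/app/public/avatars'; // assumed: served as static files only
const MAX_BYTES  = 512 * 1024;
const MAX_SIDE   = 256;

// Decoded types we accept. The decision is based on getimagesize() and on
// GD actually decoding the data, never on the client's file name or MIME type.
const ALLOWED = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

function storeAvatar(array $upload): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || $upload['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }

    // Move out of the web root first, under a random name, so the original
    // bytes are never reachable by URL at any point.
    $tmp = UPLOAD_TMP . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($upload['tmp_name'], $tmp)) {
        throw new RuntimeException('move failed');
    }

    try {
        // getimagesize() only inspects the header; treat it as a cheap first filter.
        $info = @getimagesize($tmp);
        if ($info === false || !in_array($info[2], ALLOWED, true)) {
            throw new RuntimeException('not an accepted image type');
        }

        // Decoding the pixel data is the real test: whatever GD cannot parse
        // as an image is rejected here.
        $src = @imagecreatefromstring(file_get_contents($tmp));
        if ($src === false) {
            throw new RuntimeException('image decode failed');
        }

        // Resize onto a fresh canvas. Only pixels are copied, so header fields,
        // comment segments and trailing bytes of the upload never reach disk.
        $w = imagesx($src);
        $h = imagesy($src);
        $scale = min(1, MAX_SIDE / max($w, $h));
        $dst = imagecreatetruecolor(max(1, (int) ($w * $scale)), max(1, (int) ($h * $scale)));
        imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $w, $h);

        // Server-chosen random name and a fixed extension; the client's file
        // name is never used, so there is no double-extension trick to worry about.
        $name = bin2hex(random_bytes(16)) . '.jpg';
        if (!imagejpeg($dst, AVATAR_DIR . '/' . $name, 85)) {
            throw new RuntimeException('write failed');
        }
        imagedestroy($src);
        imagedestroy($dst);
        return $name;
    } finally {
        @unlink($tmp); // the original upload is discarded in every case
    }
}

// Usage, inside the form handler (assumed field name):
// $storedName = storeAvatar($_FILES['avatar']);
```

The string scan from the post above only catches a literal "<?php" on one line; the re-encode step makes that scan unnecessary because the served file is generated by GD from pixels alone. The remaining requirement is on the web server side: AVATAR_DIR must be configured so that nothing in it is ever handed to the PHP interpreter, whatever its name.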
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Another article.

I read somewhere that using imagecreatefromjpeg and related functions should be secure enough ...
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

VladSun wrote: Another article.
Nice reading and glad to have thought almost the same before keeping an eye on the article :D
VladSun wrote: I read somewhere that using imagecreatefromjpeg and related functions should be secure enough ...
I'll try to find some proofs of that.
BTW I've been doing (in the working code) a resize over every image upload, that gets me an additional protection I guess
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

julian_lp wrote:Including a file remotely (from another host) wouldn't be a problem to my site I guess.
Suppose you have a file inclusion vulnerability in your web application. In this case, having allow_url_include=false will protect you from RFI, but not from LFI... Thus, having both of these issues would result in having RFI :)
boo
Forum Commoner
Posts: 42
Joined: Mon Jul 02, 2007 11:30 am
Location: NY

Post by boo »

Does anyone know if resizing the image would affect the PHP code within the image? Would it remove some of it?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

boo wrote: Does anyone know if resizing the image would affect the PHP code within the image? Would it remove some of it?
Resizing is done by using a low pass filter, thus every image byte (in non-homogeneous areas) will be changed.
This is true for the raw image data, but not so for image headers and color maps, etc.
I can hardly remember embedding PHP code in JPEG header - comments section. As far as I know PHP code insertion in GIF image is done in raw image data.
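VladSun's distinction between raw image data and header sections can be checked directly. The script below is an added example, not code from anyone in this thread: it builds a small JPEG with GD, splices a COM segment (JPEG comment, marker 0xFFFE) carrying a constructed marker string in right after the SOI marker, then decodes the result and writes it again through imagecopyresampled the way a resize step would, and reports whether the marker string survives. The marker text, the 16x16 canvas and the quality values are arbitrary choices for the test.

```php
<?php
// Added example, not from the thread. Tests what a GD decode/resize/encode
// pass does to a JPEG comment segment.

function makeJpegWithComment(string $comment): string
{
    // A flat 16x16 image keeps the entropy-coded data tiny.
    $im = imagecreatetruecolor(16, 16);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    ob_start();
    imagejpeg($im, null, 90);
    $jpeg = ob_get_clean();
    imagedestroy($im);

    // SOI (FF D8) is the first two bytes; a COM segment may directly follow it.
    // Segment layout: marker FF FE, 2-byte big-endian length (includes itself), payload.
    $segment = "\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment;
    return substr($jpeg, 0, 2) . $segment . substr($jpeg, 2);
}

function resizeAndReencode(string $bytes): string
{
    // Same steps an avatar resize would take: decode, resample, encode anew.
    $src = imagecreatefromstring($bytes);
    if ($src === false) {
        throw new RuntimeException('GD could not decode the input');
    }
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $w, $h);
    ob_start();
    imagejpeg($dst, null, 90);
    $out = ob_get_clean();
    imagedestroy($src);
    imagedestroy($dst);
    return $out;
}

// Constructed marker text; it only needs to be recognisable in the byte stream.
$marker = 'CONSTRUCTED-MARKER <?php';
$before = makeJpegWithComment($marker);
$after  = resizeAndReencode($before);

printf("GD decodes the file with the comment present: %s\n", imagecreatefromstring($before) !== false ? 'yes' : 'no');
printf("marker found in uploaded bytes:               %s\n", strpos($before, $marker) !== false ? 'yes' : 'no');
printf("marker found after resize + re-encode:        %s\n", strpos($after, $marker) !== false ? 'yes' : 'no');
```

The first two lines come out "yes": libjpeg skips comment segments, so the file is still a valid image and getimagesize() or imagecreatefromjpeg() alone would not flag it. The third comes out "no" because GD writes a new file from the decoded pixels and does not copy COM, APP or other header segments from the source. That is the reason the resize step is worth keeping: it is the encode, not the filter, that removes what the header carried.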