Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
julian_lp wrote:
To every other user in this forum:
If you think you know where the risk could be (with a real example), just post your reply.
We've already told you of one potential exploit, have you fixed that yet?
Please excuse me, but I'm lost now. What are you talking about? The use of getimagesize()? The default switch value?
In both cases I did use your advice, of course.
I was advocating the use OF getimagesize() as it's far more secure than relying on ['type'] sent by the browser. However, that article is pretty interesting. Makes me re-think my upload code design, but I think I'm pretty safe with my naming scheme.
A very inefficient way to get rid of PHP code that I'm gonna add to my "upload avatar" part of the code
...added to the renaming, the check for getimagesize (useless?), and a resize:
    $valid  = true;
    $findme = '<?php';
    // $uploadPath is the uploaded file, already moved to a path outside the HTML root
    $lines = file($uploadPath);
    foreach ($lines as $line) {
        // strpos() is case-sensitive: this only catches a literal lowercase "<?php"
        if (strpos($line, $findme) !== false) {
            $valid = false;
            break;
        }
    }
I'm not sure whether there could be some valid image with the "<?php" string in it, and if so, how probable it would be (I guess very unlikely, and I pretty much prefer to lose a user rather than the whole site).
Last edited by julian_lp on Thu Oct 04, 2007 12:48 am, edited 1 time in total.
Nice reading, and glad to have thought almost the same before keeping an eye on the article.
VladSun wrote:
I read somewhere that using imagecreatefromjpeg and related functions should be secure enough...
I'll try to find some proofs of that.
BTW, I've been doing (in the working code) a resize over every image upload, which gets me some additional protection, I guess.
julian_lp wrote: Including a file remotely (from another host) wouldn't be a problem to my site I guess.
Suppose you have a file inclusion vulnerability in your web application. In this case, having allow_url_include=false will protect you from RFI, but not from LFI... Thus, having both of these issues would result in having RFI.
There are 10 types of people in this world, those who understand binary and those who don't
boo wrote: Does anyone know if resizing the image would affect the PHP code within the image? Would it remove some of it?
Resizing is done by using a low-pass filter, thus every image byte (in non-homogeneous areas) will be changed.
This is true for the raw image data, but not so for image headers, color maps, etc.
I can hardly remember embedding PHP code in a JPEG header (comments section). As far as I know, PHP code insertion in a GIF image is done in the raw image data.
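Putting the thread's advice together (validate with getimagesize(), decode with imagecreatefrom*(), resample, rename, store outside the web root) as an added example; this is not code posted in the thread. Because the resampled image is written to a fresh canvas, headers, comment blocks and trailing bytes of the original file are never copied, which addresses the point above that resizing alone only changes raw pixel data. The function name store_avatar, the form field 'avatar' and the directory /var/app/avatars are assumptions.

```php
<?php
// Added example: re-encode an uploaded image with GD so that nothing outside the
// pixel data survives, then store it under a server-chosen name outside the web root.
// Assumes the GD extension is loaded. Function and field names are assumptions.

function store_avatar(string $tmpPath, string $destDir, int $maxSide = 256): ?string
{
    // 1. Reject anything that is not an image by content, not by the browser's ['type'].
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;

    // 2. Decode with the loader matching the detected type (whitelist, not blacklist).
    //    The decoder only produces pixels; comments and trailing data are not kept.
    switch ($type) {
        case IMAGETYPE_JPEG: $src = @imagecreatefromjpeg($tmpPath); break;
        case IMAGETYPE_PNG:  $src = @imagecreatefrompng($tmpPath);  break;
        case IMAGETYPE_GIF:  $src = @imagecreatefromgif($tmpPath);  break;
        default:             return null;
    }
    if ($src === false) {
        return null;
    }

    // 3. Resample onto a new canvas with a bounded size.
    $scale = min(1.0, $maxSide / max($width, $height));
    $w = max(1, (int) round($width * $scale));
    $h = max(1, (int) round($height * $scale));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $width, $height);

    // 4. Always write JPEG under a random name; the client's filename is never used.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($dst, rtrim($destDir, '/') . '/' . $name, 85);
    imagedestroy($src);
    imagedestroy($dst);
    return $ok ? $name : null;
}

// Usage: 'avatar' is the assumed form field; /var/app/avatars is an assumed
// directory outside the document root.
if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['avatar']['tmp_name'])) {
    $stored = store_avatar($_FILES['avatar']['tmp_name'], '/var/app/avatars');
    echo $stored === null ? 'Rejected' : 'Stored as ' . $stored;
}
```

Serve the stored file through a script that sets the Content-Type itself rather than by direct URL, so the original name and extension from the upload never reach the web server.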