On Sat, May 5, 2012 12:29 pm, Ferenc Kovacs wrote:
> On Sat, May 5, 2012 at 6:32 PM, Richard Lynch <c...@l-i-e.com> wrote:
>
>> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
>> > In most systems you can upload *anything* with a .jpg extension and the
>> > app will take it, so you can still include the file
>>
>> People don't use imagecreatefromjpeg() to be sure it isn't some ware or
>> executable or PHP script disguised as a JPEG?!
>>
>> That's just crazy.
>>
>> And inexcusable in a framework.
>>
>> Somebody might be able to craft a "JPEG" that validates and still
>> manages to somehow parse some PHP in the middle... Probably using JPEG
>> comments so it's easier.
>>
>
> Yeah, and injecting PHP code through the JPEG comments isn't new either, see
> http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
> but I bet I could find even older posts discussing the topic.
> So IMO the correct remedy for this situation is to prevent your uploaded
> files from being executed in the first place, instead of trying to write an
> error-prone method to detect malicious content inside your uploaded media
> files.
getImageSize is not better than fileInfo...

If the whole thing parses as an image with imagecreatefromjpeg() I should
think that's a bit tougher to create a hack that works.

Then one can strip off the EXIF info with the comments, I believe.

And, yes, ideally one would keep images in a totally separate directory not
even in the webtree... Which I do, but some folks can bear the cost of
passing the image "through" PHP.

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
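The two remedies discussed in the thread (decode the upload fully with imagecreatefromjpeg() rather than trusting getimagesize() or the extension, then re-encode so the EXIF/comment segments are dropped, and keep the stored file outside the web tree so it can never be executed) can be combined in one upload handler. The code below is an added example written for this post, not code from the thread or from PHP itself; the `IMAGE_STORE` directory and the `storeUploadedJpeg()` / `serveImage()` function names are assumptions.

```php
<?php
// Added example (not from the thread): accept a JPEG upload only if GD can
// decode the whole stream, re-encode it so the original's COM/EXIF segments
// are not carried over, and store it outside the document root.

declare(strict_types=1);

// Assumption: a directory the web server does not serve directly.
const IMAGE_STORE = '/var/app/uploads';

// Returns the server-chosen file name on success, or null if the upload is
// rejected. $tmpPath is the $_FILES['...']['tmp_name'] of the request.
function storeUploadedJpeg(string $tmpPath, int $maxBytes = 5000000): ?string
{
    // Only accept files PHP itself received via HTTP upload, with a size cap
    // so a huge "image" cannot exhaust memory during decoding.
    if (!is_uploaded_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }

    // getimagesize() reads headers only; imagecreatefromjpeg() decodes the
    // full image data, so anything that is not really a JPEG fails here.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }

    // Re-encoding writes a fresh JPEG from pixel data. GD does not copy the
    // comment or EXIF segments of the source, which is where text payloads
    // are typically hidden, so they are dropped along with the original bytes.
    $name = bin2hex(random_bytes(16)) . '.jpg'; // never reuse the client's name
    $dest = IMAGE_STORE . '/' . $name;
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);

    return $ok ? $name : null;
}

// Serving "through" PHP, as the post describes: the store stays outside the
// webtree, so no interpreter can ever be mapped onto the stored file.
function serveImage(string $name): void
{
    // The name was generated by us; anything else (e.g. "../") is a 404.
    if (!preg_match('/^[0-9a-f]{32}\.jpg$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = IMAGE_STORE . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff'); // browser must not sniff another type
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Typical wiring in an upload endpoint:
// $stored = storeUploadedJpeg($_FILES['photo']['tmp_name']);
// if ($stored === null) { http_response_code(400); exit; }
```

The size cap matters because full decoding is the point: a decoder that touches every byte is the check, but it also costs memory proportional to the image dimensions. Re-encoding degrades quality slightly, which is the price of not trusting a single byte of the original container.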