Hi Dan,

On Wed, Feb 25, 2015 at 9:38 AM, Dan Ackroyd <dan...@basereality.com> wrote:

> On 25 February 2015 at 00:09, Pádraic Brady <padraic.br...@gmail.com>
> wrote:
> >
> > Your example omitted the image validation step which would have
> > noticed your attempt to upload a phar immediately. Add that and try
> > again.
>
> Image validation is no defense against this type of attack:
>
>
> http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
>
> As soon as you have any possibility of including a file uploaded by an
> attacker, you are probably going to lose.


I know, and Padraic also knows, that an attacker can make an image file
from which the "embedded PHP script" cannot be removed even by image resizing.
A tool called "Image Fight" even exists to fight against images with
embedded PHP scripts.

I proposed that include/require load specific file extensions, but I
got many objections to the idea. Therefore, I tried to "detect" embedded
"PHP script". However, it's complex and I cannot make sure there isn't
an embedded "PHP script" in a file.

The current RFC is based on the original idea, with additional
move_uploaded_file() protection. It works well for the objective.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
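
Added example, not part of the original message or of the RFC: a Python sketch of why the image validation and "detect embedded PHP script" approaches discussed in this thread cannot give certainty. The segment walker, the tag patterns and both sample byte strings are constructed for illustration; a structurally valid JPEG carrying an open tag in a comment segment passes the format check, while a clean file whose compressed data happens to contain `<?` is flagged once short tags are considered.

```python
import re
import struct

# An included file starts executing PHP at any open tag, wherever it sits.
FULL_TAGS = re.compile(rb"<\?php\s|<\?=", re.IGNORECASE)
SHORT_TAG = re.compile(rb"<\?")  # only an open tag when short_open_tag is on

def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG header segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if data[pos] != 0xFF or length < 2 or pos + 2 + length > len(data):
            raise ValueError("malformed segment")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # SOS: compressed image data follows
            return
        pos += 2 + length

def looks_like_jpeg(data):
    """Structural check, an assumed stand-in for an upload handler's validation."""
    try:
        markers = [m for m, _ in jpeg_segments(data)]
    except ValueError:
        return False
    return 0xC0 in markers and 0xDA in markers

def php_tag_scan(data, short_open_tag=False):
    """Return 'full', 'short' or None for the strongest open tag found."""
    if FULL_TAGS.search(data):
        return "full"
    if short_open_tag and SHORT_TAG.search(data):
        return "short"
    return None

def segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: minimal header segments, not real photographs.
SOF0 = segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
SOS = segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
CLEAN = b"\xff\xd8" + SOF0 + SOS + b"\x12<?\x9a\xff\xd9"
TAGGED = b"\xff\xd8" + segment(0xFE, b"<?php /* marker */ ?>") + SOF0 + SOS + b"\x12\x34\xff\xd9"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("tagged", TAGGED)):
        print(name, looks_like_jpeg(img), php_tag_scan(img), php_tag_scan(img, True))
```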
