php-general Digest 15 Aug 2010 09:51:33 -0000 Issue 6894

Topics (messages 307473 through 307481):

Re: Need to check pdf for xss
        307473 by: Peter Lind
        307474 by: Sebastian
        307475 by: Peter Lind
        307476 by: Sebastian
        307478 by: Paul M Foster
        307479 by: Peter Lind
        307480 by: Ashley Sheridan
        307481 by: Sebastian

Re: PHP Reference
        307477 by: Karl DeSaulniers

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On 14 August 2010 22:36, Sebastian Ewert <seb2...@yahoo.de> wrote:
> Hi,
>
> before I allow images to be uploaded I read them and check for several html
> tags. If they exist I don't allow the upload. Is there any need to check
> pdf files, too? At the moment I'm doing this, but the result is that many
> files are denied because of disallowed html tags.
>

Reading and checking for html tags seems rather excessive - I would
rather use image extensions/pdf extensions and tools to verify that
the uploaded data was in fact one or the other. If someone uploads an
image and you cannot get the image dimensions from the file, for
instance, then it's likely not an image.

Regards
Peter

-- 
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

--- End Message ---
--- Begin Message ---
Peter Lind wrote:
> On 14 August 2010 22:36, Sebastian Ewert <seb2...@yahoo.de> wrote:
>> Hi,
>>
>> before I allow images to be uploaded I read them and check for several html
>> tags. If they exist I don't allow the upload. Is there any need to check
>> pdf files, too? At the moment I'm doing this, but the result is that many
>> files are denied because of disallowed html tags.
>>
> 
> Reading and checking for html tags seems rather excessive - I would
> rather use image extensions/pdf extensions and tools to verify that
> the uploaded data was in fact one or the other. If someone uploads an
> image and you cannot get the image dimensions from the file, for
> instance, then it's likely not an image.
> 
> Regards
> Peter
> 
So if imagick says it's an image/pdf there is no need to check for html
tags? My upload class first checks the mime type with imagick. Do you
know other tools?

I think I can remember an xss tutorial where the js code was included
in an image. But I haven't tried it so I couldn't test the result. He
used a program to combine images with text. Perhaps I have understood
something wrong.

--- End Message ---
--- Begin Message ---
I'm guessing you may have been referring to something like:
http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem
to be a valid threat to IE6 and would go undetected by the measures
proposed. Checking an image for <script> tags seems to be the only way to
check if IE6 will render it as html and whether or not it will cause
problems.

I don't know if the same vulnerability exists for pdfs - you'd have to
check security sources for it.

Regards
Peter

-- 
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

--- End Message ---
--- Begin Message ---
Peter Lind wrote:
> I'm guessing you may have been referring to something like:
> http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem
> to be a valid threat to IE6 and would go undetected by the measures
> proposed. Checking an image for <script> tags seems to be the only way to
> check if IE6 will render it as html and whether or not it will cause
> problems.
> 
> I don't know if the same vulnerability exists for pdfs - you'd have to
> check security sources for it.
> 
> Regards
> Peter
> 
THX now I understand why only the first bytes are checked for tags. I'm
not planning to support IE6. A message with an update link is displayed
if IE6 enters the site.

For other browsers, is the mime type check with imagick enough security or
are there better ways?

--- End Message ---
--- Begin Message ---
On Sat, Aug 14, 2010 at 10:36:07PM +0200, Sebastian Ewert wrote:

> Hi,
> 
> before I allow images to be uploaded I read them and check for several html
> tags. If they exist I don't allow the upload. Is there any need to check
> pdf files, too? At the moment I'm doing this, but the result is that many
> files are denied because of disallowed html tags.

If I'm not mistaken, more recent versions of the PDF spec allow for
embedded javascript. If so, it might be worthwhile to check for
javascript in PDFs. (Whoever first thought of embedding *code* in
documents should be shot.)

Paul

-- 
Paul M. Foster

--- End Message ---
--- Begin Message ---
On 15 August 2010 06:14, Paul M Foster <pa...@quillandmouse.com> wrote:
> On Sat, Aug 14, 2010 at 10:36:07PM +0200, Sebastian Ewert wrote:
>
>> Hi,
>>
>> before I allow images to be uploaded I read them and check for several html
>> tags. If they exist I don't allow the upload. Is there any need to check
>> pdf files, too? At the moment I'm doing this, but the result is that many
>> files are denied because of disallowed html tags.
>
> If I'm not mistaken, more recent versions of the PDF spec allow for
> embedded javascript. If so, it might be worthwhile to check for
> javascript in PDFs. (Whoever first thought of embedding *code* in
> documents should be shot.)
>

I personally wouldn't bother: it is the responsibility of Adobe Reader
or whichever pdf reader a user is using, to make sure that nothing
evil comes of viewing a pdf. There's very little chance you'll be able
to properly check pdfs serverside for the various security exploits
they may contain - the pdf reader would/should be much better equipped
to do this (the fact that Adobe has failed miserably at it so far is
another thing).

Sebastian, I personally think the best check for validity is, taking
images as an example, opening the image using Imagick or something
like it. After opening, verify that the image has valid dimensions and
type: a string of javascript or something like it simply won't
validate as an image. I've typically used
http://dk2.php.net/manual/en/function.getimagesize.php for this
myself, as there isn't a lot of overhead with that function - I don't
know if Imagick would be faster though, you'd have to check.

Regards
Peter

-- 
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

--- End Message ---
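Peter's suggested check, written out as an added example that is not code from the thread: let getimagesize() parse the upload, accept only an allowlist of image types, require sane dimensions, and as defence in depth against the old-browser sniffing issue linked earlier in the thread, also refuse files whose leading bytes contain HTML markup. The size limits, the sniff window and the form field name are assumptions.

```php
<?php
// Added example, not code from the thread. A valid GIF or PNG can still carry
// a <script> tag in a comment block, which is what the linked IE6 trick relied
// on, so the markup scan is kept even though getimagesize() already passed.

const ALLOWED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
const MAX_DIMENSION = 4000;  // pixels, assumed site limit
const SNIFF_WINDOW  = 512;   // bytes old browsers inspected before deciding the type

function leadingBytesLookLikeHtml(string $path): bool
{
    $head = file_get_contents($path, false, null, 0, SNIFF_WINDOW);
    if ($head === false) {
        return true; // unreadable file: fail closed
    }
    return (bool) preg_match('/<\s*(script|html|body|iframe|object|embed|meta|!doctype)\b/i', $head);
}

/** Returns [bool $accepted, string $detail]; $detail is the server-detected MIME type on success. */
function validateImageUpload(string $path): array
{
    $info = @getimagesize($path);   // false unless the header parses as an image
    if ($info === false) {
        return [false, 'not a parsable image'];
    }
    [$width, $height, $type] = $info;
    if (!in_array($type, ALLOWED_TYPES, true)) {
        return [false, 'image type not allowed: ' . image_type_to_mime_type($type)];
    }
    if ($width < 1 || $height < 1 || $width > MAX_DIMENSION || $height > MAX_DIMENSION) {
        return [false, "unreasonable dimensions {$width}x{$height}"];
    }
    if (leadingBytesLookLikeHtml($path)) {
        return [false, 'HTML markup inside the file header'];
    }
    // Store and later serve the file under $info['mime'], never under the
    // client-supplied $_FILES[...]['type'], and send X-Content-Type-Options: nosniff.
    return [true, $info['mime']];
}

// Usage in an upload handler (form field name "upload" is assumed):
if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    [$ok, $detail] = validateImageUpload($_FILES['upload']['tmp_name']);
    http_response_code($ok ? 200 : 415);
    echo $ok ? "accepted as {$detail}" : "rejected: {$detail}";
}
```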
--- Begin Message ---
On Sun, 2010-08-15 at 08:43 +0200, Peter Lind wrote:

> On 15 August 2010 06:14, Paul M Foster <pa...@quillandmouse.com> wrote:
> > On Sat, Aug 14, 2010 at 10:36:07PM +0200, Sebastian Ewert wrote:
> >
> >> Hi,
> >>
> >> before I allow images to be uploaded I read them and check for several html
> >> tags. If they exist I don't allow the upload. Is there any need to check
> >> pdf files, too? At the moment I'm doing this, but the result is that many
> >> files are denied because of disallowed html tags.
> >
> > If I'm not mistaken, more recent versions of the PDF spec allow for
> > embedded javascript. If so, it might be worthwhile to check for
> > javascript in PDFs. (Whoever first thought of embedding *code* in
> > documents should be shot.)
> >
> 
> I personally wouldn't bother: it is the responsibility of Adobe Reader
> or whichever pdf reader a user is using, to make sure that nothing
> evil comes of viewing a pdf. There's very little chance you'll be able
> to properly check pdfs serverside for the various security exploits
> they may contain - the pdf reader would/should be much better equipped
> to do this (the fact that Adobe has failed miserably at it so far is
> another thing).
> 
> Sebastian, I personally think the best check for validity is, taking
> images as an example, opening the image using Imagick or something
> like it. After opening, verify that the image has valid dimensions and
> type: a string of javascript or something like it simply won't
> validate as an image. I've typically used
> http://dk2.php.net/manual/en/function.getimagesize.php for this
> myself, as there isn't a lot of overhead with that function - I don't
> know if Imagick would be faster though, you'd have to check.
> 
> Regards
> Peter
> 
> -- 
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>
> 


If you're that worried about PDFs, then maybe you could run them
through Clam via an exec() call. I believe a lot of the pdf holes have
been picked up by the antivirus groups out there, as Adobe does seem to
be a bit slow to plug them.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
OK THX to everyone. I will check the images with imagick and leave the
pdfs as Adobe's responsibility. One worry less.

--- End Message ---
--- Begin Message ---
Thanks tedd.


On Aug 14, 2010, at 7:45 AM, tedd wrote:

> At 1:08 AM -0500 8/14/10, Karl DeSaulniers wrote:
>> Hello all,
>> I was wondering, can you reference php in a url string like you can javascript?
>> EG:
>> "javascript:someFunction()"
>>
>> Can you do something similar in php like
>>
>> "php:someFunction()"
>>
>> I am thinking that you can not do this, but was wondering if there was something like that.
>> Thanks,
>
> Karl:
>
> As others have answered, no, php doesn't work that way.
>
> However, you can still send/receive strings through a url via $_GET and direct the actions of a receiving php script, and you can do the same thing via $_POST.
>
> As such, a "php:someFunction()" could be a:
>
> url?php=someFunction
>
> Where the receiving script takes the command and runs someFunction().
>
> However, I would shorten it a bit and say
>
> url?php=18
>
> Where php would be the command to run a function and 18 would be the function you want to run.
>
> So, while you can't use the same syntax as javascript, you can get the same performance.
>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com/

Karl DeSaulniers
Design Drumm
http://designdrumm.com


--- End Message ---
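tedd's "url?php=18" idea, as an added example that is neither tedd's nor Karl's code: the request parameter is never used as a function name, only as an opaque key into a fixed dispatch table, so a caller can reach the listed handlers and nothing else. The handler functions and the parameter name "php" are assumed for illustration.

```php
<?php
// Added example, not code from the thread. Maps tedd's numeric command ids
// onto a fixed set of handlers; the request value itself is never executed.

function showProfile(): string { return 'profile page'; }   // assumed handler
function listOrders(): string  { return 'order list'; }     // assumed handler

const DISPATCH = [
    '18' => 'showProfile',
    '19' => 'listOrders',
];

/** Returns [int $httpStatus, string $body] for a query array such as $_GET. */
function dispatch(array $query): array
{
    // Missing, non-string and unknown keys all take the same rejection path.
    // is_string() matters because PHP parses "php[]=18" into an array.
    $key = $query['php'] ?? null;
    if (!is_string($key) || !array_key_exists($key, DISPATCH)) {
        return [400, 'unknown command'];
    }
    // Calling $query['php']() directly here would let the caller name any
    // function; the table lookup is what keeps "takes the command and runs
    // someFunction()" limited to the functions listed above.
    $handler = DISPATCH[$key];
    return [200, $handler()];
}

// Usage: route the current request.
[$status, $body] = dispatch($_GET);
http_response_code($status);
echo $body;
```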
