Ashley Sheridan am Montag, 23. September 2013 - 21:35:

> No, no, no! That is not a good stand-in for fundamental security
> principles!
> This is a better method for ensuring an image is really an image:
> <?php
> if(isset($_FILES['file']))
> {
>       list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
>       if($width && $height)
>       {
>               $source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
>               $dest = imagecreatetruecolor($width, $height);
>               imagecopyresampled($dest, $source,
>               0, 0, 0, 0,
>               $width, $height, $width, $height);
>               imagejpeg($dest, basename($_FILES['file']['tmp_name']));
>       }
>       else
>               echo "{$_FILES['file']['name']} is not a jpeg";
> }
> ?>
> <form enctype="multipart/form-data" method="post">
>       <input type="file" name="file"/>
>       <input type="submit" name="submit" value="submit"/>
> </form>
> Obviously it's only rough, and checks only for jpeg images, but
> easy to alter. I've just tested this with a regular jpeg, the same
> with PHP code concatenated onto the end (which still appears to be a
> valid image to viewing/editing software) and a pure PHP file with a
> extension. In the case of the first 2, a new jpeg is generated with
> same image and without the code. The third example just echoes out an
> error.

Dear Ashley, nice, but useless for this problem!

First, because users may upload other things than images! PDF's, audio
files, videos etc! And on behalf images: GD you are using handles only
jpeg, gif and png. There are about hunderd other image types on the way,
users can upload! How to detect them, if the extension is missleading?

And even if we succeed: As your script demonstrates very well, malicious
code does not affect the rendering of the image. The hacker says: Hi,
this is a nice picture, play it, and then, please do this--follows his
code, that can be a desaster for the whole system.

Yes, your script seems to purge the image file, simply because GD does
not copy the malware code. But why are you sure about that? You cannot
see that code, OK, but may be it was executed in the plain GD
environement? What you are doing is dangerous, because you force the
execution of things that should be never executed!

"no no no" forget it. After all we cannot exclude that users come in
with malware. But we MUST exclude, it is executed on the web server.
That is the Apache chainsaw massacre as Steward whould say. And probably
it can be avoided by purging the filenames (not the files!). 

Nevertheless, the standard configuration of the Apache servers is
basically unacceptable. It must execute user requests and never ever
user files! Period.

Have nice days,

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to