Are you afraid of someone embedding PHP in a .jpg file? That's not really an issue as your web server is probably configured to only serve up PHP as .php files. Likewise, your web server config is likely such that any .jpg file is served up as content-type image/jpeg and as such it really doesn't matter what sort of junk is embedded in the image. At most it will show up as a broken image icon in your browser.
-Rasmus On Tue, 14 May 2002, Andre Dubuc wrote: > Thanks Rasmus, > > I thought there had to be function out there that could examine the actual > contents. > > Now the question remains, would an ereg/eregi check for html/code/commands > work on a "jpg/jpeg" type file? From a brief examination of one, I note that > it's not text, but code. I tried writing some text commands into a jpeg file > to see what would happen, and wasn't too surprised that the file didn't load > -- but then again, I don't know what I'm doing:> > > I suppose, following what I saw in a movie "Along Came a Spider" -- > manipulating image files with hidden text files, etc. -- sort of put me on > guard. I have no idea whether this is even possible. . . sounds probable > though. Would be great to find out before the site is compromised. > > Tia, > Andre > > > On Tuesday 14 May 2002 10:32 pm, you wrote: > > Have a look at the getimagesize() function. This function looks at the > > actual file data, not the mime type nor the file's extension but the data > > itself and tells you what sort of image file it is. > > > > And no, it wouldn't really be after the fact because because stores the > > file with a temporary random filename in /tmp ensuring not to overwrite > > anything that is already there. It is then your job to perform the check > > and copy the file to some appropriate directory on your server. If you > > don't do anything with the file, PHP will automatically delete it at the > > end of the request. > > > > -Rasmus > > > > On Tue, 14 May 2002, Andre Dubuc wrote: > > > My question will probably expose my woeful lack understanding of security > > > breaches, but perhaps someone can enlighten me. > > > > > > On my site, registered members will be allowed to upload jpg/jpeg > > > pictures. I'm concerned about possible security problems. First, is there > > > a way to ensure that a picture (and not some other malicious stuff) has > > > been uploaded? > > > > > > Aside from checking the mime type info associated with the file, is there > > > any way of verifying what's in the file that has been uploaded? (I'm > > > using Linux LM8.2) Would it be possible to fake info to fool this check? > > > Would verification checks for html/scripts/commands be of any use? > > > > > > Secondly, since the file in question is already uploaded and saved to > > > disk in /tmp or wherever, wouldn't any verification scheme be sort of, > > > 'after-the-fact'? > > > > > > I would appreciate any input, suggestions, or ideas on what to do here. > > > Am I being overly-paranoid about this, or do I have legitimate security > > > concern. > > > > > > Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 > > > > > > Tia, > > > Andre > > > > > > > > > -- > > > Please pray the Holy Rosary to end the holocaust of abortion. > > > Remember in your prayers the Holy Souls in Purgatory. > > > > > > May God bless you abundantly in His love! > > > For a free Cenacle Scriptural Rosary Booklet: > > > http://www.webhart.net/csrb/ > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > -- > Please pray the Holy Rosary to end the holocaust of abortion. > Remember in your prayers the Holy Souls in Purgatory. > > May God bless you abundantly in His love! > For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
