Re: Verifying images with getimagesize()

On Sat, June 25, 2005 8:41 am, Jack Jackson said:
> Thanks for telling me about that, Edward. I appreciate it. Actually in
> this case I was using it only to verify that it was something like an
> image to validate the file type before allowing it on the server. But
> you raise a very good point and I appreciate it.

Just to be sure we aren't providing a false sense of security through
silence...

It *IS* possible (remotely, theoretically) somebody could construct an
image that passes getimagesize() and is a really nasty binary trojan
software hack to destroy your site.

It's even possible (very remotely, very theoretically) that it would look
like a perfectly fine image in Photoshop or any other application.

getimagesize() does not magically make you 100% "safe" -- It just means
that at least they took SOME effort to disguise the malware, and will have
to make a great deal of effort to make that malware execute and actually
*do* something, much less do something destructive.

Feel free to try chmod-ing your JPGs to be executable and then do
/full/path/to/images/silly.jpg from the command line...

Errr. Maybe you'd better do this on a computer you don't care about JUST
IN CASE.  You'd have to stumble across the 1 in a zillion chance this
would actually do anything, but it's there...

I think the first few bytes alone of a valid image are, by definition, not
a valid binary executable file, but don't quote me on that.

Throw PHP into the picture, though, and imagine they manage to get their
JPG file to be passed through the PHP parser, and they have a "comment" in
their JPG that says:
<?php exec("rm -rf /");?>

Granted, your application would have to be pretty screwed up to let them
run that JPEG through as if it were HTML/PHP, but it's not impossible to
find "holes" in well-known applications that let Bad Guys run arbitrary
files through PHP...

I'm not saying anybody has or hasn't developed such an image yet; only
that it COULD be developed.

Take a valid JPEG, keep the first N bytes that getimagesize() looks at,
and cram some PHP code on the end.  Voila!

Note that anybody smart enough to develop that image, would probably be
able to break into your site (or at least most sites) a lot easier some
other way. :-) :-) :-)

Also note that once that image existed, any idiot could upload it and take
advantage of it. :-( :-( :-(

Tip:
Nothing beats the human eye for finding bad stuff.
If you are worried about this, give your users a "feedback" link to notify
you of images that "look wrong"

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
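
An added example, not part of the original message: one way to handle an upload so that passing getimagesize() is only the first step, followed by re-encoding the pixels with GD and storing the result under a server-chosen name. The function store_upload(), its parameters and the sample file are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. Requires the GD extension.
// store_upload() and its parameters are hypothetical names.

/**
 * Re-encode an upload as a fresh JPEG under a server-chosen name.
 * Returns the stored path, or null when the file is rejected.
 */
function store_upload(string $tmpPath, string $destDir): ?string
{
    // 1. The header check from the thread: necessary, not sufficient.
    $info = @getimagesize($tmpPath);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }

    // 2. Decode the pixels and write a new file from them. Comment
    //    segments and bytes after the image data are not carried over.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // 3. Server-generated name with a fixed extension, so the client
    //    has no say in which handler the web server picks for the file.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($img, $dest, 90) ? $dest : null;
}

// Constructed sample: a small valid JPEG with an inert marker appended,
// standing in for the "PHP code on the end" case described above.
$dir    = sys_get_temp_dir();
$sample = tempnam($dir, 'up');
imagejpeg(imagecreatetruecolor(8, 8), $sample);
$marker = '<?php /* inert marker */ ?>';
file_put_contents($sample, $marker, FILE_APPEND);

$headerOk = getimagesize($sample) !== false;
$stored   = store_upload($sample, $dir);
$clean    = $stored !== null
    && strpos(file_get_contents($stored), $marker) === false;

printf("getimagesize() accepts sample: %s\n", var_export($headerOk, true));
printf("re-encoded copy stored:        %s\n", var_export($stored !== null, true));
printf("marker absent from stored copy: %s\n", var_export($clean, true));
```

The destination directory should also be one the web server never hands to the PHP interpreter, since re-encoding narrows the problem but the decision to parse a file as PHP is made by the server configuration.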