tedd wrote:
> At 11:45 PM +1100 12/16/08, Tim Starling wrote:
>> I thought the list might be interested in a tutorial for secure
>> web-based file uploads that I just wrote:
>>
>> http://tstarling.com/blog/2008/12/secure-web-uploads/
>>
>> -- Tim Starling
>
> Tim:
>
> That's a good read -- thanks -- but it's more of an article than a
> tutorial.
>
> In any event, instead of posting to your blog, I thought starting a
> dialog here might serve the php community better. So here goes:
>
> In your blog you suggest looking for the magic number in image files
> and not using getimagesize(). So what about this approach?
>
> 1. Restrict the File-Type.
> 2. Pass the file through exif_read_data() and see if File-Type and
>    MimeType match.
> 3. Resize the image.
>
> Do you see any security problems with this?
>
> I can't imagine evil code still working after someone resizes the file.
>

That depends on whether the resize preserves metadata. ImageMagick's -resize does. Internet Explorer will search the metadata looking for HTML tags and other indications of file type, if it's in the first 255 bytes. exif_read_data() only works for JPEG and TIFF, and IE is fairly secure for JPEG, so it's not a problem if you restrict uploads to JPEG. But if you extended your scheme to PNG, it's easy to imagine a vulnerability being exposed for IE 6 clients.

The image data is another issue. Whether it's possible to construct an image such that, when resized by a certain factor and then compressed by a known algorithm, the resulting compressed stream contains given text, is an open question. I suspect it is, but it probably won't be a technique within reach of the average spammer until some security researcher publishes a script.

-- Tim Starling
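The metadata point in the reply above, as an added example that is not part of the original thread: a check for HTML-looking text in the first 255 bytes of an upload, run before and after a decode and re-encode that writes only pixel data. The marker list and the function names `has_sniffable_html`, `png_chunk` and `reencode_png` are assumptions made for illustration (the list is not Internet Explorer's actual sniffing table), and the code assumes the `gd` and `zlib` extensions are loaded.

```php
<?php
// Added example. SNIFF_WINDOW comes from the reply ("first 255 bytes");
// HTML_MARKERS is an illustrative assumption, not IE's real table.
const SNIFF_WINDOW = 255;
const HTML_MARKERS = ['<html', '<head', '<body', '<script', '<title',
                      '<a href', '<img', '<table', '<pre', '<plaintext'];

// True if the start of the file contains text a sniffing browser could read as HTML.
function has_sniffable_html(string $bytes): bool
{
    $head = strtolower(substr($bytes, 0, SNIFF_WINDOW));
    foreach (HTML_MARKERS as $marker) {
        if (strpos($head, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Build one PNG chunk: length, type, data, CRC over type+data.
function png_chunk(string $type, string $data): string
{
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

// Decode to a bitmap and re-encode with GD, so text chunks are not carried over.
function reencode_png(string $bytes): string
{
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException('upload is not a decodable image');
    }
    ob_start();
    imagepng($img);
    return ob_get_clean();
}

// Constructed sample: a valid 1x1 grayscale PNG whose tEXt chunk holds HTML
// immediately after IHDR, i.e. well inside the sniffing window.
$upload = "\x89PNG\r\n\x1a\n"
    . png_chunk('IHDR', pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0))
    . png_chunk('tEXt', "Comment\0<html><body>constructed sample</body>")
    . png_chunk('IDAT', gzcompress("\x00\x00"))
    . png_chunk('IEND', '');

var_dump(has_sniffable_html($upload));               // file as uploaded
var_dump(has_sniffable_html(reencode_png($upload))); // file after re-encoding
```

Running the check on the re-encoded output as well as the upload also covers the second concern in the reply, that the compressed pixel stream itself might contain chosen text.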