Malicious code using image upload

There is a part of my site that allows users to upload profile photos. I worry about people uploading malicious code. I plan to limit the file types to .jpg / .png / .gif / .jpeg.

I worry that this will not be enough. I am going to resize images on the server. Will the process of resizing photos be sufficient to ensure that the image is actually a non-malicious image file?

I will use the following to resize photos. I will not store the originals on the server, and the file names will be changed.

    // Resample the decoded source image into a new canvas ($thumb), then write it out as a fresh JPEG
    imagecopyresampled($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
    imagejpeg($thumb, $fullpath, 90);
3 answers

Just do this to make sure you are working with the image:

    // getimagesize() parses the image header and returns false if it cannot recognise one
    if (getimagesize($sourcePath) === false) {
        die("Not an image!");
    }

For added security, you should disable PHP execution in the upload folder. In .htaccess:

    # Turns the PHP engine off for this directory (the PHP manual spells this boolean setting as php_flag engine off)
    php_value engine off
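Putting the resize step from the question together with the checks in the answer above, here is an added example; it is not code from the question or from any of the answers. The function name storeProfilePhoto, the size limits, the temp-directory target and the constructed GIF are assumptions made for this illustration. It goes slightly beyond the answer: besides getimagesize() it checks the real MIME type with finfo, decodes the pixels with GD (so a file that merely starts with a valid header still fails), re-encodes the result into a new JPEG under a random server-chosen name, and then shows on a constructed GIF carrying a PHP tag in its comment block that the payload does not survive the re-encode.

```php
<?php
// Added example (not from the question or any answer): an upload handler that
// combines the checks discussed on this page. Names, limits and the sample GIF
// are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_SIDE     = 256;   // thumbnail edge length (assumed)

/**
 * Validate an uploaded file and re-encode it as a fresh JPEG under a random name.
 * Returns the new path, or throws on any failed check.
 */
function storeProfilePhoto(string $tmpPath, string $originalName, string $uploadDir): string
{
    // 1. Extension whitelist: a first filter only, the client controls the name.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content-based MIME check via libmagic (looks at bytes, not the name).
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("unexpected MIME type: $mime");
    }

    // 3. getimagesize() parses the header only: a cheap sanity check, not proof
    //    that the rest of the file is harmless.
    $info = getimagesize($tmpPath);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$width, $height] = $info;
    if ($width < 1 || $height < 1 || $width * $height > 25_000_000) {
        throw new RuntimeException('unreasonable dimensions');   // decompression-bomb guard
    }

    // 4. Fully decode the pixels; anything GD cannot decode is rejected here.
    $source = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($source === false) {
        throw new RuntimeException('GD could not decode the file');
    }

    // 5. Resample into a brand-new canvas: only pixel data is carried over.
    //    Comment blocks, EXIF, trailing bytes and polyglot headers are not.
    $scale     = min(1.0, MAX_SIDE / max($width, $height));
    $newWidth  = max(1, (int) round($width * $scale));
    $newHeight = max(1, (int) round($height * $scale));
    $thumb     = imagecreatetruecolor($newWidth, $newHeight);
    imagecopyresampled($thumb, $source, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);

    // 6. Random server-chosen name with a fixed extension; the client's name is never used.
    $fullPath = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($thumb, $fullPath, 90)) {
        throw new RuntimeException('could not write thumbnail');
    }
    imagedestroy($source);
    imagedestroy($thumb);
    return $fullPath;
}

// --- Demonstration on a constructed "malicious" GIF ---------------------------
// A valid 1x1 GIF whose Comment Extension block carries a PHP tag. It passes the
// extension, MIME and getimagesize() checks, which is exactly the worry in the question.
$payload = '<?php echo "pwned"; ?>';
$gif = "GIF89a" . pack('vv', 1, 1) . "\x80\x00\x00"          // header, 1x1, global colour table present
     . "\x00\x00\x00\xff\xff\xff"                             // two-entry palette
     . "\x21\xfe" . chr(strlen($payload)) . $payload . "\x00"   // comment extension with the payload
     . "\x2c" . pack('vvvv', 0, 0, 1, 1) . "\x00"            // image descriptor
     . "\x02\x02\x44\x01\x00"                                 // LZW data for a single pixel
     . "\x3b";                                                // trailer

$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);

$stored = storeProfilePhoto($tmp, 'avatar.gif', sys_get_temp_dir());
echo "uploaded bytes contain '<?php': " . (str_contains($gif, '<?php') ? 'yes' : 'no') . "\n";
echo "stored file contains '<?php':   " . (str_contains(file_get_contents($stored), '<?php') ? 'yes' : 'no') . "\n";
```

Run it with the GD and fileinfo extensions enabled (PHP 8 for str_contains). The point of the demonstration is the last two lines: the crafted upload gets through every header-level check, and it is the decode-and-re-encode step, not the checks, that leaves nothing of the comment block in the stored JPEG. Keeping the upload directory non-executable (the .htaccess line above, or storing the files outside the web root) is still worth doing as a second layer, since it protects you even if a future bug lets an unprocessed file land there.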
Good question. I found the link that is being discussed here:

http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html

From personal experience, I basically only allow images to be uploaded behind password protection, so I "know" my users, but I almost always do resizing as well, since my gut feeling is that it would be enough, because it destroys the original file and replaces it with its own resampled version.


This is not a problem, because I do not see how this can happen. However, I do not know what your functions are (you did not publish the source code).

As far as I know, it's impossible to inject PHP. You can inject SQL, JavaScript, HTML, ...


Source: https://habr.com/ru/post/889431/
