Newsgroups: php.internals
Subject: Re: [PHP-DEV] JPEG Upload
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Richard Lynch
Cc: internals@lists.php.net
Date: Sat, 5 May 2012 19:29:59 +0200

On Sat, May 5, 2012 at 6:32 PM, Richard Lynch wrote:
> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> > In most systems you can upload *anything* with a .jpg extension and the
> > app will take it, so you can still include the file
>
> People don't use imagecreatefromjpeg() to be sure it isn't some ware
> or executable or PHP script disguised as a JPEG?!
>
> That's just crazy.
>
> And inexcusable in a framework.
>
> Somebody might be able to craft a "JPEG" that validates and still
> manages to somehow parse some PHP in the middle... Probably using JPEG
> comments so it's easier.

Yeah, and injecting PHP code through the JPEG comments isn't new either; see
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
but I bet I could find even older posts discussing the topic.

So imo the correct remedy for this situation is to prevent your uploaded
files from being executed in the first place, instead of trying to write an
error-prone method to detect malicious content inside your uploaded media
files.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
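The "prevent execution" remedy Ferenc recommends, as an added example that is not part of the original thread: an nginx + php-fpm fragment in which the uploads directory is served strictly as static downloads and the PHP handler only runs scripts that really exist. The document root, the /uploads/ path and the FastCGI socket are assumptions.

```nginx
# Added example (not from the thread). Assumes uploads are written to
# $document_root/uploads/ and PHP runs under php-fpm on a Unix socket.

server {
    root /var/www/app/public;

    # Uploads: static files only. The '^~' prefix match takes priority
    # over the regex PHP location below, so nothing under /uploads/ is
    # ever handed to the interpreter, whatever its extension or content.
    location ^~ /uploads/ {
        # Serve every upload as an opaque download: an empty types block
        # means no extension-based MIME guess, and nosniff stops the
        # browser from guessing either.
        types { }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
        add_header Content-Disposition attachment;
        try_files $uri =404;
    }

    # Application scripts: only real .php files outside /uploads/ run.
    location ~ \.php$ {
        # Refuse requests whose path does not map to an existing script
        # (path-info suffixes included) instead of letting php-fpm guess.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Pair this with cgi.fix_pathinfo=0 in php.ini and security.limit_extensions = .php in the php-fpm pool, so the interpreter itself also refuses to run anything that is not a .php file.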