Newsgroups: php.internals
Subject: Re: [PHP-DEV] JPEG Upload
From: ceo@l-i-e.com ("Richard Lynch")
To: internals@lists.php.net
Date: Sat, 5 May 2012 12:50:21 -0500
Message-ID: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com>

On Sat, May 5, 2012 12:29 pm, Ferenc Kovacs wrote:
> On Sat, May 5, 2012 at 6:32 PM, Richard Lynch wrote:
>
>> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
>> > In most systems you can upload *anything* with a .jpg extension and
>> > the app will take it, so you can still include the file
>>
>> People don't use imagecreatefromjpeg() to be sure it isn't some ware
>> or executable or PHP script disguised as a JPEG?!
>>
>> That's just crazy.
>>
>> And inexcusable in a framework.
>>
>> Somebody might be able to craft a "JPEG" that validates and still
>> manages to somehow parse some PHP in the middle... Probably using
>> JPEG comments so it's easier.
>>
> yeah, and injecting php code through the jpeg comments isn't new also, see
> http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
> but I bet I could find even older posts discussing the topic.
> so imo the correct remedy for this situation is to prevent your uploaded
> files to be executed at the first place, instead of trying to write an
> error-prone method to detect malicious content inside your uploaded media
> files.

getImageSize is not better than fileinfo...
If the whole thing parses as an image with imagecreatefromjpeg() I should think that's a bit tougher to create a hack that works.

Then one can strip off the exif info with the comments, I believe.

And, yes, ideally one would keep images in a totally separate directory not even in the webtree... Which I do, but some folks can bear the cost of passing the image "through" PHP.

--
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
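The handling the thread converges on (check the bytes rather than the extension, require the whole file to decode with imagecreatefromjpeg(), drop the comment/EXIF segments, keep the file outside the web tree and serve it through PHP) as one added PHP example. This is not code from the thread or from PHP itself; the upload directory, the size cap, the form field name and the serving route are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Defensive handling of an uploaded JPEG:
// validate by content, fully decode with GD, re-encode to drop COM/EXIF
// segments, store under a server-chosen name outside the document root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: NOT under the web root
const MAX_BYTES  = 5 * 1024 * 1024;      // assumed size cap

/**
 * Validate and sanitise one entry of $_FILES. Returns the absolute path of
 * the stored, re-encoded file, or throws on anything that is not a JPEG.
 */
function store_uploaded_jpeg(array $file): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Cheap first check: magic bytes via fileinfo, ignoring the client-supplied
    // filename and Content-Type entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('not a JPEG by content');
    }

    // Stronger check: the whole stream must decode. GD emits a warning and
    // returns false on truncated or non-JPEG data; treat that as rejection.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG did not decode');
    }

    // Re-encode from decoded pixels only. Comment (COM) and EXIF (APP1)
    // segments of the original are not carried into the new file.
    $name = bin2hex(random_bytes(16)) . '.jpg';   // server-chosen, never the original name
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('re-encode failed');
    }
    chmod($dest, 0640);   // readable by the app, not executable, not world-readable
    return $dest;
}

/**
 * Serve a stored image "through" PHP. The name must match the exact shape we
 * generate, so no path is ever built from arbitrary user input.
 */
function serve_jpeg(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.jpg$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumed form field "photo" and query parameter "img"):
// $stored = store_uploaded_jpeg($_FILES['photo']);
// serve_jpeg($_GET['img'] ?? '');
```

Two caveats worth keeping in mind. The re-encode is lossy, so keep quality high if fidelity matters, and it also discards legitimate metadata (orientation, colour profile) that some applications want back. And the decode-and-re-encode step only reduces what an attacker can smuggle inside the file; Ferenc's point still stands that the decisive control is the directory and server configuration that guarantee uploaded files are never executed, which the out-of-webroot path and the mode bits above are there to enforce.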