Newsgroups: php.internals
Subject: Re: [PHP-DEV] JPEG Upload
From: tom@punkave.com (Tom Boutell)
To: Richard Lynch
Cc: internals@lists.php.net
Date: Sat, 5 May 2012 13:59:19 -0400
Message-ID: <58DC6671-ED6F-4307-AE78-FCFF1E9B781E@punkave.com>
In-Reply-To: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com>

This whole business of bending over backwards to prevent injection of PHP when Apache is misconfigured just encourages Apache misconfiguration IMHO. Smart people are protecting you, you don't have to do these things right, don't worry about it!

Sent from my iPhone

On May 5, 2012, at 1:50 PM, "Richard Lynch" wrote:

> On Sat, May 5, 2012 12:29 pm, Ferenc Kovacs wrote:
>> On Sat, May 5, 2012 at 6:32 PM, Richard Lynch wrote:
>>
>>> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
>>>> In most systems you can upload *anything* with a .jpg extension and
>>>> the app will take it, so you can still include the file
>>>
>>> People don't use imagecreatefromjpeg() to be sure it isn't some ware
>>> or executable or PHP script disguised as a JPEG?!
>>>
>>> That's just crazy.
>>>
>>> And inexcusable in a framework.
>>>
>>> Somebody might be able to craft a "JPEG" that validates and still
>>> manages to somehow parse some PHP in the middle... Probably using JPEG
>>> comments so it's easier.
>>>
>>>
>> Yeah, and injecting PHP code through the JPEG comments isn't new either, see
>> http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
>> but I bet I could find even older posts discussing the topic.
>> So IMO the correct remedy for this situation is to prevent your uploaded
>> files from being executed in the first place, instead of trying to write an
>> error-prone method to detect malicious content inside your uploaded media
>> files.
>
> getImageSize is not better than fileinfo...
>
> If the whole thing parses as an image with imagecreatefromjpeg() I
> should think that's a bit tougher to create a hack that works.
>
> Then one can strip off the exif info with the comments, I believe.
>
> And, yes, ideally one would keep images in a totally separate
> directory not even in the webtree... Which I do, but some folks can
> bear the cost of passing the image "through" PHP.
>
> --
> brain cancer update:
> http://richardlynch.blogspot.com/search/label/brain%20tumor
> Donate:
> https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
>
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>