Newsgroups: php.internals
Xref: news.php.net php.internals:60480
Message-ID: <4FA576EB.5040907@gmail.com>
Date: Sat, 05 May 2012 20:52:27 +0200
From: Ángel González <keisial@gmail.com>
To: Sanford Whiteman
CC: internals@lists.php.net
References: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com> <613522097.20120505140848@cypressintegrated.com>
In-Reply-To: <613522097.20120505140848@cypressintegrated.com>
Subject: Re: [PHP-DEV] JPEG Upload

On 05/05/12 20:08, Sanford Whiteman wrote:
> This presupposes that your users don't expect embedded metadata to be
> preserved when people redownload the images.
>
> Not only do photo professionals/hobbyists expect you to keep the
> metadata, you also should leave it in for reasons of legality. Hosting
> a bunch of stripped images can make you look really bad. We only strip
> metadata that is known to cause browser display problems (mostly old
> IE6/Adobe comment bugs).
>
> Bottom line is you have to make sure PHP never parses the files.
>
> -- S.

Moreover, that still doesn't protect you, as it would be possible to make a
valid image where the payload happened to be in the image data.

I haven't tried to create such a malicious image, but I have found legit
images that tripped bad-image-detection heuristics looking for a 4-byte magic.
Image contents are "a bunch of random bytes", but 'DROP TABLE Students;' is
binary data, too.
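The two points made in this exchange (stripping metadata does not remove a payload that sits in the entropy-coded image data, and a magic-byte scan over "a bunch of random bytes" fires on legitimate files) can be shown concretely with a marker-level JPEG walker. The following is an added example, not code from the thread or from PHP itself; the JPEG files it builds are constructed inline and are well-formed at the marker level but are not meant to decode to a picture, and every function name in it (`build_jpeg`, `strip_metadata`, `scan_for_magic`, `expected_chance_hits`, `safe_storage_name`) is this example's own. It also goes slightly beyond the anecdote in the mail by giving the expected number of accidental matches for a magic string of any length.

```python
"""Added example: why metadata stripping and magic-byte scanning are not
a security boundary for JPEG uploads.  Constructed data only; the JPEGs
are marker-level well-formed but not decodable images."""
import os
import random
import struct

SOI, EOI, SOS, COM, SOF0, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xC0, 0xE0
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0..7 carry no length


def segment(marker, payload):
    """FF <marker> <16-bit length including itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def stuff(scan):
    """Byte-stuff entropy-coded data: a literal 0xFF is written as FF 00."""
    return scan.replace(b"\xff", b"\xff\x00")


def build_jpeg(scan, comment=None):
    """SOI, JFIF APP0, optional COM, one-component SOF0, SOS, scan data, EOI."""
    out = [b"\xff\xd8",
           segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")]
    if comment is not None:
        out.append(segment(COM, comment))
    out.append(segment(SOF0, b"\x08" + struct.pack(">HH", 8, 8) + b"\x01\x01\x11\x00"))
    out.append(segment(SOS, b"\x01\x01\x00\x00\x3f\x00"))
    out.append(stuff(scan))
    out.append(b"\xff\xd9")
    return b"".join(out)


def parse_jpeg(data):
    """Walk marker segments up to SOS; return (segments, entropy-coded bytes).
    Raises ValueError on anything that is not a well-formed marker stream."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos, segs = 2, []
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length")
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            break
    # Scan data runs until a marker that is neither FF00 stuffing nor RSTn.
    end = pos
    while True:
        end = data.find(b"\xff", end)
        if end < 0:
            raise ValueError("missing EOI")
        nxt = data[end + 1] if end + 1 < len(data) else None
        if nxt == 0x00 or (nxt is not None and 0xD0 <= nxt <= 0xD7):
            end += 2
            continue
        break
    if data[end:end + 2] != b"\xff\xd9":
        raise ValueError("unexpected marker inside scan data")
    return segs, data[pos:end]


def strip_metadata(data):
    """Drop COM and APP1..APP15 (the 'strip what breaks browsers' policy);
    keep APP0/JFIF, the frame/scan headers and the scan data untouched."""
    segs, scan = parse_jpeg(data)
    kept = [b"\xff\xd8"]
    for marker, payload in segs:
        if marker == COM or 0xE1 <= marker <= 0xEF:
            continue
        kept.append(segment(marker, payload))
    kept.append(scan)            # already byte-stuffed as it was in the file
    kept.append(b"\xff\xd9")
    return b"".join(kept)


def scan_for_magic(data, magic=b"<?php"):
    """The heuristic under discussion: count a fixed magic string anywhere."""
    return data.count(magic)


def expected_chance_hits(file_size, magic_len):
    """Expected accidental matches of a magic_len-byte string in file_size
    bytes of uniform random data, which is what scan data looks like."""
    return file_size / 256 ** magic_len


def safe_storage_name():
    """Hypothetical helper for the actual control: a server-chosen name with
    a fixed extension, stored outside the document root, so neither the
    client's filename nor the file's bytes ever reach the PHP handler."""
    return os.urandom(16).hex() + ".jpg"


if __name__ == "__main__":
    payload = b"<?php echo 'x'; ?>"
    in_comment = build_jpeg(b"\x12\x34" * 64, comment=payload)
    in_scan = build_jpeg(b"\x12\x34" * 32 + payload + b"\x56\x78" * 32)
    for where, img in (("COM segment", in_comment), ("scan data", in_scan)):
        print(where, "hits before strip:", scan_for_magic(img),
              "after strip:", scan_for_magic(strip_metadata(img)))
    noise = random.Random(2012).randbytes(1 << 20)   # constructed stand-in
    print("'<?' hits in 1 MiB of noise:", scan_for_magic(noise, b"<?"),
          "expected:", expected_chance_hits(1 << 20, 2))
```

Run stand-alone, the script shows the payload placed in the COM segment disappearing after `strip_metadata`, the same payload placed in the scan data surviving it, and a two-byte magic firing many times on plain noise. With a four-byte magic the per-file rate drops to about 2.4e-4 hits per MiB, which is exactly the "rare but real" behaviour described in the mail once a site hosts terabytes of images; the scanner's verdict therefore cannot be the thing that keeps PHP from parsing an upload, the storage and serving path has to be.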