Newsgroups: php.internals
Date: Sat, 5 May 2012 18:16:23 -0400
From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman)
Reply-To: Sanford Whiteman
To: "internals@lists.php.net"
Subject: Re: [PHP-DEV] JPEG Upload
Message-ID: <1756391667.20120505181623@cypressintegrated.com>
In-Reply-To: <4FA576EB.5040907@gmail.com>
References: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com> <613522097.20120505140848@cypressintegrated.com> <4FA576EB.5040907@gmail.com>

> Moreover, that still doesn't protect you, as it would be possible to
> make a valid image where the payload happened in the image data...

Agreed.
But sanitizing input by silently removing blocks of data your users
rightfully expect to be preserved? That's egregious, even if it "worked."

(Like many such discussions, I almost can't believe we're having this
one... I mean, executing images is just not normal whether or not you can
"bear the (performance) cost." Who is doing this on purpose?)

-- S.
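To make the two points in this exchange concrete (a metadata-stripping "sanitizer" discards segments users expect to keep, and it never touches the entropy-coded scan data, so it cannot be a security boundary), here is an added example that is not code from the php.internals thread or from PHP itself. It walks the marker/segment structure of a JPEG and shows what a segment stripper removes and what it leaves intact. The function names `walk_segments` and `strip_metadata` and the `SAMPLE_JPEG` bytes are my own constructions; the sample is a structural skeleton with valid segment framing, not a decodable image.

```python
"""Walk JPEG marker segments and show what a metadata stripper can and cannot touch.

Added example, not from the mailing-list thread. Function names and the
SAMPLE_JPEG bytes below are constructed for illustration.
"""
import struct

# Markers that carry no 2-byte length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

MARKER_NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xFE: "COM", 0xDB: "DQT",
                0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}


def marker_name(m):
    if m in MARKER_NAMES:
        return MARKER_NAMES[m]
    if 0xE0 <= m <= 0xEF:
        return "APP%d" % (m - 0xE0)
    if 0xD0 <= m <= 0xD7:
        return "RST%d" % (m - 0xD0)
    return "0x%02X" % m


def walk_segments(data):
    """Return a list of (name, start, end) tuples covering every byte of the file.

    Entropy-coded data after an SOS header is reported as a "SCAN" region;
    bytes after EOI are reported as "TRAILING".
    """
    segments = []
    pos, n = 0, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError("expected marker byte 0xFF at offset %d" % pos)
        if data[pos + 1] == 0xFF:        # fill byte, legal before a marker
            pos += 1
            continue
        m = data[pos + 1]
        if m in STANDALONE:
            segments.append((marker_name(m), pos, pos + 2))
            pos += 2
            if m == 0xD9:                # EOI: anything left is trailing junk
                if pos < n:
                    segments.append(("TRAILING", pos, n))
                break
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > n:
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((marker_name(m), pos, end))
        pos = end
        if m == 0xDA:
            # Entropy-coded scan data follows the SOS header. It runs until a
            # marker that is neither a stuffed 0xFF00 nor an RSTn restart marker.
            start = pos
            while pos < n - 1:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            segments.append(("SCAN", start, pos))
    return segments


def strip_metadata(data):
    """Drop COM and APP1..APP15 segments byte-for-byte; keep APP0 (JFIF) and all else.

    This is what a "remove the blocks" sanitizer does. Note that the SCAN
    region is copied through untouched: a stripper cannot inspect or alter
    encoded pixel data without fully re-encoding the image.
    """
    out = bytearray()
    for name, start, end in walk_segments(data):
        if name == "COM" or (name.startswith("APP") and name != "APP0"):
            continue
        out += data[start:end]
    return bytes(out)


# Constructed skeleton: valid segment framing, but no DQT/SOF/DHT, so not decodable.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"    # APP0 (JFIF)
    b"\xff\xe1\x00\x08Exif\x00\x00"                                    # APP1 (Exif header)
    b"\xff\xfe\x00\x07hello"                                           # COM
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                        # SOS header
    b"\x12\x34\xff\x00\x56"                                            # scan data (FF00 stuffed)
    b"\xff\xd9"                                                        # EOI
)

if __name__ == "__main__":
    for name, start, end in walk_segments(SAMPLE_JPEG):
        print("%-8s %3d..%-3d %d bytes" % (name, start, end, end - start))
    stripped = strip_metadata(SAMPLE_JPEG)
    print("stripped: %d -> %d bytes" % (len(SAMPLE_JPEG), len(stripped)))
```

Running it lists SOI, APP0, APP1, COM, SOS, SCAN and EOI; after stripping, the Exif and comment segments are gone (the "data your users rightfully expect to be preserved"), while the scan bytes are copied through unchanged, which is why the only real mitigation is the one the reply implies: never let uploaded files be executed, regardless of what was stripped from them.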