Re: JPEG Upload

From:
Date: Sat, 05 May 2012 17:29:59 +0000
Subject: Re: JPEG Upload
References: 1
Groups: php.internals
On Sat, May 5, 2012 at 6:32 PM, Richard Lynch <[email protected]> wrote:

> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> > In most systems you can upload *anything* with a .jpg extension and the
> > app will take it, so you can still include the file
>
> People don't use imagecreatefromjpeg() to be sure it isn't some ware
> or executable or PHP script disguised as a JPEG?!
>
> That's just crazy.
>
> And inexcusable in a framework.
>
> Somebody might be able to craft a "JPEG" that validates and still
> manages to somehow parse some PHP in the middle... Probably using JPEG
> comments so it's easier.
>
>
Yeah, and injecting PHP code through the JPEG comments isn't new either, see
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
but I bet I could find even older posts discussing the topic.
So IMO the correct remedy for this situation is to prevent your uploaded
files from being executed in the first place, instead of trying to write an
error-prone method to detect malicious content inside your uploaded media
files.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
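
One way to apply the remedy described in the message above, shown as an added example that is not part of the original thread or of any framework's code: store uploads outside the document root under a server-chosen name, and serve them back as raw bytes so they never pass through the PHP parser. The directory path and the function names `store_upload()` and `serve_upload()` are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumed locations for this example: UPLOAD_DIR lives outside the document
// root, so the web server never maps a URL onto a stored file.
const UPLOAD_DIR = '/var/app-data/uploads';   // hypothetical path
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Store an uploaded file under a server-chosen name; returns the opaque id. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Type sniffing only picks the stored extension and Content-Type. It is
    // not a safety check: a valid JPEG can still carry PHP in a comment.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // Client-supplied name and extension are discarded entirely.
    $id = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $id, 0640);   // no execute bit
    return $id;
}

/** Send a stored file as bytes; the content never reaches include/require. */
function serve_upload(string $id): void
{
    // Accept only ids of the shape store_upload() generates, so the value
    // cannot contain path separators or "..".
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png)\z/', $id, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search($m[1], ALLOWED, true));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);   // readfile() copies bytes and does not parse PHP
}
```

If uploads must stay inside the document root, the equivalent control is a web server rule that disables the PHP handler for that directory.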

