Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Ferenc Kovacs <tyra3l <at> gmail.com>
Subject: Re: [PHP-DEV] JPEG Upload
Newsgroups: gmane.comp.php.devel
Date: Saturday 5th May 2012 17:29:59 UTC (over 4 years ago)
On Sat, May 5, 2012 at 6:32 PM, Richard Lynch  wrote:

> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> >In
> > most systems you can upload *anything* with a .jpg extension and the
> > app will take it, so you can still include the file
>
> People don't use imagecreatefromjpeg() to be sure it isn't some ware
> or executable or PHP script disguised as a JPEG?!
>
> That's just crazy.
>
> And inexcusable in a framework.
>
> Somebody might be able to craft a "JPEG" that validates and still
> manages to somehow parse some PHP in the middle... Probably using JPEG
> comments so it's easier.
>
>
yeah, and injecting php code through the jpeg comments isn't new also, see
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
but
I bet I could find even older posts discussing the topic.
so imo the correct remedy for this situation is to prevent your uploaded
files to be executed at the first place, instead of trying to write an
error-prone method to detect malicious content inside your uploaded media
files.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
 
CD: 3ms