Ferenc Kovacs | 5 May 19:29 2012
Picon

Re: [PHP-DEV] JPEG Upload

On Sat, May 5, 2012 at 6:32 PM, Richard Lynch <ceo <at> l-i-e.com> wrote:

> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> >In
> > most systems you can upload *anything* with a .jpg extension and the
> > app will take it, so you can still include the file
>
> People don't use imagecreatefromjpeg() to be sure it isn't some ware
> or executable or PHP script disguised as a JPEG?!
>
> That's just crazy.
>
> And inexcusable in a framework.
>
> Somebody might be able to craft a "JPEG" that validates and still
> manages to somehow parse some PHP in the middle... Probably using JPEG
> comments so it's easier.
>
>
yeah, and injecting php code through the jpeg comments isn't new also, see
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
but
I bet I could find even older posts discussing the topic.
so imo the correct remedy for this situation is to prevent your uploaded
files to be executed at the first place, instead of trying to write an
error-prone method to detect malicious content inside your uploaded media
files.

--

-- 
Ferenc Kovács
 <at> Tyr43l - http://tyrael.hu

Gmane