View Full Version : Image safety.

11-13-2007, 05:51 AM
Okay, so I've got a script to write but a concern that i can't figure out.

I'm writing an image upload script but want to make sure that the images uploaded don't have a Trojan in them. There has been word of jpeg images especially that are the cause of this.

So, is there some kind of image scrubbing php module or script that I need to ensure that the pictures are bug free?

FYI, this system will use the imagemagic extension of php.

Thanks for the help all.

11-13-2007, 06:04 AM
You can use getimagesize() (http://php.net/getimagesize) to start with, or the Imagick identifyimage function (http://php.net/imagick-identifyimage).

11-13-2007, 11:54 PM
I'm sorry, I still really don't under stand it all. Those functions will verify that the jpeg image is just a jpeg?
Sorry for the bother, and thanks for the help.

11-14-2007, 04:33 AM
you will need to do a scan with whatever antivirus is available on your server, many linux hosts will have clamav or similar which can be exec()'d

11-14-2007, 04:40 AM
Damn, I don't think my go daddy host has an anti virus scanner.
Thus fare they've told me that they have none of the many things i'd consider key for truly robust websites.

11-14-2007, 05:42 AM
You might want to check out the link in post #2 in this thread - http://www.codingforums.com/showthread.php?t=127318

It is possible for a file to contain a valid image AND contain php code. The image content prior to the <?php tag is simply content that php would output, then the php code would be parsed and executed. There are some conditions that must be true for this exploit to be possible, such as allowing an upload file name to be completely specified from the upload form, so that such an image/php code file could be placed on the server with a file name that could be browsed to and be parsed as php code.

The various image functions (getimagesize and imagecreatefromjpeg...) will find and happily return the image portion of such an image/php code file.

Since an image would not normally contain data that looks like php code, this type of exploit could be discovered by scanning the file for php only keywords that would be used by malicious code, such as <? exec shell echo print print_r...

11-14-2007, 05:46 AM
If you use the getimagesize(), check the file type of the file being uploaded it should narrow down the field of what files are uploaded.

Also if you expect the images to be a certain size you can also limit the size of the uploads.

Otherwise, the virus scanner is your best bet, but if you don't have that, you have to do a detailed check on every part of the file to make sure it is a jpeg file.

11-14-2007, 05:57 AM
Wow, thanks guys, I've learned a bit in the past few minutes.
I still have one question, now that i know that the image can be more than just binary or hex, how exactly do i extract the file into a readable format?

Or am i just asking a pointless question on this one.
Thus i would only have to use some thing like this:

if($_FILE['imagefile']['name']=='<?php' || $_FILE['imagefile']['name']== '<?')
// Either parse with imagecreatefromjpeg or throw out and ask for another file.