 

Malicious Code Through Image Upload

There is a part of my website that allows users to upload profile photos. I'm worried about people uploading malicious code. I'm planning on limiting the file types to .jpg/.png/.gif/.jpeg.

I'm worried that it won't be enough. I'm going to be resizing the images on the server. Would the process of resizing the photos be enough to ensure that the image is actually an image and not a malicious file?

I'll be using the following to resize the photos. I won't be storing the originals on the server and the files names will be changed.

    $source = imagecreatefromstring(file_get_contents($sourcePath)); // decode the upload (jpg/png/gif) into a GD image
    $thumb  = imagecreatetruecolor($newwidth, $newheight);           // blank canvas for the resized copy
    imagecopyresampled($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
    imagejpeg($thumb, $fullpath, 90);                                // re-encode: only pixel data is written out
Jason Small asked May 31 '11 09:05




1 Answer

Simply doing this will ensure you're working on an image:

    // getimagesize() returns false when it does not recognise an image header
    if (getimagesize($sourcePath) === false)
    {
        die("Not an image!");
    }

For more safety you should disable PHP execution in the upload folder. In .htaccess:

    php_value engine off
    # php_flag engine off is the documented boolean form of the same directive
user703016 answered Nov 15 '22 07:11

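The following is an added example (mine, not the asker's or the answerer's code) covering both the question and the answer above. It is in Python with only the standard library so it runs offline; the GD and getimagesize() calls from the thread have no direct equivalent here, so a tiny PNG builder and chunk parser stand in for them. It shows why a header-only check like getimagesize() (mimicked by header_check(), which reads only the signature and dimensions) accepts a valid image with a PHP payload appended after IEND or tucked into a tEXt chunk, why rejecting trailing bytes catches only the first case, and why re-encoding from pixel data (what the asker's imagejpeg() call does; reencode() stands in for it by keeping only the critical chunks) strips both. All function names, the 1x1 red PNG and the payload string are constructed for this example.

```python
"""Added example: header check vs strict parse vs re-encode on a PNG polyglot."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1, extra=()) -> bytes:
    """Build a valid all-red 8-bit RGB PNG; `extra` chunks go between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = None) followed by RGB triples.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + b"".join(_chunk(t, b) for t, b in extra)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def header_check(data: bytes):
    """Stand-in for getimagesize(): signature and IHDR only, nothing after them.

    Returns (width, height) or None."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    return struct.unpack(">II", data[16:24])


def parse_chunks(data: bytes):
    """Walk every chunk up to IEND, verifying CRCs; return (chunks, trailing_bytes)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]


def strict_check(data: bytes) -> bool:
    """Accept only a well-formed PNG that starts with IHDR and has nothing after IEND."""
    try:
        chunks, trailing = parse_chunks(data)
    except ValueError:
        return False
    return chunks[0][0] == b"IHDR" and trailing == b""


def reencode(data: bytes) -> bytes:
    """Stand-in for a GD round-trip: rebuild from critical chunks only.

    Ancillary chunks (tEXt, etc.) and any bytes after IEND are dropped."""
    chunks, _trailing = parse_chunks(data)
    keep = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
    return PNG_SIGNATURE + b"".join(_chunk(t, b) for t, b in chunks if t in keep)


# Constructed samples: a clean PNG and two ways of smuggling PHP into it.
PAYLOAD = b"<?php system($_GET['cmd']); ?>"                     # constructed, never executed
CLEAN_PNG = make_png()
POLYGLOT_TAIL = CLEAN_PNG + PAYLOAD                              # payload appended after IEND
POLYGLOT_TEXT = make_png(extra=[(b"tEXt", b"Comment\x00" + PAYLOAD)])  # payload in a comment chunk


def demo() -> dict:
    """Run every validator over both polyglots and report what each one catches."""
    return {
        "header_check_accepts_tail": header_check(POLYGLOT_TAIL) == (1, 1),
        "header_check_accepts_text": header_check(POLYGLOT_TEXT) == (1, 1),
        "strict_check_rejects_tail": not strict_check(POLYGLOT_TAIL),
        "strict_check_accepts_text": strict_check(POLYGLOT_TEXT),
        "reencode_strips_tail": PAYLOAD not in reencode(POLYGLOT_TAIL),
        "reencode_strips_text": PAYLOAD not in reencode(POLYGLOT_TEXT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two practical caveats follow from this. First, a payload hidden in the pixel data itself survives a lossless re-encode (and can be engineered to survive a lossy one), so re-encoding shrinks the attack surface but does not replace the answer's second step: nothing in the upload directory should ever be executable as PHP. Second, an .htaccess `engine off` is honoured only under mod_php with AllowOverride enabled; under PHP-FPM the equivalent is to not route that directory to the FPM handler at all, and serving uploads from a separate host or object store sidesteps the question entirely.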