PHP image uploads. how do I protect against images containning code?

Question

From what I understand, images (jpeg, gif, etc.) might contain valid PHP/Python/Perl etc. code. So - anyone can create file that will be valid jpeg at the same time can be executed by PHP interpreter (here is a description).

So, I was wondering - is there a way to strip malicious code from images? would recoding images with GD or ImageMagick work?

Answer 1

Actual images will not contain code. But there's nothing stopping someone from trying to get an "image" file uploaded, and then try and get it to execute.

Your interpreters (Perl, PHP, whatever) should be set up so that they only execute certain file types (i.e. .php or .php5). There's no reason Perl or PHP should be parsing image files.

Just use the following common sense to protect yourself:

1) Verify the mime type of the document
2) Enforce policies that only allow uploading files of a certain extension
3) Don't accept filenames at face value. Generate your own internal file name and use a database table to keep the mapping.
4) If you're truly paranoid, find some code to check that the byte signatures are valid for the given file type upload.