
Recently I have worked on a number of applications that need to process user-uploaded images; steps have been taken to validate the extension and the MIME type.

But what else can be done to ensure the image is valid?

In my case the upload is handled by PHP and then passed to GD or ImageMagick, both of which suffer from vulnerabilities that can result in denial of service and possibly the execution of arbitrary code.

I would be interested in any suggestions people could offer to improve the validation process, both specific to PHP and to any web or non-web application in general.


From my example question on Area51 Proposal

AviD
Mark Davidson

3 Answers


Even though it sounds simple, checking an image can be tricky. At least the following actions should be taken:

  • check the size of the image: width, height and the file size itself;
  • check the extension and name of the image;
  • check the content type;
  • limit the number of uploaded images;
  • limit access to uploaded images: better if the user doesn't know where it is stored;
  • limit the types of image extensions;
  • preferably change the name of the image;

Also, I would recommend changing the type of the image explicitly after those checks, e.g. from PNG to JPG. Simple, but works well.

  • Another common recommendation is to run all the uploaded files through anti-virus and anti-malware checks (à la http://www.virustotal.com/). This does not mitigate a skilled attacker from uploading a malicious file which may evade detection, but it does make it more difficult. – Tate Hansen Nov 12 '10 at 21:08
  • Another important point is to not let the user define the name and path of the file, but explicitly define that server side. (I recommend you add this and the AV recommendation from @Tate in your answer...) – AviD Nov 14 '10 at 10:18
  • Also, if users can then download the uploaded files, there are other steps you should take: redirect to the file and not have e.g. `download.php?file=whatever`; generate a long random filename, if you need to prevent other users from finding it; and more. – AviD Nov 14 '10 at 10:20

I disagree with the answers put forward so far.

You would definitely need to rewrite the image (perhaps by forcing the user to resize it) using an image manipulation library, such as the ones that you suggested.

Extra care is needed to remove EXIF data, etc., because of vulnerabilities such as GIFAR, XSS, and File Inclusion -- which can enable attack chaining.

atdre
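The checks listed in the first answer (byte size, extension, content type, dimensions, server-chosen name) and the re-encode step this answer calls for fit naturally into one PHP function, since the OP's upload is handled by PHP and handed to GD. The block below is an added example, not code from any answer here; it assumes a `$_FILES['image']` form field, a storage directory outside the web root, and limits (`MAX_BYTES`, `MAX_WIDTH`, `MAX_HEIGHT`, `MAX_PIXELS`) chosen for illustration rather than the OP's 50 MB setting.

```php
<?php
// Added example (not from the original answers): validate an uploaded image
// from the bytes alone, then re-encode it with GD onto a fresh canvas so that
// only pixel data survives (EXIF, ICC profiles, comments and trailing data
// are dropped). Assumed: $_FILES['image'], $storageDir outside the web root.

declare(strict_types=1);

const MAX_BYTES  = 2 * 1024 * 1024; // assumed limit; raise for high-res workflows
const MAX_WIDTH  = 4096;
const MAX_HEIGHT = 4096;
const MAX_PIXELS = 16000000;        // guards against decompression bombs

/** libmagic MIME type => permitted client extensions; anything else is rejected. */
const ALLOWED = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

/**
 * Returns the path of the re-encoded file, or throws on any failure.
 * No check depends on the client-supplied name or $_FILES['type'].
 */
function acceptImageUpload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // 1. Byte size, checked before anything tries to decode the file.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }

    // 2. The client extension is compared with the allow-list only;
    //    it never becomes part of the stored file name.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));

    // 3. Content type derived from the bytes, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime]) || !in_array($ext, ALLOWED[$mime], true)) {
        throw new RuntimeException('content type / extension mismatch');
    }

    // 4. Header-level dimensions: cheap, and rejects oversized images
    //    before the full decode allocates memory for them.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$w, $h] = $info;
    if ($w > MAX_WIDTH || $h > MAX_HEIGHT || $w * $h > MAX_PIXELS || $info['mime'] !== $mime) {
        throw new RuntimeException('dimensions or declared type rejected');
    }

    // 5. Full decode, then copy the pixels onto a brand-new canvas.
    $src = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('decode failed');
    }
    $dst = imagecreatetruecolor($w, $h);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopy($dst, $src, 0, 0, 0, 0, $w, $h);
    imagedestroy($src);

    // 6. Server-chosen random name and a single output format (PNG here).
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!imagepng($dst, $path, 6)) {
        imagedestroy($dst);
        throw new RuntimeException('write failed');
    }
    imagedestroy($dst);
    return $path;
}

// Usage (assumed form field "image" and a directory outside the web root):
// $stored = acceptImageUpload($_FILES['image'], '/var/app/uploads');
```

Two points on the design. The order matters: byte size and `getimagesize()` run before `imagecreatefromstring()`, so a file that declares huge dimensions is refused before GD allocates a canvas for it, which is the denial-of-service case the question raises. And the re-encode addresses what is stored and later served (metadata, polyglot payloads such as GIFAR), not bugs in the decoder itself; the decoder still runs on attacker-controlled bytes, so the library must stay patched, and on a busy service the conversion is best run in a separate, resource-limited process rather than inside the web worker.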

You could put a size limit on it to make sure it does not exceed 2 MB or something. It would help with storage space and keep users from uploading high-res images.

Jeremy
  • A valid point, but unfortunately in my case high-res images need to be kept and processed; I believe the limit at the moment is 50 MB. – Mark Davidson Nov 12 '10 at 15:01