image uploads

Subject: image uploads
Summary: use GD to copy image
Messages: 2
Author: Tom Pimienta
Date: 2007-06-20 02:16:28
Update: 2007-06-20 02:43:51
 

1. image uploads
Tom Pimienta - 2007-06-20 02:36:40
FWIW, in addition to normal security practices regarding uploaded images, I use GD to copy the original image to the final destination. If it's not an image, GD will fail to copy the file. For animated GIFs you will lose the animation with this technique.

2. Re: image uploads
Manuel Lemos - 2007-06-20 02:43:51 - In reply to message 1 from Tom Pimienta
I am not sure if that would avoid the problem.

From what I understood, the PHP code can be hidden in the GIF image color map. I think in that case the image is still read without making GD fail.

Maybe GD packs the palette and ditches unused colors when the image is saved. If it does not do anything to the original palette the PHP code remains there.
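
The two messages above, combined into one check, as an added example that is not code from either poster: the upload is decoded with GD, redrawn onto a truecolor canvas so the source color map is not written out as-is, and the re-encoded bytes are checked for PHP open tags before they are saved. `reencodeUpload()`, its parameters and the demo files are hypothetical names and constructed inputs.

```php
<?php
// Added example; reencodeUpload() and the demo files are hypothetical.
function reencodeUpload(string $srcPath, string $dstPath): bool
{
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    $info = @getimagesize($srcPath);
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return false;                        // not a recognised image type
    }
    $raw = file_get_contents($srcPath);
    $src = ($raw === false) ? false : @imagecreatefromstring($raw);
    if ($src === false) {
        return false;                        // GD could not decode the data
    }
    // Draw onto a new truecolor canvas so the source palette (color map)
    // is never written out as-is; only decoded pixels are carried over.
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagefill($dst, 0, 0, imagecolorallocatealpha($dst, 0, 0, 0, 127));
    imagecopy($dst, $src, 0, 0, 0, 0, $w, $h);

    ob_start();
    $ok = imagepng($dst);                    // saved as truecolor, not as a palette image
    $out = (string) ob_get_clean();
    if (!$ok || $out === '') {
        return false;
    }
    // Do not assume re-encoding removed everything: check the bytes that
    // will actually be stored for PHP open tags before saving them.
    foreach (['<?php', '<?='] as $tag) {
        if (stripos($out, $tag) !== false) {
            return false;
        }
    }
    return file_put_contents($dstPath, $out) !== false;
}

// Constructed demo input: a small palette GIF made with GD, and a text file.
$gif = tempnam(sys_get_temp_dir(), 'up');
$img = imagecreate(8, 8);
imagecolorallocate($img, 200, 30, 30);
imagegif($img, $gif);
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "this is not an image\n");

var_dump(reencodeUpload($gif, $gif . '.png'));
var_dump(reencodeUpload($txt, $txt . '.png'));
```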