PHP Classes

GIF security

Recommend this page to a friend!

      PHP Classes blog  >  PHP security exploit ...  >  All threads  >  GIF security  >  (Un) Subscribe thread alerts  
Subject:GIF security
Summary:Slower image serving problem
Messages:4
Author:Luis Ferro
Date:2007-06-20 07:37:57
Update:2011-05-25 01:12:33
 

  1. GIF security   Reply   Report abuse  
Picture of Luis Ferro Luis Ferro - 2007-06-20 07:39:26
The solution proposed, the sending of the image with readfile is "slow".

Instead of using the direct web server file service, it's used a script and then the php file functions and passing thru the image content to the browser. That may be way too slow.

Taking into account that we are talking about gif images, you can always do a simple thing after the upload and prior to the move of the file from the temp directory to the destination directory:

- use GD to reimplement the image and save it from the GD image space.

This not only will avoid any PHP "injected" code, but also will allow that the time spend for the security to be used only once and upon the content generation.

Only problem is that you need to have a GD gif compliant server (which any new PHP setup should have by now).

Cheers,
Luis Ferro
Portugal

  2. Re: GIF security   Reply   Report abuse  
Picture of Manuel Lemos Manuel Lemos - 2007-06-20 08:26:01 - In reply to message 1 from Luis Ferro
Using readfile is just an alternative solution for people that want to preserve the original file names of the uploaded files.

When that is not important, renaming the image files as 1.gif, 2.gif, and so on, is suficient to avoid this security problem. That way the files may be served directly the Web server.

That is what the PHPClasses site does to serve pictures of the users that they upload. Such pictures are served by a separate multithreaded Web server, which can handle much more simultaneous requests with much less memory.

As for the use of GD to remove the injected code, it may not work because the PHP code can be hidden in the image palette.

  3. Re: GIF security   Reply   Report abuse  
Picture of Aston Gutman Aston Gutman - 2011-05-23 22:54:08 - In reply to message 2 from Manuel Lemos
I can't find reference to image pallete embeddable anywhere. Can you point me to some source that has more information on this one?

  4. Re: GIF security   Reply   Report abuse  
Picture of Manuel Lemos Manuel Lemos - 2011-05-25 01:12:33 - In reply to message 3 from Aston Gutman
Look at this page about the GIF format in Wikipedia:

en.wikipedia.org/wiki/Graphics_Inte ...