[PHP] Secure uploads tutorial

2008-12-16 Thread Tim Starling
I thought the list might be interested in a tutorial for secure
web-based file uploads that I just wrote:

http://tstarling.com/blog/2008/12/secure-web-uploads/

-- Tim Starling

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Secure uploads tutorial

2008-12-16 Thread Tim Starling
tedd wrote:
> At 11:45 PM +1100 12/16/08, Tim Starling wrote:
>> I thought the list might be interested in a tutorial for secure
>> web-based file uploads that I just wrote:
>>
>> http://tstarling.com/blog/2008/12/secure-web-uploads/
>>
>> -- Tim Starling
>
> Tim:
>
> That's a good read -- thanks -- but it's more of an article than a
> tutorial.
>
> In any event, instead of posting to your blog, I thought starting a
> dialog here might serve the php community better. So here goes:
>
> In your blog you suggest looking for the magic number in image files
> and not using getimagesize(). So what about this approach?
>
> 1. Restrict the File-Type.
> 2. Pass the file through exif_read_data() and see if File-Type and
> MimeType match.
> 3. Resize the image.
>
> Do you see any security problems with this?
>
> I can't imagine evil code still working after someone resizes the file.
>

That depends on whether the resize preserves metadata. ImageMagick's
-resize does. Internet Explorer will search the metadata looking for
HTML tags and other indications of file type, if it's in the first 255
bytes.

exif_read_data() only works for JPEG and TIFF, and IE is fairly secure
for JPEG, so it's not a problem if you restrict uploads to JPEG. But if
you extended your scheme to PNG, it's easy to imagine a vulnerability
being exposed for IE 6 clients.

The image data is another issue. Whether it's possible to construct an
image such that, when resized by a certain factor and then compressed by
a known algorithm, the resulting compressed stream contains given text,
is an open question. I suspect it is, but it probably won't be a
technique within reach of the average spammer until some security
researcher publishes a script.

-- Tim Starling




Re: [PHP] Secure uploads tutorial

2008-12-16 Thread Tim Starling
Peter Ford wrote:
> tedd wrote:
>> I can't imagine evil code still working after someone resizes the file.
>
> Yeah, but the uploaded OpenOffice Writer doc won't look too good either... :)
>
> I prefer to move files to an off-line store, run them through a unix 'file'
> command (with a mime-type magic file) to get the mime-type, use that to decide
> whether or not to accept, and then serve them back to clients through a 
> script.
> As an optional step, on really paranoid systems, I run a virus scan over the
> upload (with clamav, usually).

There are some file types, such as .png and .wav, where that approach is
not at all secure. The file command will tell you that the file is
image/png, but IE 6 will detect it as text/html and run scripts in it.

The ClamAV step is almost pointless. It does nothing to deter an
attacker who is targeting your site specifically.

-- Tim Starling
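
The checks discussed in the two replies above (a magic-number test instead of
getimagesize(), IE's sniffing of the first bytes of a served file for HTML
tokens, and whether a resize keeps metadata), put together as one PHP example.
This is an added illustration, not code from the thread or from Tim's
tutorial. It assumes the GD extension is available and that uploads are
restricted to JPEG, PNG and GIF; the IE_HTML_TOKENS list is my approximation of
the HTML markers given in Microsoft's MIME-type detection documentation, and
all function names are my own.

```php
<?php
// Added example (not from the original thread). Assumes GD is available and
// that uploads are restricted to JPEG, PNG and GIF.

// Tokens IE's MIME sniffer treats as evidence of text/html when they occur in
// the first 256 bytes. Constructed from Microsoft's "MIME Type Detection in
// Internet Explorer" documentation; an approximation, not the exact algorithm.
const IE_HTML_TOKENS = ['<html', '<head', '<body', '<script', '<title',
    '<a href', '<pre', '<img', '<plaintext', '<table'];

/** Magic-number check on the raw bytes; returns 'jpeg', 'png', 'gif' or null. */
function detect_image_type(string $bytes): ?string {
    if (substr($bytes, 0, 3) === "\xFF\xD8\xFF") return 'jpeg';
    if (substr($bytes, 0, 8) === "\x89PNG\r\n\x1A\n") return 'png';
    $six = substr($bytes, 0, 6);
    if ($six === 'GIF87a' || $six === 'GIF89a') return 'gif';
    return null;
}

/** True if the first 256 bytes contain something IE would sniff as HTML.
 *  This window covers PNG tEXt chunks and JPEG COM/APP segments that sit
 *  right after the signature, which is where an attacker would put markup. */
function looks_like_html_to_ie(string $bytes): bool {
    $head = strtolower(substr($bytes, 0, 256));
    foreach (IE_HTML_TOKENS as $tok) {
        if (strpos($head, $tok) !== false) return true;
    }
    return false;
}

/** Decode with GD and write a fresh file from the pixel data only. GD does not
 *  carry EXIF, JPEG COM/APP segments or PNG text chunks through, so the
 *  metadata is discarded (unlike ImageMagick's -resize, which keeps it).
 *  Returns the new bytes, or null if GD could not decode the input. */
function reencode_image(string $bytes, string $type, int $maxWidth = 1024): ?string {
    $src = @imagecreatefromstring($bytes);
    if ($src === false) return null;
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, $maxWidth / $w);
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($nw, $nh);
    if ($type === 'png') {           // keep the alpha channel for PNG output
        imagealphablending($dst, false);
        imagesavealpha($dst, true);
    }
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
    ob_start();
    switch ($type) {
        case 'jpeg': imagejpeg($dst, null, 85); break;
        case 'png':  imagepng($dst);            break;
        case 'gif':  imagegif($dst);            break;
    }
    $out = ob_get_clean();
    imagedestroy($src);
    imagedestroy($dst);
    return $out === '' ? null : $out;
}

/** Whole pipeline for one uploaded file: returns [type, clean bytes] or throws. */
function sanitize_upload(string $path): array {
    $bytes = file_get_contents($path);
    $type = detect_image_type($bytes);
    if ($type === null) {
        throw new RuntimeException('not JPEG/PNG/GIF by magic number');
    }
    // Reject rather than launder: markup in the header is an attack, not noise.
    if (looks_like_html_to_ie($bytes)) {
        throw new RuntimeException('HTML tokens in the first 256 bytes');
    }
    $clean = reencode_image($bytes, $type);
    if ($clean === null) {
        throw new RuntimeException('GD could not decode the image');
    }
    // Re-check the output: re-encoding discards metadata, but it is not a proof
    // that the pixel data cannot compress into something that sniffs as HTML.
    if (looks_like_html_to_ie($clean)) {
        throw new RuntimeException('re-encoded output still sniffs as HTML');
    }
    return [$type, $clean];
}

// Usage: [$type, $clean] = sanitize_upload($_FILES['upload']['tmp_name']);
// then store $clean and serve it with the matching image/* Content-Type.
```

The same looks_like_html_to_ie() check is worth running again in the script
that serves files back, since it is cheap and catches anything that reached the
store by another route; the .wav case mentioned above is not covered by this
example, which only accepts the three raster formats.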
