[21038] in bugtraq
Re: The Dangers of Allowing Users to Post Images
daemon@ATHENA.MIT.EDU (Ben Gollmer)
Fri Jun 15 14:02:40 2001
Message-ID: <20010614224052.13589.qmail@securityfocus.com>
Date: Thu, 14 Jun 2001 17:39:31 -0500
Content-Type: text/plain; format=flowed; charset=us-ascii
From: Ben Gollmer <ben@jatosoft.com>
To: <bugtraq@securityfocus.com>
Mime-Version: 1.0 (Apple Message framework v388)
In-Reply-To: <04f901c0f437$4911b610$9701a8c0@wellingtoncollege.berks.sch.uk>
Content-Transfer-Encoding: 7bit
This is not a big deal if you use some validation on images (in PHP at
least).
Try the function getImageSize(); it will return an array containing the
size of the image, as well as the format. If the file specified is not a
GIF, JPEG, PNG, or SWF, getImageSize() returns null.
This is also beneficial if you don't want users posting huge images to
your forum. In this code, the image must be 800x600 or less.
<?php
// quick sample code follows
// $imagePath is the URL provided; doesn't matter if it's via GET or POST
$imageInfo = getImageSize($imagePath);
if (!$imageInfo)
{
    // getImageSize() fails on anything that is not GIF, JPEG, PNG, or SWF
    print("Sorry, image cannot be opened or is not a valid image type.");
}
elseif ($imageInfo[0] > 800 || $imageInfo[1] > 600)
{
    // [0] is width, [1] is height; anything larger than 800x600 is rejected
    print("Sorry, image too big");
}
// and so on
?>
More info here: http://www.php.net/manual/en/function.getimagesize.php
Ben Gollmer
Jatosoft, LLC
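The same check written with an explicit format allowlist, as an added example that is not code from the original post. Because getImageSize() also accepts SWF (as the post notes), a non-false result alone should not be taken as "this is a safe image"; the function below only passes GIF, JPEG and PNG. It assumes $path is a file already received by the server (for instance $_FILES['image']['tmp_name']) rather than a URL, and validateImage() and the size limits are names chosen here.

```php
<?php
// Added example (not from the original post): validate a received image file
// with getimagesize(), allowing only GIF/JPEG/PNG and at most 800x600 pixels.
// $path is assumed to be a local file on the server, not a user-supplied URL.

function validateImage(string $path, int $maxWidth = 800, int $maxHeight = 600): ?string
{
    // Explicit allowlist: getimagesize() recognises more than these three formats
    // (SWF among them), so check the detected type, not just that it returned an array.
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

    $info = getimagesize($path);
    if ($info === false) {
        return 'Image cannot be opened or is not a recognised image type.';
    }

    // Index 0 is width, 1 is height, 2 is the IMAGETYPE_* constant.
    [$width, $height, $type] = $info;

    if (!in_array($type, $allowed, true)) {
        return 'Image type not permitted (only GIF, JPEG and PNG are accepted).';
    }

    if ($width > $maxWidth || $height > $maxHeight) {
        return sprintf('Image too big: %dx%d exceeds %dx%d.',
                       $width, $height, $maxWidth, $maxHeight);
    }

    return null; // null means every check passed
}

// Constructed sample input: a 1x1 transparent GIF written to a temporary file,
// followed by a non-image file, so the example runs stand-alone.
$tmp = tempnam(sys_get_temp_dir(), 'img');

file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(validateImage($tmp)); // valid 1x1 GIF

file_put_contents($tmp, 'this is not an image');
var_dump(validateImage($tmp)); // rejected as not a recognised image type

unlink($tmp);
```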