Antivirus check for image upload in PHP or not?

Do I need to scan images uploaded by users via an HTML form using PHP?

Are the following security measures sufficient?

  • the MIME type / getimagesize() is checked
  • the original filename is not used
  • the image is resized; the original is not saved
  • .htaccess forbids execution of anything that is not JPEG / PNG

Do I need to scan a file from a user using an antivirus? How can I do this with PHP?

I am using Ubuntu 14.04 LTS.

+3




2 answers


Why using an antivirus can be helpful:

It is technically possible that the image exploits a vulnerability in the system, not just as metadata, but in different ways depending on the software that opens the image.

For example, one of the first PSP vulnerabilities related to how the image viewer parsed TIFF images ( http://www.makeuseof.com/tag/how-to-downgrade-your-psp-and-upgrade-to-a-custom-firmware-part-one/#2.00 ).

While it is probably unlikely, there might be a bug / vulnerability / backdoor in the library that resizes the image, so if you want to go an extremely careful route, the order would be:

  • Pass the image to the antivirus
  • Process / save the image however you need.

You can use a library that offers PHP antivirus integration, for example: http://sourceforge.net/projects/php-clamav/ (but keep in mind that a DoS can also happen if requests queue for a long time while files are being passed to the AV; security often involves trade-offs!).

NB. The availability of updated library packages will be longer than AV since after modifying the original image any work with vulnerabilities will likely be corrupted / lost.

+1




No need for antivirus scanning of images. While you can technically put a virus in your image data, it will not execute as code anywhere. What you can do is strip the metadata to make sure it is not being used to exploit any bugs that exist in image viewers.

Depending on which program you are using to process the image, there may be options to remove metadata tags in your transformations.

I personally use pngcrush or pngquant (for retina images) for images that I have posted on the internet. If you are using ImageMagick, you can use the "-strip" option.

0


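A PHP upload handler that combines the question's checklist with both answers' suggestions (optional AV scan before any parsing, then "stripping" by re-encoding through GD), as an added example that is not code from the question or either answer. It assumes PHP 7 or later with the GD extension, an upload directory outside the web root (UPLOAD_DIR is a placeholder), and the clamdscan client from ClamAV on PATH for the optional scan step.

```php
<?php
// Added example, not code from the question or either answer. Assumes PHP 7+
// with the GD extension, an UPLOAD_DIR outside the web root, and (optional)
// the clamdscan client on PATH for the AV step the first answer proposes.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path; serve via a script, not directly
const MAX_BYTES  = 5 * 1024 * 1024;      // reject oversized uploads before touching them
const MAX_PIXELS = 25000000;             // bound decoded size (decompression bombs)
const MAX_SIDE   = 1024;                 // resize target, as in the question's checklist

// Optional AV step: clamdscan exits 0 = clean, 1 = infected, 2 = error (fail closed).
function scanWithClamav($path)
{
    exec('clamdscan --no-summary ' . escapeshellarg($path), $out, $code);
    return $code === 0;
}

// Validate, (optionally) scan, then re-encode through GD. Re-encoding discards
// EXIF/IPTC/XMP and any trailing bytes (the "strip" from the second answer);
// the original file is never stored. Returns the new path, or null on rejection.
function storeUploadedImage(array $file, $useAv = false)
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;          // never trust a client-supplied path
    if ($useAv && !scanWithClamav($file['tmp_name'])) return null;  // scan before any parsing

    $info = @getimagesize($file['tmp_name']);                       // content sniff, not extension
    if ($info === false) return null;
    list($w, $h, $type) = $info;
    if ($w < 1 || $h < 1 || $w * $h > MAX_PIXELS) return null;
    switch ($type) {                                                // JPEG / PNG only
        case IMAGETYPE_JPEG: $src = @imagecreatefromjpeg($file['tmp_name']); $ext = 'jpg'; break;
        case IMAGETYPE_PNG:  $src = @imagecreatefrompng($file['tmp_name']);  $ext = 'png'; break;
        default:             return null;
    }
    if ($src === false) return null;

    // Resize into a fresh canvas: output pixels come only from the decoder, nothing else.
    $scale = min(1.0, MAX_SIDE / max($w, $h));
    $dst = imagecreatetruecolor((int) round($w * $scale), (int) round($h * $scale));
    if ($ext === 'png') { imagealphablending($dst, false); imagesavealpha($dst, true); }
    imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $w, $h);
    imagedestroy($src);

    // Generated name: the original filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = ($ext === 'png') ? imagepng($dst, $dest, 6) : imagejpeg($dst, $dest, 85);
    imagedestroy($dst);
    return $ok ? $dest : null;
}
```

Call it as `storeUploadedImage($_FILES['photo'], true)` from the form handler; the `.htaccess` rule from the question still belongs on the upload directory, since this code only controls what gets written, not how the web server serves it.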
