@LeonanCarvalho
Last active October 11, 2019 08:05
My way to safely display external pictures
<?php
/* =========================================================
 * My way to safely display external pictures
 * =========================================================
 * Copyright 2015 Leonan Carvalho @leonancarvalho
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ========================================================= */

$filename = "http://s13.postimg.org/f7728bnqv/php_logo_virus.jpg"; // Unsafe image on an external host
// The "virus" image is the one described here: http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
// It's not a real virus: it carries PHP code that runs phpinfo() through eval() if PHP ever includes the file.

/* Remove path information and dots around the filename, to prevent writing
 * into different directories or replacing hidden system files.
 * Also remove control characters and spaces (\x00..\x20) around the filename.
 * The result is only ever used as an output name, never as a path to read. */
$safefilename = trim(basename(stripslashes($filename)), ".\x00..\x20");

//$imgcontent = file_get_contents($filename); // Be careful, it could be a nuclear bomb: raw untrusted bytes, never include() or eval() them
//$exif = exif_read_data($filename);          // Be careful, it could be a letter with anthrax: metadata is attacker-controlled text
//$imagesize = getimagesize($filename);       // Safe: returns only dimensions and type

// Work out the real image type from the file content, not from the extension.
$tempSafeFile = tempnam(sys_get_temp_dir(), "JLC"); // Temp file that receives the re-encoded copy
// Requires the PHP GD extension (details: http://php.net/manual/en/book.image.php) and ext/exif for exif_imagetype().
// Reading the remote URL directly needs allow_url_fopen=On; alternatively download it to a temp file first.
switch (exif_imagetype($filename)) {
    case IMAGETYPE_JPEG:
        // Decode the pixels and write a brand-new JPEG to the temp file. Only pixel data
        // is carried over; EXIF/COM segments (where the payload hides) are never copied.
        $img = imagecreatefromjpeg($filename);
        $written = $img !== false && imagejpeg($img, $tempSafeFile, 100);
        $extensions = array('jpg', 'jpeg');
        $mime = "image/jpeg";
        break;
    case IMAGETYPE_PNG:
        $img = imagecreatefrompng($filename);
        $written = $img !== false && imagepng($img, $tempSafeFile, 9); // third argument is compression level 0..9, not quality
        $extensions = array('png');
        $mime = "image/png";
        break;
    case IMAGETYPE_GIF:
        $img = imagecreatefromgif($filename);
        $written = $img !== false && imagegif($img, $tempSafeFile); // imagegif() takes no quality argument
        $extensions = array('gif');
        $mime = "image/gif";
        break;
    case IMAGETYPE_BMP:
        // imagecreatefrombmp()/imagebmp() exist since PHP 7.2; image2wbmp() handled WBMP, a different format.
        $img = imagecreatefrombmp($filename);
        $written = $img !== false && imagebmp($img, $tempSafeFile);
        $extensions = array('bmp');
        $mime = "image/bmp";
        break;
    // There are a lot of other image types... I use these 4 just as an example
    default:
        throw new Exception("Maybe it's an unsafe image file!", 500);
}
if (!$written) {
    // GD refused to decode it (corrupt, or not really an image): never fall back to serving the original bytes.
    @unlink($tempSafeFile);
    throw new Exception("Image could not be decoded and re-encoded!", 500);
}
imagedestroy($img);
// Caveat: re-encoding discards anything hidden in metadata, but the decoders themselves must stay patched,
// and the stored copy must never be executed or include()d by PHP, whatever its extension says.

// Adjust incorrect image file extensions to match the detected type:
if (!empty($extensions)) {
    $parts = explode('.', $safefilename);
    if (count($parts) < 2) {
        $parts[] = $extensions[0]; // no extension at all: append the right one
    } elseif (!in_array(strtolower($parts[count($parts) - 1]), $extensions)) {
        $parts[count($parts) - 1] = $extensions[0];
    }
    $safefilename = implode('.', $parts);
}

// Now you can save, move or store this file in a safe place, or just display it:
header("Pragma: public");
header("Expires: -1");
header("Cache-Control: public, must-revalidate, post-check=0, pre-check=0");
//header("Content-Disposition: attachment; filename=\"$safefilename\""); // Download instead
header("Content-Type: " . $mime);
echo file_get_contents($tempSafeFile);
unlink($tempSafeFile); // the re-encoded copy has been sent; clean up
//var_dump($exif);         // Uncomment to get sick
//var_dump($imgcontent);   // Uncomment to destroy the world!
//var_dump($safefilename); // Execute in a function: safe
//var_dump($extensions);   // Execute in a function: safe
//var_dump($imagesize);    // Execute in a function: safe
//var_dump($written);      // true when the safe re-encoded copy was written; you can do anything with that file now
exit;
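The idea behind the gist, re-encoding from pixel data so that anything hidden in metadata is simply never copied, shown as an added example in Go that is not part of the gist and uses only the standard library (no GD needed). It builds a constructed 8x8 JPEG, splices a COM metadata segment carrying a PHP-looking text string into it (the same hiding place the linked "virus" article uses; here it is only bytes, never executed), sniffs the real type from the content as exif_imagetype() does, decodes and re-encodes, and checks that the text is gone and that a plain text file is rejected. The names payload, makeTaintedJPEG, sanitize and containsPayload are mine.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/gif"
	"image/jpeg"
	"image/png"
	"net/http"
)

// payload stands in for the PHP text the linked "virus" image carried in its
// metadata. It is a constructed byte string used only as data.
const payload = "<?php phpinfo(); ?>"

// makeTaintedJPEG is constructed test input: a valid 8x8 JPEG with a COM
// (0xFFFE) segment holding payload spliced in right after the SOI marker.
func makeTaintedJPEG() ([]byte, error) {
	img := image.NewRGBA(image.Rect(0, 0, 8, 8))
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			img.Set(x, y, color.RGBA{R: uint8(x * 30), G: uint8(y * 30), B: 128, A: 255})
		}
	}
	var buf bytes.Buffer
	if err := jpeg.Encode(&buf, img, &jpeg.Options{Quality: 90}); err != nil {
		return nil, err
	}
	clean := buf.Bytes()
	if len(clean) < 2 || clean[0] != 0xFF || clean[1] != 0xD8 {
		return nil, errors.New("encoder did not emit an SOI marker")
	}
	// COM segment: marker, 2-byte big-endian length (which counts itself), then the data.
	n := len(payload) + 2
	seg := append([]byte{0xFF, 0xFE, byte(n >> 8), byte(n)}, payload...)
	out := append([]byte{}, clean[:2]...)
	out = append(out, seg...)
	return append(out, clean[2:]...), nil
}

// sanitize mirrors the gist: sniff the real type from the bytes (the role
// exif_imagetype plays in PHP), decode with a strict decoder, and re-encode
// from pixel data alone. Metadata segments are never copied to the output.
func sanitize(data []byte) (out []byte, mime string, err error) {
	mime = http.DetectContentType(data)
	var img image.Image
	var buf bytes.Buffer
	switch mime {
	case "image/jpeg":
		if img, err = jpeg.Decode(bytes.NewReader(data)); err == nil {
			err = jpeg.Encode(&buf, img, &jpeg.Options{Quality: 100})
		}
	case "image/png":
		if img, err = png.Decode(bytes.NewReader(data)); err == nil {
			err = png.Encode(&buf, img)
		}
	case "image/gif":
		if img, err = gif.Decode(bytes.NewReader(data)); err == nil {
			err = gif.Encode(&buf, img, nil)
		}
	default:
		return nil, mime, fmt.Errorf("unsupported or possibly unsafe image type %q", mime)
	}
	if err != nil {
		// A decode failure means "not an image we trust"; never fall back to the original bytes.
		return nil, mime, fmt.Errorf("decode/re-encode failed, refusing to serve original: %w", err)
	}
	return buf.Bytes(), mime, nil
}

// containsPayload is the check used to confirm the re-encode dropped the text.
func containsPayload(data []byte) bool {
	return bytes.Contains(data, []byte(payload))
}

func main() {
	tainted, err := makeTaintedJPEG()
	if err != nil {
		panic(err)
	}
	clean, mime, err := sanitize(tainted)
	if err != nil {
		panic(err)
	}
	fmt.Printf("input carries payload: %v\n", containsPayload(tainted))
	fmt.Printf("output (%s, %d bytes) carries payload: %v\n", mime, len(clean), containsPayload(clean))
	_, _, err = sanitize([]byte(payload)) // a bare PHP text file fails the content sniff
	fmt.Println("plain text rejected:", err != nil)
}
```

The type switch serves the same purpose as the gist's exif_imagetype() switch: the decision is taken on the bytes, and the extension the uploader chose plays no part in it. Anything the decoder cannot parse is rejected outright rather than passed through.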