My way to safely display external pictures
<?php
/* =========================================================
* My way to safely display external pictures
* =========================================================
* Copyright 2015 Leonan Carvalho @leonancarvalho
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ========================================================= */
$filename = "http://s13.postimg.org/f7728bnqv/php_logo_virus.jpg"; // Unsafe image on external hosting
// The "virus" image is taken from http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
// It is not a real virus: it runs phpinfo() through eval() if the file is ever executed as PHP.

// Only fetch over http(s): a user-supplied URL could otherwise point at file://, php:// or an internal host.
if (!in_array(parse_url($filename, PHP_URL_SCHEME), array('http', 'https'), true)) {
    throw new Exception("Refusing to fetch a non-http(s) source", 400, null);
}

/* Remove path information and dots around the filename, to prevent writing
 * into different directories or replacing hidden system files.
 * Also remove control characters and spaces (\x00..\x20) around the filename.
 */
$safefilename = trim(basename(stripslashes($filename)), ".\x00..\x20");

//$imgcontent = file_get_contents($filename); // Raw bytes of the remote file: never store, serve or include them as-is, they may carry an injected payload
//$exif = exif_read_data($filename);          // EXIF metadata is attacker-controlled text: never echo or eval it
//$imagesize = getimagesize($filename);       // Safe: returns only dimensions and type

// Determine the real image type from the content, not from the extension.
// Needs the exif extension (exif_imagetype) and the GD extension (image* functions):
// http://php.net/manual/en/book.image.php
$type = exif_imagetype($filename); // Inspect the remote source, not the sanitized local name
$tempSafeFile = tempnam(sys_get_temp_dir(), "JLC"); // Temp file that will hold the re-encoded image
switch ($type) {
    case IMAGETYPE_JPEG:
        // Decode the pixels and write a brand-new file: anything hidden in comments or EXIF is dropped
        $image = imagecreatefromjpeg($filename);
        $written = $image !== false && imagejpeg($image, $tempSafeFile, 100);
        $extensions = array('jpg', 'jpeg');
        $mime = "image/jpeg";
        break;
    case IMAGETYPE_PNG:
        $image = imagecreatefrompng($filename);
        $written = $image !== false && imagepng($image, $tempSafeFile, 9); // PNG "quality" is a compression level 0-9, not 0-100
        $extensions = array('png');
        $mime = "image/png";
        break;
    case IMAGETYPE_GIF:
        $image = imagecreatefromgif($filename);
        $written = $image !== false && imagegif($image, $tempSafeFile); // imagegif() takes no quality argument
        $extensions = array('gif');
        $mime = "image/gif";
        break;
    case IMAGETYPE_BMP:
        // BMP is not WBMP: imagecreatefromwbmp()/image2wbmp() handle the wireless bitmap format
        // (and image2wbmp() was removed in PHP 8). imagecreatefrombmp()/imagebmp() need PHP >= 7.2.
        $image = imagecreatefrombmp($filename);
        $written = $image !== false && imagebmp($image, $tempSafeFile);
        $extensions = array('bmp');
        $mime = "image/x-MS-bmp";
        break;
    // There are many other image types; these four are just an example
    default:
        unlink($tempSafeFile);
        throw new Exception("Unsupported or possibly unsafe image file", 500, null);
}
if (!$written) {
    // The declared type did not decode: treat the file as hostile rather than serving the original
    unlink($tempSafeFile);
    throw new Exception("The file could not be decoded as " . image_type_to_mime_type($type), 500, null);
}
imagedestroy($image);

// Make the stored extension match the detected type (a name without any dot gets one appended):
$parts = explode('.', $safefilename);
$ext = count($parts) > 1 ? strtolower(array_pop($parts)) : '';
if (!in_array($ext, $extensions, true)) {
    $ext = $extensions[0];
}
$safefilename = implode('.', $parts) . '.' . $ext;

// Now you can save, move or store this file in a safe place, or just display it:
header("Pragma: public");
header("Expires: -1");
header("Cache-Control: public, must-revalidate, post-check=0, pre-check=0");
header("X-Content-Type-Options: nosniff"); // Stop browsers from second-guessing the declared type
//header("Content-Disposition: attachment; filename=\"$safefilename\""); // Download instead
header("Content-Type: " . $mime);
readfile($tempSafeFile); // Serve the re-encoded bytes, never the original download
unlink($tempSafeFile);
//var_dump($exif);         // Attacker-controlled strings: do not display
//var_dump($imgcontent);   // Raw payload bytes: do not display
//var_dump($safefilename); // Safe
//var_dump($extensions);   // Safe
//var_dump($imagesize);    // Safe
exit;
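An added check, not part of the gist, for confirming that the re-encode actually did its job: it walks the JPEG marker segments of a file and reports the ones that can hold free-form bytes. The two paths are placeholders for the external download and the GD output.

```php
<?php
// Added example (not part of the gist): list the marker segments of a JPEG so the
// external file can be compared with the GD re-encoded temp file. Comment (COM) and
// application (APPn) segments hold free-form bytes, which is where the linked "JPEG
// virus" hides its PHP code; after imagejpeg() only libjpeg's own JFIF APP0 remains.
$source    = 'external_download.jpg'; // placeholder path
$reencoded = 'gd_output.jpg';         // placeholder path
/** Marker segments up to the first SOS, as ['marker' => int, 'name' => 'FFxx', 'length' => int]. */
function jpegSegments(string $bytes): array
{
    if (substr($bytes, 0, 2) !== "\xFF\xD8") {
        throw new InvalidArgumentException('Not a JPEG: missing SOI marker');
    }
    $segments = [];
    $pos = 2;
    $len = strlen($bytes);
    while ($pos + 4 <= $len) {
        if (ord($bytes[$pos]) !== 0xFF) {
            throw new InvalidArgumentException("Expected a marker at offset $pos");
        }
        while (ord($bytes[$pos + 1]) === 0xFF && $pos + 4 < $len) {
            $pos++;                                   // skip optional 0xFF fill bytes
        }
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xD9) {                       // EOI: nothing left to inspect
            break;
        }
        $size = unpack('n', substr($bytes, $pos + 2, 2))[1]; // big-endian, includes its own 2 bytes
        $segments[] = ['marker' => $marker, 'name' => sprintf('FF%02X', $marker), 'length' => $size];
        if ($marker === 0xDA) {                       // SOS: entropy-coded data follows
            break;
        }
        $pos += 2 + $size;
    }
    return $segments;
}

/** Only the segments that can carry arbitrary bytes: COM (FFFE) and APP0..APP15 (FFE0..FFEF). */
function payloadCapableSegments(array $segments): array
{
    return array_values(array_filter($segments, function (array $s): bool {
        return $s['marker'] === 0xFE || ($s['marker'] >= 0xE0 && $s['marker'] <= 0xEF);
    }));
}
foreach (['external' => $source, 're-encoded' => $reencoded] as $label => $path) {
    $risky = payloadCapableSegments(jpegSegments(file_get_contents($path)));
    printf("%s: %d COM/APPn segment(s) %s\n", $label, count($risky),
        implode(', ', array_column($risky, 'name')));
}
```

A sanitized file is expected to show at most the single FFE0 (JFIF) entry, while the original download shows the COM or APP1 segment the payload was carried in.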