My way to safely display external pictures
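/* =========================================================
 * My way to safely display external pictures
 * =========================================================
 * Copyright 2015 Leonan Carvalho @leonancarvalho
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ========================================================= */

declare(strict_types=1);

// Upper bound on the bytes downloaded from the remote host. The raw bytes are
// never served, but an unbounded download still lets a remote host exhaust
// disk and memory.
const MAX_IMAGE_BYTES = 5 * 1024 * 1024;

// Upper bound on the decoded canvas (width * height). A tiny file can declare
// a huge canvas (decompression bomb) and GD would try to allocate all of it
// before anything below gets a chance to refuse it.
const MAX_IMAGE_PIXELS = 4096 * 4096;

/**
 * Remove path information and dots around the filename, to prevent saving
 * into different directories or replacing hidden system files.
 * Also remove control characters and spaces (\x00..\x20) around the filename.
 */
function sanitizeFilename(string $name): string
{
    return trim(basename(stripslashes($name)), ".\x00..\x20");
}

/**
 * Adjust an incorrect (or missing) extension so it matches the image type GD
 * actually detected; the remote name is attacker-controlled and says nothing
 * about the content.
 *
 * @param list<string> $extensions accepted extensions; the first is the replacement
 */
function fixExtension(string $name, array $extensions): string
{
    if ($extensions === []) {
        return $name;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, $extensions, true)) {
        return $name;
    }
    // A name without any extension keeps its base name instead of collapsing
    // into just the extension.
    return pathinfo($name, PATHINFO_FILENAME) . '.' . $extensions[0];
}

/**
 * Copy $source into $destination, reading at most $maxBytes.
 *
 * $source may be a local path or a stream URL (allow_url_fopen). When it comes
 * from user input, restrict the scheme and host before calling this, otherwise
 * the server can be made to fetch from anywhere it can reach.
 *
 * @throws RuntimeException if the source cannot be read or exceeds $maxBytes
 */
function fetchToFile(string $source, string $destination, int $maxBytes): void
{
    $in = fopen($source, 'rb');
    if ($in === false) {
        throw new RuntimeException('Unable to open image source');
    }
    $out = fopen($destination, 'wb');
    if ($out === false) {
        fclose($in);
        throw new RuntimeException('Unable to open temporary file for writing');
    }
    // Ask for one byte more than allowed so an oversized source is detectable
    // instead of being silently truncated.
    $copied = stream_copy_to_stream($in, $out, $maxBytes + 1);
    fclose($in);
    fclose($out);
    if ($copied === false) {
        throw new RuntimeException('Unable to read image source');
    }
    if ($copied > $maxBytes) {
        throw new RuntimeException('Image source exceeds ' . $maxBytes . ' bytes');
    }
}

/**
 * Decode the image at $source with GD and write a freshly encoded copy to
 * $destination. Only the pixels survive the round trip: EXIF, comments and
 * any bytes appended after the image data (where the "virus" payload lives)
 * do not. Must have PHP GD lib. Details: http://php.net/manual/en/book.image.php
 *
 * @return array{0: string, 1: list<string>} MIME type and the accepted extensions
 * @throws Exception on unsupported types, oversized canvas or encode failure (code 500)
 */
function reencodeImage(string $source, string $destination, int $maxPixels): array
{
    // getimagesize() only parses headers; it does not decode pixel data, so it
    // is safe to call before deciding whether decoding is affordable.
    $info = getimagesize($source);
    if ($info === false) {
        throw new Exception("May its a unsafe image file!", 500, null);
    }
    [$width, $height, $type] = $info;
    if ($width * $height > $maxPixels) {
        throw new Exception('Image canvas is too large to decode safely', 500);
    }

    // There is a lot of other image types... these 4 are just an example.
    switch ($type) {
        case IMAGETYPE_JPEG:
            $image = imagecreatefromjpeg($source);
            $written = $image !== false && imagejpeg($image, $destination, 100);
            $result = ['image/jpeg', ['jpg', 'jpeg']];
            break;
        case IMAGETYPE_PNG:
            $image = imagecreatefrompng($source);
            if ($image !== false) {
                // Keep transparency; GD otherwise flattens the alpha channel.
                imagesavealpha($image, true);
            }
            // PNG takes a compression level 0..9, not a quality of 100
            // (PHP 8 rejects 100 with a ValueError); the output is lossless either way.
            $written = $image !== false && imagepng($image, $destination, 9);
            $result = ['image/png', ['png']];
            break;
        case IMAGETYPE_GIF:
            $image = imagecreatefromgif($source);
            // imagegif() has no quality parameter.
            $written = $image !== false && imagegif($image, $destination);
            $result = ['image/gif', ['gif']];
            break;
        case IMAGETYPE_BMP:
            // IMAGETYPE_BMP is Windows BMP. imagecreatefromwbmp()/image2wbmp()
            // handle WBMP (a different, 1-bit format) and image2wbmp() no
            // longer exists in PHP 8.
            $image = imagecreatefrombmp($source);
            $written = $image !== false && imagebmp($image, $destination);
            $result = ['image/x-MS-bmp', ['bmp']];
            break;
        default:
            throw new Exception("May its a unsafe image file!", 500, null);
    }

    if ($image !== false) {
        imagedestroy($image);
    }
    if (!$written) {
        throw new Exception('Unable to decode or re-encode the image', 500);
    }
    return $result;
}

$filename = "http://s13.postimg.org/f7728bnqv/php_logo_virus.jpg"; //Unsafe image in a external hosting
// The "virus" message as taken from here http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
// Its not a real virus, It's execute php_info() using eval.

// The sanitized name is only ever used as an output name (Content-Disposition,
// or wherever you save the result). Reading always goes through $filename and
// the temporary copies; the original passed the bare name to exif_imagetype(),
// which looks for a local file and never reaches the remote picture.
$safefilename = sanitizeFilename($filename);

// Two temp files: the raw download (never include, eval, var_dump or serve it)
// and the re-encoded copy, which is the only thing that leaves this script.
$download = tempnam(sys_get_temp_dir(), "JLC");
$tempSafeFile = tempnam(sys_get_temp_dir(), "JLC");
if ($download === false || $tempSafeFile === false) {
    throw new RuntimeException('Unable to create temporary files');
}

try {
    fetchToFile($filename, $download, MAX_IMAGE_BYTES);
    [$mime, $extensions] = reencodeImage($download, $tempSafeFile, MAX_IMAGE_PIXELS);
    $safefilename = fixExtension($safefilename, $extensions);

    // Now you can save, move, store $tempSafeFile in a safe place or just display it:
    header("Pragma: public");
    header("Expires: -1");
    header("Cache-Control: public, must-revalidate, post-check=0, pre-check=0");
    // Tell browsers not to second-guess the type we detected.
    header('X-Content-Type-Options: nosniff');
    //header("Content-Disposition: attachment; filename=\"$safefilename\""); //Download instead
    header("Content-Type: " . $mime);
    $size = filesize($tempSafeFile);
    if ($size !== false) {
        header('Content-Length: ' . $size);
    }
    readfile($tempSafeFile);
} finally {
    // Remove both copies whether or not serving succeeded; exit below would
    // otherwise leave attacker-supplied bytes lying around in the temp dir.
    foreach ([$download, $tempSafeFile] as $tempFile) {
        if (is_file($tempFile)) {
            unlink($tempFile);
        }
    }
}
exit;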
Posted as an answer to: http://security.stackexchange.com/questions/67058/how-to-safely-display-external-pictures/94720#94720