Virus risk, receiving pictures vs receiving urls

Forum Moderators: phranque

Message Too Old, No Replies

Virus risk, receiving pictures vs receiving urls

advantage

1:21 pm on Dec 14, 2005 (gmt 0)

I'm working on a website where my customers can send in a picture of themselves. But I'm worried about that opening me WAY up to a virus hidden in one of their attachments. Accidentally-or on purpose.

Am I safer by insisting on receiving URLs only from them where I can go and dowload or even just copy it myself?

Any other best ways around inviting a typhoid Mary picture directly into my computer?

Krapulator

1:29 am on Dec 15, 2005 (gmt 0)

Limit your file uploads to jpg's only.

Leosghost

1:37 am on Dec 15, 2005 (gmt 0)

virii exist also in jpegs..as do many other things such as directions to illegal pron ..or images of the same or data or links to info data or sites that is /are illegal where you are ..( investigate "stenography" if you really want to understand the basics )

the only way you can be reasonably safe is to allow uploads to a sandbox ..you scan the contents with at least 3 different Av's..( and learn to read hidden / imbedded / encrypted data traces )

you then if they are shown "clean" imbed them in your pages ..

and even then you are not certain ..

there are other issues concerning your or others security involved with allowing the uploading of any data in any form to your space ..

advantage

3:22 am on Dec 15, 2005 (gmt 0)

I'm still not sure about it. For example, I can usually just left click and drag over a picture, then hit ctrl C which copies the picture.

Is that the same as downloading it? Is viewing it before I left click it as dangerous virus-wise as copying it?

I just tried it off of a Yahoo image search. It won't add itself onto a File in my Photosuite with ctrl V, but it will attach to a new Hotmail letter, then I can send it to send myself.

Any of this safer?

kaled

1:23 pm on Dec 15, 2005 (gmt 0)

I've heard it said that viruse can exist in jpegs, however, unless a file type is registered as executable in some way, a virus might exist in the file but it's harmless.

If you are certain that uploaded files cannot be executed, there should not be a problem.

Kaled.

lasko

3:28 pm on Dec 15, 2005 (gmt 0)

I used to only check the extension but since moving to php5 I started using another function as well its also available in php4.3

I'm using the following exif_imagetype function that reads the first few bytes of the file to see if its actually an image or pdf etc.

if(exif_imagetype($_FILES['files']['tmp_name']) ==
IMAGETYPE_GIF)
{
$this->Upload($_FILES, $dir);
}

[cz.php.net...]

Currently I only allow Gif and Jpgs to be added if its for Jo public use.

When it comes to private admin areas then I allow docs and other files.

wyvern

3:32 am on Dec 18, 2005 (gmt 0)

Maybe running some rendering filters on the newly uploaded images (using a library like ImageMagick or GD), which only slightly modify the image if at all, would verify that it's actually a valid image (otherwise the rendering library would stop with an error) and break any virus code which they might contain.