i want to write (and currently writing) a php script to display external images,
Question
I want to write (and am currently writing) a PHP script to display external images not hosted on my website. Something like Facebook's safe_image.
What I'm currently doing is file_get_contents('pic') (or curl) on the URL and checking the HTTP code and content-type, returning a 404 or whatever other code if the content-type differs from 'image/jpeg', 'image/png', 'image/gif' (these are the only MIME types I'm allowing), otherwise a 200 or 304.
But I've read a lot of posts saying that a picture might contain malicious code, maybe in its EXIF header. Now, I'm not using include() to show pictures, and I always do mywebsite.com/safepic?url='.urlencode('external_picture_url') in PHP or 'mywebsite.com/safepic?url='+encodeURIComponent('external_picture_url') in JavaScript.
So, if the content type returned from curl matches that of a valid picture, I run getimagesize(), but I'm sure this is not enough. I also force the content type to be image/something, but I don't think this makes sure the file is 'executed' as a picture and prevents the malicious code bytes from being recognized. I also thought about doing all these checks and a lot more (like trying to resize it to check if it is really a picture, and creating a whole new picture through imagecreatefromjpeg based on that one).
Got any ideas?
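The pipeline the question sketches (fetch, check the type, run getimagesize, re-encode through GD, force the Content-Type), as an added example that is not the asker's code or Facebook's safe_image. It assumes PHP with the curl and GD extensions, a script reached as /safepic?url=..., and the names ALLOWED_TYPES, MAX_BYTES and fail() are hypothetical:

```php
<?php
// Added example (not the asker's code): a minimal "safe image" proxy.
// Assumptions: PHP with curl and GD; reached as /safepic?url=<urlencoded URL>.
declare(strict_types=1);

// Only these decoded image types are passed through (hypothetical constant name).
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_GIF  => 'image/gif',
];
const MAX_BYTES = 5 * 1024 * 1024; // refuse downloads larger than 5 MiB

function fail(int $status): void {
    http_response_code($status);
    exit;
}

// Reject anything that is not an http(s) URL before touching the network.
$url   = $_GET['url'] ?? '';
$parts = parse_url($url);
if ($parts === false
    || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
    || empty($parts['host'])) {
    fail(400);
}

// Fetch with curl: bounded time, bounded size, redirects limited to http(s).
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER  => true,
    CURLOPT_FOLLOWLOCATION  => true,
    CURLOPT_MAXREDIRS       => 3,
    CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_CONNECTTIMEOUT  => 5,
    CURLOPT_TIMEOUT         => 10,
    // Abort the transfer as soon as it exceeds MAX_BYTES (non-zero return aborts).
    CURLOPT_NOPROGRESS       => false,
    CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) {
        return ($dlNow > MAX_BYTES || $dlTotal > MAX_BYTES) ? 1 : 0;
    },
]);
$body     = curl_exec($ch);
$httpCode = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

if ($body === false || $httpCode !== 200) {
    fail(404);
}

// Do not trust the remote Content-Type header: inspect the bytes themselves.
$info = @getimagesizefromstring($body);
if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
    fail(415);
}

// Re-encode through GD so only pixel data survives: EXIF, comments and any
// trailing bytes appended to the original file are dropped.
$src = @imagecreatefromstring($body);
if ($src === false) {
    fail(415);
}

header('Content-Type: ' . ALLOWED_TYPES[$info[2]]);
header('X-Content-Type-Options: nosniff'); // keep browsers from sniffing another type
header('Cache-Control: public, max-age=3600');

switch ($info[2]) {
    case IMAGETYPE_JPEG:
        imagejpeg($src, null, 85);
        break;
    case IMAGETYPE_PNG:
        imagesavealpha($src, true);
        imagepng($src);
        break;
    case IMAGETYPE_GIF:
        imagegif($src);
        break;
}
imagedestroy($src);
```

Two caveats a practitioner would note. The scheme and size checks above bound what the proxy will fetch, but they do not stop the remote server from resolving to an internal address; a production proxy should additionally resolve the host and refuse private or loopback ranges before connecting. And re-encoding through GD flattens animated GIFs to their first frame, which is the price of discarding everything that is not pixel data.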
Explanation / Answer
I think you are overthinking the problem.
You should be worried if your clients were able to upload pictures. In that case, the client could fake the MIME type, create malicious content in EXIF headers, put garbage inside the picture, and exploit it by using a Local File Include on your server.
But it looks like this is not the case. If your script will just show the pictures, why not hotlink to the image? Let the client browser download and show it.
If you don't want to hotlink the picture, you could just download and send it using curl.