2) Prevent them from being executed by the client. Enforce the extention as mentioned above. Try loading the upload in an image info package. (Perhaps ImageMagick or Image-Info?) If the package doesn't recognize the upload as an image, and if it's not a JPEG, GIF or PNG, reject the upload.

I could be mistaken, but I think the OP's concerned about the JPEG of Death. I don't know enough about the hole to be certain, but I don't think that just checking headers is going to be enough.

That's a toughie. Convert JPGs to PNGs and back? If the conversion tool doesn't give an error, it will surely corrupt the virus. (Discard the file if the conversion tool gives an error.)

Is that really something that needs to be checked actively? Maybe it's sufficient to keep logs and act on reports reactively. It depends on the case, really.

Convert JPGs to PNGs and back? If the conversion tool doesn't give an error, it will surely corrupt the virus. (Discard the file if the conversion tool gives an error.)

That's not a bad idea. My only concern is that, since JPEG's a lossy format, re-JPEGging an image might introduce more compression artifacts. In that case, you might want to leave the image as a PNG. (I can't offhand think of any reason why you'd want to use JPEG instead of PNG... I think the compression rates are pretty similar these days.)

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
% man 3 strfry

That's a toughie. Convert JPGs to PNGs and back?

I'm sorry, but that is a tad too creative :) I'd use a virus scanner like File::Scan or clamav and scan the files for viruses upon upload.

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"

I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).

** The third rule of perl club is a statement of fact: pod is sexy.