in reply to Re: prevent arbitrary code execution in images
in thread prevent arbitrary code execution in images

2) Prevent them from being executed by the client. Enforce the extention as mentioned above. Try loading the upload in an image info package. (Perhaps ImageMagick or Image-Info?) If the package doesn't recognize the upload as an image, and if it's not a JPEG, GIF or PNG, reject the upload.

I could be mistaken, but I think the OP's concerned about the JPEG of Death. I don't know enough about the hole to be certain, but I don't think that just checking headers is going to be enough.

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
% man 3 strfry

  • Comment on Re^2: prevent arbitrary code execution in images

Replies are listed 'Best First'.
Re^3: prevent arbitrary code execution in images
by ikegami (Patriarch) on Sep 15, 2004 at 23:26 UTC

    That's a toughie. Convert JPGs to PNGs and back? If the conversion tool doesn't give an error, it will surely corrupt the virus. (Discard the file if the conversion tool gives an error.)

    Is that really something that needs to be checked actively? Maybe it's sufficient to keep logs and act on reports reactively. It depends on the case, really.

[reply]
      Convert JPGs to PNGs and back? If the conversion tool doesn't give an error, it will surely corrupt the virus. (Discard the file if the conversion tool gives an error.)

      That's not a bad idea. My only concern is that, since JPEG's a lossy format, re-JPEGging an image might introduce more compression artifacts. In that case, you might want to leave the image as a PNG. (I can't offhand think of any reason why you'd want to use JPEG instead of PNG... I think the compression rates are pretty similar these days.)

      --
      F o x t r o t U n i f o r m
      Found a typo in this node? /msg me
      % man 3 strfry

[reply]
        Out of curiosity, I tried converting two jpegs to pngs (using convert). One of them became four times bigger, the other one nine times bigger.

        (BTW, I also tried converting the same jpegs to gifs, and they became five and six times larger.)
[reply]
      That's a toughie. Convert JPGs to PNGs and back?
      I'm sorry, but that is a tad too creative :) I'd use a virus scanner like File::Scan or clamav and scan the files for viruses upon upload.

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

[reply]
        Scan files for viruses on upload? Doesn't that depend on the scanner package having a profile to look for? Which means that a new virus gets through until someone circulates a new profile (and other people fetch it to update their scanners)?

        If a file is supposed to contain an image (but also contains a virus), it actually makes a lot more sense to apply some global filter to the "pixel" data such that image quality would be generally preserved, but anything like machine code would be obliterated. It's a pity that the same does not hold for email attachments that are supposed to be MS-Word "doc" files, etc...

[reply]

In Section Seekers of Perl Wisdom