On Mon, 2013-09-23 at 20:36 +0200, Domain nikha.org wrote:

> Stuart Dallas am Montag, 23. September 2013 - 12:58:
> 
> > And, honestly, who would have a PHP file per language? I think it's
> > perfectly reasonable to not allow that, because duplicating PHP code
> > across many files is an incredibly stupid way to support multiple
> > languages.
> > 
> I agree!! Didn't even know, that this kind of faked language support
> exists...
> 
> > "Some people run all their files through PHP" - true, but that doesn't
> > mean they should, or that you, as a responsible web host, should be
> > endorsing it.
> > 
> > PHP developers should absolutely validate all content coming in from
> > users in every possible way, but I would be highly dubious about
> > trusting a host who gives the reason above for what I consider a lax and
> > insecure Apache configuration. It's like saying they sliced your arm off
> > with their chainsaw because it's made for cutting things, attempting to
> > dodge all responsibility for having swung it in your direction!
> > 
> OK, in principle, I also agree. But this case is very easy to handle.
> I'm simply running "str_replace()" against dangerous parts of uploaded
> filenames, ".php" for instance. After that, Apache in every
> configuration will just serve, and never execute user uploaded files.
> Remains the risk on the clients side, I must concede. Better solutions?
> 
> Nice days,
> Niklaus   
> 


No, no, no! That is not a good stand-in for fundamental security
principles!

This is a better method for ensuring an image is really an image:

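<?php
if(isset($_FILES['file']))
{
        // getimagesize() returns false when the file is not a recognisable image
        $info = @getimagesize($_FILES['file']['tmp_name']);
        // index 2 is the detected image type; only jpeg is handled here
        $source = ($info && $info[2] === IMAGETYPE_JPEG)
                ? @imagecreatefromjpeg($_FILES['file']['tmp_name'])
                : false;
        if($source)
        {
                list($width, $height) = $info;
                $dest = imagecreatetruecolor($width, $height);

                // copy only the decoded pixels into a fresh image
                imagecopyresampled($dest, $source,
                                                0, 0, 0, 0,
                                                $width, $height, $width, $height);
                imagejpeg($dest, basename($_FILES['file']['tmp_name']));
        }
        else
                // escape the client-supplied name before echoing it into the page
                echo htmlspecialchars($_FILES['file']['name']) . " is not a jpeg";
}
?>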
<form enctype="multipart/form-data" method="post">
        <input type="file" name="file"/>
        <input type="submit" name="submit" value="submit"/>
</form>

Obviously it's only rough, and checks only for jpeg images, but that's
easy to alter. I've just tested this with a regular jpeg, the same jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a .jpg
extension. In the case of the first 2, a new jpeg is generated with the
same image and without the code. The third example just echoes out an
error.


Thanks,
Ash
http://www.ashleysheridan.co.uk
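
An added example, not part of Ash's message or the original thread: the re-encoding approach above combined with a server-chosen filename, so the stored name never depends on filtering the uploaded one. It goes beyond the jpeg-only case to PNG and GIF; the function name `store_reencoded_image` and the sample files are constructed for illustration, and it assumes PHP 7.1 or later with the GD extension.

```php
<?php
// Hypothetical helper: re-encode an uploaded image into $destDir under a
// server-chosen name. Returns the stored path, or null if not accepted.
function store_reencoded_image(string $tmpPath, string $destDir): ?string
{
    // Allowlist: detected image type => [GD loader, GD writer, extension].
    $allowed = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    $info = @getimagesize($tmpPath);      // false if not an image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    [$load, $save, $ext] = $allowed[$info[2]];
    $source = @$load($tmpPath);           // decodes pixel data only
    if ($source === false) {
        return null;
    }
    // The client-supplied filename is never used: name and extension are
    // both chosen here, so nothing the uploader sends reaches the path.
    $path = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return $save($source, $path) ? $path : null;   // freshly encoded file
}

// Constructed sample input: a small jpeg with trailing non-image bytes,
// and a text file that only pretends to be an upload.
$dir = sys_get_temp_dir();
$img = imagecreatetruecolor(8, 8);
ob_start(); imagejpeg($img); $jpeg = ob_get_clean();
$sample = tempnam($dir, 'up');
file_put_contents($sample, $jpeg . "<?php /* constructed trailing data */ ?>");
$fake = tempnam($dir, 'up');
file_put_contents($fake, "<?php /* constructed, not an image */ ?>");

$stored = store_reencoded_image($sample, $dir);
// Is the trailing data absent from the re-encoded file?
var_dump(strpos(file_get_contents($stored), '<?php') === false);
// Is the non-image rejected?
var_dump(store_reencoded_image($fake, $dir) === null);
```

In a real handler the first argument would be `$_FILES['file']['tmp_name']` after an `is_uploaded_file()` check, and the destination directory is best kept out of any path the web server hands to PHP.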

