The Content-Type header can be changed, getimagesize () also does not make sense to trust, because the file can be in GIF, JPEG, JPG, PNG format, but at the same time a php script does not make sense to check the file extension, too it was said that the image could be a php-script.
Interested in all practical advice to ensure the safe loading of images.
First: it is not clear where, in your opinion, there is any security problem at all. Second:
getimagesize () also makes no sense to trust, as the file can be in GIF, JPEG, JPG, PNG format
If the file is really in the format of GIF, JPEG, JPG, PNG, and getimagesize returns its proportions, then this means that it is a real file in the format of GIF, JPEG, JPG, PNG. Maybe, of course, this is a rargipeg, but you are not going to execute it as a PHP script?
The third and last. Well, you downloaded the script with the extension .gif . Where does security collapse in this case? Do you server feeds files with .gif extension to PHP interpreter? The only problem that can be here is the problem with cgi.fix_pathinfo in php-fpm , and while you live on the hosting, the hoster should deal with this (and this is a very old bug that, it seems, fixed).
While you are working with a file as with an image, and do not expose files that fall under the “feed to the interpreter” rule (i.e. files with the .php extension) to the public access, nothing will happen.
Apache gives files with MIME type, defined by extension. Therefore, if you yourself define the file extension and do not use it somewhere other than img tags and style files, then your server is not in danger. In theory, your customers may still suffer from browser exploits, but this is not your headache.
Well and, of course, never execute include or require with user data.
I will answer the question from another answer.
A security issue occurs on the server.
If the file is really in the format of GIF, JPEG, JPG, PNG, and getimagesize returns its proportions, then it means that this is a real file in the format of GIF, JPEG, JPG, PNG, which in the metadata section may contain PHP code.
The question how to execute the filled code is the second question. For example, if we have a leaky inclusive, it may be easier to lock in the log file. But I still would not want to have a file with potentially dangerous content. Moreover, the apache with the default settings will happily execute pkhp code from the file named xploit.php.jpg
Therefore, I myself believe that for an average site (not dealing with the placement of photos), the most reliable way is to completely convert the filled image, such as the one that is done by the imagecreatefromjpeg () function.
Conversion of the loaded photo also does not give guarantees. Here is an article on this topic http://www.securitylab.ru/analytics/472887.php
I advise you to prohibit at the server level the execution of any codes (not only php) in files uploaded by the user (including images)
Remember that it is impossible to defend yourself 100% - you can only minimize risks))
UPD 03/29/16 For Apache servers, in the folder where user files are loaded, put .htaccess of approximate content:
php_flag engine 0 AddType "text/html" .php .cgi .pl .fcgi .fpl .phtml .shtml .php2 .php3 .php4 .php5 .php7 .asp .jsp 
Source: https://ru.stackoverflow.com/questions/428408/
All Articles