How to protect the server that hosts the site and forum, with support for uploading your own avatar and inserting images into comments?

After all, everyone knows that an image can be supplied with a virus through which you can get full access to the server. How do you work correctly with such image uploads? It is clear that an antivirus will not be able to help at all, because it does not detect the newest viruses.

  • A paranoid-utopian option: parse the uploaded image pixel by pixel in the browser, send the array of pixels to the server, reassemble the image there, and for safety also trim it by a couple of pixels, change the contrast and colour range a bit, and save it. - Vladimir Gamalyan
  • @VladimirGamalian nobody does it that way. Why do you think that is? - Pavel Mayorov
  • 1
    @PavelMayorov the word "utopia" hints to us, as BE, that nobody does this and the author knows it. - Risto
  • 1
    After all, everyone knows that an image can be supplied with a virus through which you can get full access to the server. - oooh - etki
  • Launching an image for execution is the mark of an extremely incompetent programmer. Just don't run them, that's all. - VladD 2:51 pm

3 answers

Everyone knows that a virus by itself is a set of bytes, absolutely harmless until it is launched for execution in a suitable environment.

Of the environments on a PHP web server, two are usually available: CGI and PHP. For CGI, it is enough not to upload images into a folder that is intended for executable files.

For PHP, protection comes down to

  1. Do not let through files with the php extension. It's simple, apart from one nuance *
  2. Do not include just anything in your php scripts. This rule is much more important and wider than just uploading images. If it is not followed, then no pictures need to be uploaded to the server at all. If our code always knows exactly which file it includes, and it is impossible to slip one in from the side, then a picture with php code will also be safe.

* Nuance. The Apache web server in its default configuration executes files of the form script.php.jpg as php files.

  • 1
    There you go. And you said "Who will run it?". The very same server, incorrectly configured, will run it. And file permissions won't let it. However, your answer is none the worse for that. - Risto
  • @Risto that is exactly the point: the server should be configured correctly. - Pavel Mayorov
  • @PavelMayorov if the site is on your own server, of course. And if you write it to order? The code should be "foolproof", I believe. - Risto
  • @Risto if the site is written to order, then the server config for the site should be shipped with the site. - Pavel Mayorov
  • @PavelMayorov that won't save you from human stupidity. There is still "hosting" without access to the configs. As I said, the answer is good, but I don't consider it my own. - Risto

The best protection is a properly configured web server. For example, if you completely disable (in the case of Apache) or simply do not allow (in the case of nginx) launching PHP scripts from the /uploads/ folder (or whatever you call it), then you don't need to check anything at all when uploading files to the server (well, apart from a check for /../).

If you use PHP frameworks with the Front Controller pattern (where all requests go through index.php), then you should generally forbid executing any PHP scripts except index.php.

UPD Disable script execution via htaccess:

    SetHandler default-handler

Now any files in this directory will be processed by the default handler, if I haven't confused anything.

  • And then your site will fall to the bottom of the search engine listings. I can upload 1000 images with viruses, and your website will distribute them. - gilo1212
  • @gilo1212 in exactly the same way, forbidden text can be placed anywhere user-supplied text can be placed, after which the site can be blocked through the courts. And then shown on the first channel ... - Pavel Mayorov
  • Could you add to your answer exactly how to configure .htaccess so as to restrict the directory/file from running PHP scripts? Thanks. - gilo1212
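The following .htaccess is an added example covering the first answer's nuance (script.php.jpg being executed by Apache) and the second answer's advice to disable script execution in the upload directory; it is not code from either answer. It assumes Apache 2.4, an upload directory at /var/www/site/uploads (a placeholder path), and that the main configuration grants AllowOverride FileInfo and Options for that directory.

```apache
# Added example, not from the answers above: an .htaccess placed in the upload
# directory (assumed path /var/www/site/uploads) so that nothing stored there is
# ever handed to PHP or CGI. Assumes Apache 2.4 with AllowOverride FileInfo and
# Options granted for this directory in the main configuration.

# Every file here is served by the static-file handler, whatever its name.
SetHandler default-handler

# Drop the handler and MIME mappings that would otherwise select PHP. With mod_mime
# each dotted part of a filename is examined, which is why "script.php.jpg" can be
# executed as PHP when these mappings are left in place.
RemoveHandler .php .phtml .phar .phps
RemoveType .php .phtml .phar .phps

# With mod_php the engine itself can be switched off for this tree; the block is
# skipped on PHP-FPM installations, where the directives above do the work.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# No CGI or server-side includes from this tree either.
Options -ExecCGI -Includes

# Refuse to serve any name that carries a script extension, even in the middle
# ("avatar.php.jpg"), so a mapping mis-configured elsewhere cannot reach it.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps|cgi|pl|py|sh)(\.|$)">
    Require all denied
</FilesMatch>

# The browser must not "sniff" a stored file into something other than its
# declared image type.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Two caveats worth checking on a real installation. On PHP 7 the module is named mod_php7.c, so the IfModule test needs that name. On PHP-FPM setups the main configuration usually wires PHP through a `<FilesMatch "\.php$">` block with its own SetHandler, and FilesMatch sections are merged after per-directory settings, so the per-directory default-handler can lose; there, put the same denial inside a `<Directory /var/www/site/uploads>` block in the main configuration (which is also Pavel Mayorov's point about shipping the server config with the site). In nginx the equivalent is a location block for the upload path, ordered before the generic fastcgi location, that returns 403 for any name matching \.php. Either way, verify rather than trust: place a text file you wrote yourself, named probe.php.jpg and containing only `<?php echo 'executed';`, in the directory and request it; the response must be 403 or the raw bytes, never the word executed.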

Simply read the image with one of the image libraries, and then programmatically redraw it. Example for a JPEG image using GD:

    $img = imagecreatefromjpeg('upload/avatar.jpg'); // read the image from the uploaded file
    if ($img === false) { die('not a JPEG'); }       // GD returns false for anything it cannot decode
    imagejpeg($img);                                 // output the decoded image
    imagejpeg($img, 'profile/avatar.jpg');           // save the decoded image to a file
    imagedestroy($img);                              // free the image resource

At the same time, all foreign data hidden in the image will be lost, and all that remains is to remove the source image from upload/.

You should also remember about properly configured permissions:

    chmod('profile/avatar.jpg', 0600); // NOT executable; read and write only for the owner

In conjunction with running the server as a separate system user: even if an executable file were inside the image, it could not be launched, since this is directly prohibited by the file permissions. In addition, third-party programs will not be able to change the image after the upload, as only the user on whose behalf the file was created has rights to it.

It is not necessary to output images that have already been processed into profile/ through imagejpeg; that generates an excessive load on the server, and regular HTML will do. As a last resort, save the date of the file's last modification after setting the permissions, and check whether it has changed.

  • And how will the "correctly configured permissions" help? - Ipatiev
  • What "executable"? Who will run it? Why should "malware" infect something if it has already started? And why on earth would it fail? - Ipatiev
  • What a mess. Suppose we do not set the restriction. Who will execute it? - Ipatiev
  • @Ipatiev and what's the difference? If no one, all the better, but I am not a security specialist, nor the author of all web servers at once, to know what vulnerabilities could be there. It's easier to make sure that this is impossible even theoretically. - Risto
  • Somehow these confused arguments don't quite square with the statement about "the best protection against hacking." - Ipatiev
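The third answer's decode-redraw-store approach, carried through as an added example that is not the answer's own code: the upload is checked by its bytes rather than its name, redrawn through GD onto a fresh canvas so only pixels survive, and written under a server-chosen name. It assumes PHP 8 with the GD extension, an upload field named avatar, and the placeholder constants AVATAR_DIR, MAX_BYTES and MAX_SIDE below.

```php
<?php
// Added example (not from the answer above): accept an uploaded avatar, verify it is
// really a raster image, re-encode it through GD so that only pixel data survives,
// and store it under a server-chosen name in a directory served as static files.
// Assumes PHP 8 with the GD extension; the constants are placeholders for your layout.

declare(strict_types=1);

const AVATAR_DIR = '/var/www/site/profile';   // static files only, never script-executable
const MAX_BYTES  = 2 * 1024 * 1024;           // reject uploads above 2 MiB before decoding
const MAX_SIDE   = 512;                       // avatars are scaled down to at most 512 px

function storeAvatar(array $file, int $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the format from the bytes, never from the client-supplied name or type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$width, $height, $type] = $info;
    // Guard against decompression bombs before allocating the bitmap.
    if ($width * $height > 25_000_000) {
        throw new RuntimeException('image dimensions too large');
    }

    $src = match ($type) {
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
        default        => false,
    };
    if ($src === false) {
        throw new RuntimeException('unsupported or corrupt image');
    }

    // Redraw into a fresh canvas: metadata, trailing bytes and anything else
    // embedded in the original file are not copied, only pixels are.
    $scale = min(1.0, MAX_SIDE / max($width, $height));
    $dstW  = max(1, (int) round($width * $scale));
    $dstH  = max(1, (int) round($height * $scale));
    $dst   = imagecreatetruecolor($dstW, $dstH);
    imagefill($dst, 0, 0, imagecolorallocate($dst, 255, 255, 255)); // white under alpha
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $dstW, $dstH, $width, $height);
    imagedestroy($src);

    // Server-chosen name and extension: the client's filename is discarded entirely,
    // and an integer user id cannot carry a /../ component.
    $target = sprintf('%s/%d.jpg', AVATAR_DIR, $userId);
    $tmp    = $target . '.tmp';
    if (!imagejpeg($dst, $tmp, 85)) {
        imagedestroy($dst);
        throw new RuntimeException('could not write avatar');
    }
    imagedestroy($dst);

    // Readable by the account that serves static files, writable by nobody else,
    // never executable. The answer's 0600 works only when the same account both
    // writes and serves the file.
    chmod($tmp, 0644);
    rename($tmp, $target);          // atomic replacement of any previous avatar
    unlink($file['tmp_name']);      // drop the original upload; nothing needs it any more
    return $target;
}

// Usage inside the request handler for the avatar form:
// $path = storeAvatar($_FILES['avatar'], $currentUserId);
```

Writing to a .tmp name and renaming over the target means a reader never sees a half-written avatar, and the size and dimension checks run before any bitmap is allocated, so an oversized upload costs the server nothing beyond the header read. The redraw is what removes whatever rode along inside the file; the permission bits and the non-executable directory are the second and third layers, not substitutes for it.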