Convert all Images to JPEG?

[doubledee]

I am using PHP's GD to resize uploaded images and create new ones for security purposes.

 

Should I leave the converted files in their native format (e.g. PNG ---> PNG) or should I convert all images to JPG (i.e. PNG ---> JPEG)??

 

Thanks,

 

 

Debbie

 

P.S.  Should it be ".jpg" or ".jpeg"

[premiso]

I think the standard is .jpg, at least my preference.

 

But why convert to .jpg? png is an acceptable format, if there is no need to change the format just leave it as png. Unless you have a good reason to convert it, just leave it.

[doubledee]

I think the standard is .jpg, at least my preference.

 

But why convert to .jpg? png is an acceptable format, if there is no need to change the format just leave it as png. Unless you have a good reason to convert it, just leave it.

 

Hey, I'm the one asking the question here! 

 

I thought maybe it would be better for security - and in general - to have all of my Users' Images be JPEGs, but who knows?!

 

 

Debbie

 

[premiso]

How would it better security?

 

I am asking these questions because without knowing where you are going I cannot help you properly. As far as I know, there is nothing to do with security here. The file name itself, (not the extension) would be the security part. As long as that is handled properly it is fine. If you want the images to be "universal" and that is your reason for converting to jpg, and that is a good enough reason for you to do that, then go ahead and do it. But it won't make your application any more secure and will just cause for an extra step, either or.

[doubledee]

How would it better security?

 

Is it correct that once you run an Image through GD that it strips any nefarious code/payloads (e.g. embedded PHP)??

 

 

I am asking these questions because without knowing where you are going I cannot help you properly. As far as I know, there is nothing to do with security here. The file name itself, (not the extension) would be the security part. As long as that is handled properly it is fine. If you want the images to be "universal" and that is your reason for converting to jpg, and that is a good enough reason for you to do that, then go ahead and do it. But it won't make your application any more secure and will just cause for an extra step, either or.

 

If I am allowing Users to upload a Photo of themselves, would there be a benefit of having all of them be one format (e.g. JPEG)?

 

(Right now, I allow GIF, JPEG,and PNG to be uploaded.)

 

 

Debbie

 

[premiso]

Are you planning on executing an image? The only way I know for an image to be damaging is if someone potentially uploads an image from a website that is a script, but even then, you would have to execute that image in some way for it to be damaging. I could be wrong, but I don't think so. Even if someone put a whole php script in image code, the only way for that to be ran is A: You set the wrong header when serving the image; B: you include the image in a script. or C: you actively execute it by renaming it to .php and opening it in a browser.

 

As far as it stripping, I have no clue what GD does / does not do, this is the part where I would tell you to read the manual to find out that information.

 

The only benefit to having one format would be lack of having to remember the extension later on, but .png and .gif can be animated images, converting them to .jpg would remove any animation they may have and will just take the first frame. If you really don't want animated images, converting them to .jpg would alleviate that as a bonus I guess.

[doubledee]

Are you planning on executing an image? The only way I know for an image to be damaging is if someone potentially uploads an image from a website that is a script, but even then, you would have to execute that image in some way for it to be damaging. I could be wrong, but I don't think so. Even if someone put a whole php script in image code, the only way for that to be ran is A: You set the wrong header when serving the image; B: you include the image in a script. or C: you actively execute it by renaming it to .php and opening it in a browser.

 

As far as it stripping, I have no clue what GD does / does not do, this is the part where I would tell you to read the manual to find out that information.

 

If I recall what others have taught me, the risk is if an Image had a PHP payload and it was run/executed because I did not have my WebServer properly configured, which actually is the current case.

 

Of course if you strip any code embedded in an image, then the file can't do any harm regardless.

 

 

The only benefit to having one format would be lack of having to remember the extension later on, but .png and .gif can be animated images, converting them to .jpg would remove any animation they may have and will just take the first frame. If you really don't want animated images, converting them to .jpg would alleviate that as a bonus I guess.

 

So it sounds like you think I should just keep the native FIle Format that was uploaded?

 

(I thought that in the modern world that PNG was supposed to be the best format?)

 

 

Debbie

 

[requinix]

- Without going through the source code, I believe GD will write the image from scratch, because otherwise it would have to remember all the little bits of fluff it encounters when loading the data - and then write them back, assuming that the fluff is still accurate even after modifying the image. (Saying this because I know specifically of a few things that depend on the image data, thus changing the image data screws them up.)

 

- JPEGs are best for photographs. If people upload a PNG then it's quite possible they're not uploading a photograph (eg, some icon or glyph), in which case you probably want to keep it as a PNG. Then there's GIFs which can be animated. So it'll probably be better to keep whatever format they use.

 

- GD is quick and simple but isn't that great at preserving quality during operations (especially with palette images). If you need to keep quality, try ImageMagick instead.

[doubledee]

- Without going through the source code, I believe GD will write the image from scratch, because otherwise it would have to remember all the little bits of fluff it encounters when loading the data - and then write them back, assuming that the fluff is still accurate even after modifying the image. (Saying this because I know specifically of a few things that depend on the image data, thus changing the image data screws them up.)

 

I didn't follow what you just said.

 

Was that a "Yes, GD strips out nefarious code when it renders a new image" or a "No, any nefarious code will still be present in your new image."

 

 

- GD is quick and simple but isn't that great at preserving quality during operations (especially with palette images). If you need to keep quality, try ImageMagick instead.

 

How much harder is ImageMagick to work with?

 

 

Debbie

[Monkuar]

Are you planning on executing an image? The only way I know for an image to be damaging is if someone potentially uploads an image from a website that is a script, but even then, you would have to execute that image in some way for it to be damaging. I could be wrong, but I don't think so. Even if someone put a whole php script in image code, the only way for that to be ran is A: You set the wrong header when serving the image; B: you include the image in a script. or C: you actively execute it by renaming it to .php and opening it in a browser.

 

As far as it stripping, I have no clue what GD does / does not do, this is the part where I would tell you to read the manual to find out that information.

 

The only benefit to having one format would be lack of having to remember the extension later on, but .png and .gif can be animated images, converting them to .jpg would remove any animation they may have and will just take the first frame. If you really don't want animated images, converting them to .jpg would alleviate that as a bonus I guess.

 

.png cannot be animated images

[Pikachu2000]

.png cannot be animated images

 

O, RLY?

 

http://en.wikipedia.org/wiki/APNG

http://people.mozilla.com/~dolske/apng/demo.html

[Monkuar]

.png cannot be animated images

 

O, RLY?

 

http://en.wikipedia.org/wiki/APNG

http://people.mozilla.com/~dolske/apng/demo.html

 

i dont use crappy opera or firefox, so i never knew

 

pretty cool tho thanks for sharing

 

They are pretty worthless if the top major browsers in the world don't support them though.

[requinix]

Was that a "Yes, GD strips out nefarious code when it renders a new image" or a "No, any nefarious code will still be present in your new image."

GD doesn't know what "nefarious code" is. It was a "I believe" that it will not keep unrecognized stuff.

 

How much harder is ImageMagick to work with?

For most people I would say "easier" but you won't really know until you try.

[Psycho]

If I recall what others have taught me, the risk is if an Image had a PHP payload and it was run/executed because I did not have my WebServer properly configured, which actually is the current case.

 

And you were given instructions on how to prevent those security risks by renaming the file such that is doesn't have any php 'embedded' extensions and/or validating that it really is an image. The "malicious" images you are worried about are not really images. They are simply a script that is renamed to have the extension of an image (typically with an embedded 'php' extension). So, the process to convert an image will do the same thing as getimagesize() would do. It will work when it is a valid image and it will fail when it is not.

 

Are these profile type images? If so, then you will want to do some processing of the images to put them into an acceptable size. And, while doing that you can convert to a standard format. Otherwise, you might have someone upload an image like this for their profile image.

 

As already stated, there is no security need to convert the images to a standard format. If you need to maintain the original size of the image it would be more efficient to use the getimagesize() method to filter our potentially malicious uploads.

 

[doubledee]

If I recall what others have taught me, the risk is if an Image had a PHP payload and it was run/executed because I did not have my WebServer properly configured, which actually is the current case.

 

And you were given instructions on how to prevent those security risks by renaming the file such that is doesn't have any php 'embedded' extensions and/or validating that it really is an image.

 

Right. So?  I will be doing that.

 

 

The "malicious" images you are worried about are not really images. They are simply a script that is renamed to have the extension of an image (typically with an embedded 'php' extension). So, the process to convert an image will do the same thing as getimagesize() would do. It will work when it is a valid image and it will fail when it is not.

 

So other than the fact that I do need to create Thumbnails, you are saying there is no security value in re-rendering an Image?

 

 

Are these profile type images? If so, then you will want to do some processing of the images to put them into an acceptable size. And, while doing that you can convert to a standard format. Otherwise, you might have someone upload an image like this for their profile image.

 

Yes, they are User Images and the main reason I am using GD is to create smaller Thumbnails.

 

 

As already stated, there is no security need to convert the images to a standard format. If you need to maintain the original size of the image it would be more efficient to use the getimagesize() method to filter our potentially malicious uploads.

 

As mentioned, I am using getimagesize() to make sure an "image" is truly an image.

 

But based on prior conversations, I figured that it couldn't hurt to also use GD to strip out any nefarious code that might exist in an image.  And that is why I was asking.

 

 

Debbie

 

[Psycho]

The "nefarious" code you keep referring to would make the file an invalid image - i.e. it would not display as an image. So, if getimagesize() returns valid values then it doesn't have "nefarious" code. But, as stated already, if you have a need to convert the images, then by all means do so. But, if you are doing what you say you are, then you are adding any more security prevention to the process. The only thing that may be happening by recreating the images is that you would probably be removing any meta information attached to the image. That wouldn't be a security risk for your application, but there could be anything listed in those tags.

 

But, this is all moot. You've stated that you need to re-size these images anyway. So, the question of whether you "should" recreate the images or not is not a question since that will be happening when you re-size them anyway. Whether you use a common image type or not is a personal preference. Personally, I would use a common image type with the user id as the name of the image.

[Pikachu2000]

.png cannot be animated images

 

O, RLY?

 

http://en.wikipedia.org/wiki/APNG

http://people.mozilla.com/~dolske/apng/demo.html

 

i dont use crappy opera or firefox, so i never knew

 

pretty cool tho thanks for sharing

 

They are pretty worthless if the top major browsers in the world don't support them though.

 

Actually, it looks like there are only 2 major browsers that don't support it. One of those Is vEry crappy.

[requinix]

The "nefarious" code you keep referring to would make the file an invalid image - i.e. it would not display as an image. So, if getimagesize() returns valid values then it doesn't have "nefarious" code. But, as stated already, if you have a need to convert the images, then by all means do so. But, if you are doing what you say you are, then you are adding any more security prevention to the process. The only thing that may be happening by recreating the images is that you would probably be removing any meta information attached to the image. That wouldn't be a security risk for your application, but there could be anything listed in those tags.

Off the top of my head, both GIFs and JPEGs allow for arbitrary comments. It is entirely possible for images to contain malicious code.

 

[edit] Besides, getimagesize() only inspects a very small amount of the image. Just enough to grab the information it needs. It does not validate images.

[doubledee]

The "nefarious" code you keep referring to would make the file an invalid image - i.e. it would not display as an image.

 

But that's no true.

 

A legitimate GIF could have...

<?php phpinfo(); ?>

 

...inside of its comments section.

 

 

So, if getimagesize() returns valid values then it doesn't have "nefarious" code.

 

See above.

 

If someone put PHP in the comments section of an Image, and your code or webserver executed that file as a PHP file, the code would run!

 

 

But, as stated already, if you have a need to convert the images, then by all means do so. But, if you are doing what you say you are, then you are adding any more security prevention to the process. The only thing that may be happening by recreating the images is that you would probably be removing any meta information attached to the image. That wouldn't be a security risk for your application, but there could be anything listed in those tags.

 

I'm doing it mainly to create Thumbnails.

 

But I did believe it would be an extra security measure for the reasons mentioned above.

 

 

But, this is all moot. You've stated that you need to re-size these images anyway. So, the question of whether you "should" recreate the images or not is not a question since that will be happening when you re-size them anyway. Whether you use a common image type or not is a personal preference. Personally, I would use a common image type with the user id as the name of the image.

 

Some people say that is a security risk, and that I should rename the Images with hashed values...

 

 

Debbie

 

[premiso]

Ok, so if you already know how code can be injected, what are you debating here? Re-create the image with GD, use a hash for the name, for whatever reason and you are secure.

 

I am not sure why you are asking as we already confirmed all you wanted to know, and it seems like you knew it all already and were going about it right. So stop debating us about it, and go ahead and do it / try it! Want to see if comments are left after you recreate a gif? Try re-creating a gif with comments in it! Want to see if the gif can be executed in anyway shape or form on your server, try it!

 

You have your answer, now go and code!

[spiderwell]

proabably a bit late but i would say no to converting images to jpgs if gif or png, due to jpg inability to do transparency.

[Psycho]

The "nefarious" code you keep referring to would make the file an invalid image - i.e. it would not display as an image.

 

But that's no true.

 

A legitimate GIF could have...

<?php phpinfo(); ?>

That is moot as long as you are renaming the file so it would not be executed as a PHP file. You shouldn't care what anyone puts as comments inside a file. As stated COUNTLESS times, you have already been given the information needed to make sure that you are receiving valid images and what to do to safeguard them from being executed.