Recreating An Uploaded Image to Protect It Against Virus?


phdphd

Hi All,

Is recreating an uploaded image an efficient way to protect it against a potential virus?

I came across this solution at the following address: http://security.stackexchange.com/questions/26690/use-php-to-check-uploaded-image-file-for-malware at the paragraph starting with "Best I can think for PHP is to re-create the image".

Thanks

It's a very common area for questions, as an efficient way can involve several options and methods depending on which environment the server is in; I am assuming you are on a UNIX/Linux environment. Without going into too much detail, I'm going to try and give some useful tips for you.

1. Use input validation to ensure the uploaded filename uses an expected extension type

2. Ensure the uploaded file is not larger than a defined maximum file size

3. Ensure the image is served with the correct content type (image/jpeg, image/png, etc.)

4. Ensure the uploaded directory has correct file/directory permissions itself.

5. Ensure the uploaded file does not have executable rights.

6. Use some Apache techniques like ".htaccess" and ".htpasswd", which provide server configuration options on a per-directory basis.

7. Use image rewriting libraries in PHP to verify the image is valid and to strip away extraneous content.

8. Set the extension of the stored image to be a valid image extension based on the detected content type of the image. Do not just trust the header from the upload PHP script.


So, I think this covers the very basics of security measures, and I hope it has helped you.

jazz.
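
As an added example (not part of either post above, and not code from the linked Stack Exchange answer), here is one way tips 2, 5, 7 and 8 could be combined using PHP's GD and fileinfo extensions. The function name `reencode_image`, the size limit, the allowed types and the appended marker are assumptions made for illustration; in an upload handler the source path would be the `tmp_name` entry of `$_FILES`, checked with `is_uploaded_file()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: re-encode an image and keep only the re-encoded copy.
function reencode_image(string $srcPath, string $destDir, int $maxBytes = 2000000): string
{
    // Tip 2: enforce a maximum size before decoding anything.
    $size = filesize($srcPath);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('File missing or too large');
    }

    // Tip 8: take the type from the file content, not from the client-supplied header.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($srcPath);
    $extensions = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($extensions[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Tip 7: decode with GD; data that is not a valid image fails here.
    $image = @imagecreatefromstring((string) file_get_contents($srcPath));
    if ($image === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // Server-chosen name and extension; the original filename is never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $extensions[$mime];
    $ok = $mime === 'image/png' ? imagepng($image, $dest) : imagejpeg($image, $dest, 90);
    if (!$ok) {
        throw new RuntimeException('Re-encoding failed');
    }

    chmod($dest, 0640); // Tip 5: no execute bit on the stored file.
    return $dest;
}

// Constructed sample: a small PNG with a benign marker appended after the image data.
$src = tempnam(sys_get_temp_dir(), 'up');
$img = imagecreatetruecolor(8, 8);
imagepng($img, $src);
file_put_contents($src, 'CONSTRUCTED-TRAILING-MARKER', FILE_APPEND);

$out = reencode_image($src, sys_get_temp_dir());
var_dump(strpos(file_get_contents($src), 'CONSTRUCTED-TRAILING-MARKER') !== false); // original file
var_dump(strpos(file_get_contents($out), 'CONSTRUCTED-TRAILING-MARKER') !== false); // re-encoded copy
unlink($src);
unlink($out);
```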
