Jump to content

createjpeg and permissions

raku

By raku
in PHP Coding Help

 Share

Recommended Posts

raku Member

raku

Posted
Posted

Hi,

 

I am trying to create images with PHP. I originally got the error "permission denied" when I tried to use the createjpeg function. But, I created a directory "images" and gave it 707 permissions. PHP was then able to create the images inside that folder. The images created by php have the permissions 644. Is this safe, or a security hazard? The images seem to be fine with the 644 permissions, but I'm unsure about the directory having 707.

 

Thanks for your help!

Link to comment
https://forums.phpfreaks.com/topic/83014-createjpeg-and-permissions/
Share on other sites
raku Member

raku

Posted
  • Author
Posted

Hi,

 

I have a quick followup for this. Is there a way to check to make sure that a dangerous image isn't being created? The user has some control over this. Is there some sort of php antivirus that I could run every time an image is created, and then delete anything potentially harmful?

 

Thanks

raku Member

raku

Posted
  • Author
Posted

Perhaps more information will help bring a response.

 

It's a resize script. So the user enters a url for were their image is (i.e. www.example.com/example.gif) and chooses the kind of resizing they want.

 

I would like to make sure that their image is safe before doing anything with it. I'm guessing a good option here would be to do some kind of antivirus scan on the url they input.

 

Any help is appreciated!

corbin Regular Member

corbin

Posted
Posted

A virus could sit on a computer for ten thousand years and be perfectly safe as long as it was never opened....

 

You should be safe as long as the file extension isn't anything potentially harmful (.php, .exe, .pl, .cgi, .msi, so on).

 

Also, if you check for failed imagecreatefrom<format> calls, that should also be a clue.

raku Member

raku

Posted
  • Author
Posted

Thanks for the reply.

 

I only allow gifs, jpegs, and pngs, and if those three imagecreatefroms return false, the script stops.

 

The images aren't just shown to the user that inputs them, there is the option to make it available to everyone on the site -- a sort of slideshow type thing. So my worry is that if a virus is embedded in an image, and is then served to other users through the site, it may cause problems for the users and potentially even the server.

 

Is that possible?

 

Thanks for your time!

corbin Regular Member

corbin

Posted
Posted

Apache handles things based on file extensions.  Windows generally does too, but Linux isn't too aware of them.  Anyway, these file extensions tell Apache how to handle things.

 

Apache might go "Ok... I've got a .jpg; I need to send a message telling the client to treat it as an image, and then I need to read the contents of it to the client."  After sending the message [headers],  Apache would read the contents of the image to the client, similar to if you were to readfile() a file in PHP.  That's why file extensions are so important server side.  Even exe's can be safe server side depending on the setup of Apache.

 

Then client side, the browser gets the message [headers] and thinks "OK, This is an image.  I need to render it."  Then, it will try to render the image.  If it can't render it, it will just display that crazy red X everyone hates.  The only way a virus can be harmful when transmitted as an image would be if it was run by the client computer.  For example, if it some how got named an exe or the shell ran it as an EXE, both of which would require some user manipulating to happen.

 

So, theoretically, the worst virus in the world could be in a .jpg, and it would be harmless.

corbin Regular Member

corbin

Posted
Posted

No problem.

 

It's probably also worth noting that file permissions are more of a server side thing.

 

File permissions are more of designed to protect users from each other than outside sources.

 

Files can't be modified over HTTP.  That means that a folder could have full write access with full run access and what not, and it would be perfectly safe from a client<->server stand point.

 

The reason file permissions are good is because on my shared server, person A can't access my files.  He can't write php files to my folder, he can't mod my files, he can't even read my files (server side).

 

If I was to mod my file perms the wrong way, he could potentially mod/read/write my stuff.  (Some times though, it's done by groups, not users, and you aren't allowed to mod perms for different users, only your self, so you wouldn't even be able to give the wrong person file perms.)

 

 

Anyway, I'm far from an expect on Linux file perms (especially since I do 96% of my stuff on Windows ;p), but here're a few links:

 

http://www.comptechdoc.org/os/linux/usersguide/linux_ugfilesp.html

http://www.freeos.com/articles/3127/

http://www.google.com/search?hl=en&q=linux+file+perms&btnG=Search

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.