
I am doing a simple thumbnail generator; generating the thumbnail is no problem. I am using PHP, with file_get_contents to get the remote image content.

I am wondering if there is some security issue with downloading the file content like this (with cURL or file_get_contents).

  1. How can I limit the file size and stop the download at X MB?
  2. How can I check that the binary content has no dangerous code?
  3. Maybe there is another technology than PHP that fits my needs?

Thanks

Thomas Decaux
  • `with cURL or file_get_contents` be specific and provide some code as well. – The Alpha May 28 '14 at 22:39
  • 1
    you have limited control with `file_get_contents` although as of 5.1 it has support for `maxlen` but you're still at the mercy of the `allow_url_fopen` directive; I'd suggest using curl, this will help with the max download size: http://stackoverflow.com/questions/17641073/how-to-set-a-maximum-size-limit-to-php-curl-downloads – zamnuts May 28 '14 at 23:47
  • @zamnuts thanks, so I could use CURL WRITE FUNCTION to read the first bytes and detect a JPG/PNG! (according to http://stackoverflow.com/questions/3312607/php-binary-image-data-checking-the-image-type)! – Thomas Decaux May 29 '14 at 13:26

1 Answer


Here is a piece of code I will test:

// The remote image URL to fetch is in $imageUrl (set it before this snippet)
$cURL_Handle = curl_init($imageUrl);
curl_setopt($cURL_Handle, CURLOPT_BUFFERSIZE, 128);
curl_setopt($cURL_Handle, CURLOPT_NOPROGRESS, false);
// Since PHP 5.5 the progress callback receives the cURL handle as its first argument
curl_setopt($cURL_Handle, CURLOPT_PROGRESSFUNCTION, function(
    $ch, $DownloadSize, $Downloaded, $UploadSize, $Uploaded) {
    // If $Downloaded exceeds 1KB, returning non-0 breaks the connection!
    return ($Downloaded > (1 * 1024)) ? 1 : 0;
});
$firstBytes = '';
curl_setopt($cURL_Handle, CURLOPT_WRITEFUNCTION, function(
    $ch, $str) use (&$firstBytes) {
    // Grab the first bytes, check if they match an image "header signature"
    $firstBytes .= $str;
    // The callback must return the number of bytes it handled, or cURL aborts the transfer
    return strlen($str);
});
$ok = curl_exec($cURL_Handle);
Thomas Decaux
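The three questions above (cap the download size, check that the bytes really are an image, and fetch safely from PHP) can be answered in one place, as an added example that is not code from the question or the answer. It keeps the answer's idea of a cURL write callback but uses the callback itself as the byte cap (CURLOPT_MAXFILESIZE only works when the server sends an honest Content-Length), sniffs the magic bytes as soon as eight bytes have arrived, refuses URLs whose host resolves to a private or reserved address (the user-supplied URL is otherwise a server-side request forgery primitive), and never reuses the downloaded bytes: the thumbnail is re-encoded by GD, so anything hidden in EXIF data or comments is dropped. The function names, the 2 MiB and 40 megapixel caps and the placeholder URL are assumptions; it needs PHP 7.1+ with the curl and gd extensions.

```php
<?php
// Added example, not code from the original question or answer. Hypothetical: the
// function names, the 2 MiB and 40 Mpx caps, the placeholder URL. PHP 7.1+, curl + gd.
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;   // stop the download at 2 MiB

// 'jpeg' / 'png' / 'gif' when $head starts with that format's magic bytes, else null.
function sniffImageType(string $head): ?string
{
    $signatures = ["\xFF\xD8\xFF" => 'jpeg', "\x89PNG\r\n\x1A\n" => 'png',
                   'GIF87a' => 'gif', 'GIF89a' => 'gif'];
    foreach ($signatures as $magic => $type) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// SSRF guard: http(s) only, and the host must resolve to a public IPv4 address
// (IPv6-only hosts are refused as well: gethostbyname() returns the name unchanged).
function isPublicHttpUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // NO_PRIV_RANGE drops 10/8, 172.16/12, 192.168/16; NO_RES_RANGE drops 127/8,
    // 169.254/16 (cloud metadata), 0/8 and other reserved blocks.
    return filter_var(gethostbyname($p['host']), FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Download at most $maxBytes, aborting early if the first bytes are not an image.
function fetchImageBounded(string $url, int $maxBytes = MAX_IMAGE_BYTES): string
{
    if (!isPublicHttpUrl($url)) {
        throw new RuntimeException('URL refused: bad scheme or non-public host');
    }
    $buf = '';
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        // No automatic redirects: a 302 to http://127.0.0.1/ would bypass the host check.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 20,
        // Honoured only when Content-Length is sent (and it can lie): the callback is the real cap.
        CURLOPT_MAXFILESIZE    => $maxBytes,
        // Returning fewer bytes than received makes libcurl abort the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$buf, $maxBytes): int {
            if (strlen($buf) + strlen($chunk) > $maxBytes) {
                return 0;                          // too big: stop here
            }
            $buf .= $chunk;
            // Every accepted signature fits in 8 bytes, so 8 bytes are enough to decide.
            if (strlen($buf) >= 8 && sniffImageType($buf) === null) {
                return 0;                          // not an image: stop here
            }
            return strlen($chunk);
        },
    ]);
    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($ok === false) {
        throw new RuntimeException("download aborted or failed: $err");
    }
    if (sniffImageType($buf) === null) {
        throw new RuntimeException('body is not a JPEG, PNG or GIF');
    }
    return $buf;
}

// Re-encode to a fresh JPEG: the downloaded bytes (EXIF, comments and whatever is
// hidden in them) are never served or included, only what GD produces is.
function makeThumbnail(string $bytes, int $maxSide = 200): string
{
    // Check the declared size before decoding: a tiny PNG can declare a huge
    // canvas and exhaust memory when decoded (decompression bomb).
    $info = getimagesizefromstring($bytes);
    if ($info === false || $info[0] * $info[1] > 40000000) {
        throw new RuntimeException('bad or oversized image dimensions');
    }
    $src = imagecreatefromstring($bytes);
    if ($src === false) {
        throw new RuntimeException('decode failed');
    }
    $scale = min(1.0, $maxSide / max($info[0], $info[1]));
    $w = max(1, (int) round($info[0] * $scale));
    $h = max(1, (int) round($info[1] * $scale));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $info[0], $info[1]);
    ob_start();
    imagejpeg($dst, null, 85);
    return ob_get_clean();
}

// Usage (placeholder URL; store under a name you generate, never the remote file name):
// $thumb = makeThumbnail(fetchImageBounded('https://example.org/photo.jpg'));
// file_put_contents('/var/thumbs/' . bin2hex(random_bytes(8)) . '.jpg', $thumb);
```

Two caveats remain with this approach. Redirects are disabled on purpose: if you need them, fetch each Location header yourself and run isPublicHttpUrl on every hop, since cURL's own redirect following would talk to an internal address that the first check never saw. And the DNS check is only as good as the moment it ran; a host that answers with a public address first and a private one a second later (DNS rebinding) still gets through, which is why the real defence is to run the fetcher on a host or network segment that cannot reach anything internal.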