
I need to allow site users to supply remote "hotlinked" images.

I realize this is a little dangerous, so here's the procedure currently:

1) parse the path provided using PHP pathinfo and break the path into parts (host, filename, extension) that are then properly escaped.

2) execute a curl request for the image headers as described here: How can one check to see if a remote file exists using PHP? and verify that it's got a valid png or jpg mime type and an HTTP 200 return code.

3) verify that the filename and extension (from the pathinfo above) are a valid png or jpg file (I'm not accepting gifs etc.)

4) finally, store the image path data in multiple columns in the DB (escaping the data)

Am I missing anything? Is there any danger still lurking? I was thinking perhaps I should re-do the curl function on the display end too, to make sure the image is still there and that it's still an image.

Thanks for any advice.

julio
  • If you want to be even smarter, you can try fetching the actual data and then try creating the image object in PHP. However whatever you do at this point will not prevent somebody from putting a correct image on a remote server, providing you with the URL and then changing that image to something malicious. – Aleks G Mar 29 '12 at 15:54
  • @AleksG -- yeah, that's the issue, and why I'm thinking it might be best to do the curl on display as well as save. However, that almost defeats the purpose of allowing remote images (since I'll be getting the bandwidth hit as well as the storage hit, even if temporarily) – julio Mar 29 '12 at 15:55
  • Why do you want to do this anyway? What risks do you fear when the path would not be audited? – Gumbo Mar 29 '12 at 16:59
  • @Gumbo-- allowing users to essentially post un-checked content in a site is a very bad idea. It could be a script, malware embedded in animated gif, etc. – julio Mar 29 '12 at 17:22

1 Answer


Make sure it's not donkey porn?

... Seriously though the only thing I can think of is if it's a script/exe/bin that outputs an image to the screen (think PHP/GD) but does something else in the background at the same time.

CAPTCHAs, for instance, output an image but may store the "right answer" in the session at the same time (behind the scenes) just by calling <img src="/img/captcha.php" ... />.

There's no reason mod_rewrite couldn't be used to call that same PHP script with <img src="/img/captcha.jpg" ... />. HTTP headers could be set to report the MIME type as "image/jpg" with a response of 200.

I think you're doing pretty much everything you can; though you could probably use the GD library to read in the image the user has submitted and create a copy of it (as an image) on your system rather than remote linking.

CD001
  • lol-- porn is the least of my worries. If it's just an offensive image, that can be dealt with. I'm more concerned with XSS, malware, etc. Thanks for the idea re: a CGI type of setup. – julio Mar 29 '12 at 20:54
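The following is an added example, not code from the question author or the answerer. It walks through the four steps in the question (parse with pathinfo, curl HEAD check for HTTP 200 and a png/jpeg Content-Type, extension whitelist) and then does what the answer and Aleks G's comment suggest: download the bytes with a size cap, let GD prove they decode as an image, and store a re-encoded local copy instead of hotlinking. It assumes PHP with the curl and GD extensions; the function names, the size limit and the placeholder URL are my own choices.

```php
<?php
// Added example: validate a user-supplied remote image URL, then keep a
// GD re-encoded local copy. Function names and limits are assumptions.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;          // 2 MiB cap on the download (assumed)
const ALLOWED_MIME    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Steps 1 and 3: parse the URL, require http/https, a host, and a png/jpg extension.
function validateImageUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;                               // no file://, ftp://, data: etc.
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_MIME, true) ? $url : null;
}

// Step 2: HEAD request; require HTTP 200 and an image/png or image/jpeg media type.
// Redirects are refused so the check applies to the URL we were actually given.
function remoteHeadersLookLikeImage(string $url): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 5,
    ]);
    curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    // Content-Type may carry parameters ("image/png; charset=..."); keep the media type only.
    $mediaType = strtolower(trim(explode(';', $type, 2)[0]));
    return $code === 200 && isset(ALLOWED_MIME[$mediaType]);
}

// Fetch the body with a byte cap and let GD decode it. Headers and extensions
// are only claims; imagecreatefromstring() fails on anything that is not pixel data.
function fetchAndDecodeImage(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_IMAGE_BYTES,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body) || $body === '' || strlen($body) > MAX_IMAGE_BYTES) {
        return null;
    }
    $info = getimagesizefromstring($body);
    if ($info === false || !in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG], true)) {
        return null;
    }
    $img = @imagecreatefromstring($body);
    return $img === false ? null : $img;
}

// The answer's suggestion: store a re-encoded copy rather than remote-linking.
// Re-encoding through GD drops metadata and any bytes appended after the image,
// and it removes the "swap the remote file later" problem raised in the comments.
function storeLocalCopy(string $url, string $destDir): ?string
{
    if (validateImageUrl($url) === null || !remoteHeadersLookLikeImage($url)) {
        return null;
    }
    $img = fetchAndDecodeImage($url);
    if ($img === null) {
        return null;
    }
    // Name the copy ourselves; never reuse the remote filename on disk.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage (placeholder URL, not a real target):
// $saved = storeLocalCopy('https://example.com/path/photo.jpg', __DIR__ . '/uploads');
// echo $saved === null ? "rejected\n" : "stored as $saved\n";
```

The decode step is what answers the answer's captcha.jpg scenario: a script can send any Content-Type and status it likes, but it cannot make non-image bytes pass `imagecreatefromstring()`, and once the copy lives on your server the remote file can change without affecting what you display. Note that the server is now the one opening connections to whatever host the user names, so in production you would also restrict which resolved addresses the fetch may contact (not shown here).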