Re: [PHP] Re: how to detect type of image
- From: ceo@xxxxxxxxx ("Richard Lynch")
- Date: Wed, 25 Apr 2007 17:51:52 -0500 (CDT)
On Wed, April 25, 2007 7:00 am, Tijnema ! wrote:
> On 4/25/07, Satyam <Satyam@xxxxxxxxxxxxx> wrote:
>> Sorry I'm late to this thread, I don't know if it has been mentioned, but
>> most files have a 'magic number' at the beginning of the file, which
>> usually reads as a couple of letters or more. I think EXE files start with
>> MZ, gifs with GIFxx where xx is the last two digits of the year of the
>> standard.
>>
>> Just open files of the types you are concerned about and check the first
>> few characters.
>>
>> Satyam
>
> I believe that mime_content_type does this, by reading a .magic file.
> In a magic file, these are described, I believe. But how would you
> detect (by a magic number) if a script is HTML or PHP? No way :P
>
> Of course, both are not valid for an image file, but you might be
> worried when the first magic bytes are faked. Does somebody care if
> there are a few magic bytes displayed at the top of his page?
Yes, no, sort of.
Once you've checked the "magic numbers" at the start, the potential
abuses shrink DRAMATICALLY.
For example, I'm pretty sure that most Operating Systems will refuse
to execute a file that starts with 'GIF89a' as if it were a binary
executable.
That doesn't mean somebody couldn't manage to write an abusive Perl
script (or PHP script or Java applet or whatever) that "looks" like a
GIF because it starts with "GIF89a" and then that person might still
manage to trick your PHP script into putting it somewhere that it will
get executed as a script on your server, rather than just displayed as
a GIF (looking like "noise" or "abstract art", at best) in a browser.
But checking the magic number in some fashion will alter a huge
sucking chest wound of a Security hole into a small punctured lung of
a Security hole. :-)
You should, of course, also take care that the files in question could
not possibly get executed, nor passed into any kind of parser like
PHP, Perl, Python, Java, JSP, ASP, etc. That would be another barrier
to try to erect.
Every extra barrier you layer in there will slim down the number of
attackers that can get through, usually. "Defense in Depth" it's
usually called.
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
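The check Satyam and Richard describe, as an added example that is not part of the original thread: a PHP function that compares the first bytes of a file against a small table of known signatures (GIF87a/GIF89a, PNG, JPEG, and the MZ prefix of a DOS/Windows executable). The function names, the signature table and the sample byte strings are mine, and the sample inputs are constructed rather than real uploads. The last sample, a correct GIF signature followed by non-image bytes, is the case Richard raises: it passes the magic check, which is why the other barriers he lists (no execution, no hand-off to a script parser) are still needed.

```php
<?php
// Added example, not code from the original thread: detect a file type from
// its leading "magic" bytes and show what that check does and does not catch.
declare(strict_types=1);

// Leading byte sequences for a few well-known formats (hypothetical table,
// deliberately small; a real deployment would use a fuller list or fileinfo).
const MAGIC_SIGNATURES = [
    "GIF87a"             => 'image/gif',
    "GIF89a"             => 'image/gif',
    "\x89PNG\r\n\x1a\n"  => 'image/png',
    "\xFF\xD8\xFF"       => 'image/jpeg',
    "MZ"                 => 'application/x-dosexec', // DOS/Windows executable
];

/**
 * Return the label for the first signature that matches the start of $head,
 * or null when nothing matches. $head should hold at least the first 8 bytes.
 */
function detectByMagic(string $head): ?string
{
    foreach (MAGIC_SIGNATURES as $magic => $label) {
        // strncmp returns 0 only when the first strlen($magic) bytes are equal
        // and $head is at least that long, so a truncated head does not match.
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $label;
        }
    }
    return null;
}

/** Read only the first $length bytes of a file instead of loading all of it. */
function readHead(string $path, int $length = 16): string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $head = fread($fh, $length);
    fclose($fh);
    return $head === false ? '' : $head;
}

// Constructed sample inputs (not real files).
$samples = [
    // GIF signature plus the 6-byte logical screen descriptor of a 1x1 image
    'gif header' => "GIF89a\x01\x00\x01\x00\x00\x00",
    'png header' => "\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR",
    'exe header' => "MZ\x90\x00\x03\x00\x00\x00",
    'plain text' => "Hello, world",
    // Faked magic bytes: right prefix, then content that is not image data.
    // The magic check alone reports this as a GIF.
    'faked gif'  => "GIF89a" . "<not image data>",
];

foreach ($samples as $name => $bytes) {
    printf("%-11s -> %s\n", $name, detectByMagic($bytes) ?? 'unknown');
}

// Same check via a file path: write one constructed sample to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'magic');
file_put_contents($tmp, $samples['faked gif']);
printf("from file   -> %s\n", detectByMagic(readHead($tmp)) ?? 'unknown');
unlink($tmp);
```

Reading only the first 16 bytes keeps the check cheap for large uploads. Because the faked sample is accepted, treat the result as "plausibly an image", not proof: store accepted files outside any directory the web server will execute, serve them with a fixed image Content-Type, and never hand them to PHP or another interpreter, which is the layering Richard calls defense in depth.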