Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

Re^4: security: making sure graphics uploaded by users are safe

by gwadej (Chaplain)
on Sep 30, 2009 at 17:16 UTC ( #798408=note: print w/ replies, xml ) Need Help??


in reply to Re^3: security: making sure graphics uploaded by users are safe
in thread security: making sure graphics uploaded by users are safe

While you might be right that the OP is being overly cautious, saying that images files should not be dangerous is not quite correct. In the presence of bugs in the viewing software (which the OP cannot control), maliciously crafted images can be a security issue.

As a relatively paranoid individual, I follow the Security Now! podcast. I've been startled at the number of exploits based on errors in image processing programs reported in the past year.

During the Aug. 13, 2009 show, we heard about a buffer overflow in the ImageIO library that could result in either application termination or remote code execution. In the Sept. 3, 2009 show, there was discussion of a similar problem in libpng. Over the last year, it seems like there were at least a dozen of these kinds of exploits on one or another OS. (I think all of the majors were represented.)

That being said, I'm not sure that it's possible to perform a general test to find this kind of thing for an image upload site.

G. Wade


Comment on Re^4: security: making sure graphics uploaded by users are safe

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://798408]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (10)
As of 2014-12-18 18:41 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (59 votes), past polls