Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

While you might be right that the OP is being overly cautious, saying that images files should not be dangerous is not quite correct. In the presence of bugs in the viewing software (which the OP cannot control), maliciously crafted images can be a security issue.

As a relatively paranoid individual, I follow the Security Now! podcast. I've been startled at the number of exploits based on errors in image processing programs reported in the past year.

During the Aug. 13, 2009 show, we heard about a buffer overflow in the ImageIO library that could result in either application termination or remote code execution. In the Sept. 3, 2009 show, there was discussion of a similar problem in libpng. Over the last year, it seems like there were at least a dozen of these kinds of exploits on one or another OS. (I think all of the majors were represented.)

That being said, I'm not sure that it's possible to perform a general test to find this kind of thing for an image upload site.

G. Wade

In reply to Re^4: security: making sure graphics uploaded by users are safe by gwadej
in thread security: making sure graphics uploaded by users are safe by keiusui

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    [Corion]: Discipulus: I don't know whether I could really do that, but the init process itself mostly launches other processes, and the whole startup is just following a path of dependencies and making sure they are all running. Which basically is what ...
    [Discipulus]: when at work my time is (temporarly) owned by the firm, so i do not care (coworkers whatch movies.. I code Perl)
    [Corion]: ... make already does, except for files instead of programs. But maybe with some /proc hackery, that could be eliminated and one could use plain make :-D
    [choroba]: systemd just makes is asynchronous
    [choroba]: so, make -j
    [Corion]: Discipulus: Yeah - but when writing Perl to save time (instead of having fun), it helps to look whether you're actually saving time ;) Why spend 5 minutes doing manually what you can spend three years automating? ;)
    [Corion]: choroba: Oh, yeah :-D

    How do I use this? | Other CB clients
    Other Users?
    Others musing on the Monastery: (6)
    As of 2017-07-27 09:34 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?
      I came, I saw, I ...
























      Results (408 votes). Check out past polls.