
virus scanning uploaded images

by crazyinsomniac (Prior)
on Sep 16, 2004 at 02:36 UTC (#391346)

Re: virus scanning uploaded images
by tye (Sage) on Sep 16, 2004 at 04:04 UTC

    I think your computer sucks if it is running code inside of images, whether it is virus code or not.

    We already ensure that uploads are always tagged as non-executable. That should be enough.

    I could imagine a version of MS IE being so broken as to notice that a data stream tagged as "image/gif" actually is the data from an MS Word document containing a macro virus, for example. But I think even they've been burned enough and this would be such a blatant security hole, that I'm not worried about it happening (and even if it did, I wouldn't care if an exploit got uploaded -- the blame would be all on the idiots who decided to *run* *data*).

    Update: Ah, buffer overruns. *sigh* I consider virus scanners the wrong solution to just about any problem. At level 5, the risk seems quite slim. I still vote 'no'. Now, an efficient image format validator would be a better solution here (so long as it doesn't have a buffer overrun bug in it...).

    - tye

        I think your computer sucks if it is running code inside of images, whether it is virus code or not.

      But computers do suck. And buffer overflows have been known to appear in software run on all sorts of operating systems.

      Update: ah, noticed your own update.
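An added example of the "efficient image format validator" tye suggests, written for this page and not code from PerlMonks or from tye (and in Python rather than the site's Perl). It checks that an upload is structurally a GIF, PNG or JPEG before anything decodes it: signature, header fields, PNG IHDR CRC, JPEG frame header, and sane dimensions. Every read goes through a bounds-checked helper so a truncated or hostile file yields a clean rejection instead of an over-read, which is the buffer-overrun worry raised above. The MAX_DIMENSION limit and the sample files are constructed assumptions, not site policy.

```python
"""Header-level validator for uploaded GIF, PNG and JPEG files (added example)."""
import struct
import zlib

MAX_DIMENSION = 8192  # assumption: largest width/height the site will accept

# JPEG start-of-frame markers (SOF0..SOF15 minus DHT, JPG, DAC which share the range)
_SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
                0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


class InvalidImage(ValueError):
    """The bytes are not structurally the image they claim to be."""


def _need(data, offset, n):
    """Return data[offset:offset + n], refusing to read past the end of the buffer."""
    if offset < 0 or offset + n > len(data):
        raise InvalidImage("truncated: need %d bytes at offset %d" % (n, offset))
    return data[offset:offset + n]


def _check_dims(width, height):
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise InvalidImage("unreasonable dimensions %dx%d" % (width, height))


def _validate_gif(data):
    # 6-byte signature, then the 7-byte logical screen descriptor
    width, height, packed = struct.unpack("<HHB", _need(data, 6, 5))
    _check_dims(width, height)
    if packed & 0x80:  # global colour table flag: 3 * 2^(N+1) bytes must follow
        _need(data, 13, 3 * (2 << (packed & 0x07)))
    if data[-1:] != b"\x3b":
        raise InvalidImage("missing GIF trailer byte")
    return ("gif", width, height)


def _validate_png(data):
    length, ctype = struct.unpack(">I4s", _need(data, 8, 8))
    if ctype != b"IHDR" or length != 13:
        raise InvalidImage("first chunk is not a 13-byte IHDR")
    body = _need(data, 16, 13)
    (crc,) = struct.unpack(">I", _need(data, 29, 4))
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:  # CRC covers type + data
        raise InvalidImage("IHDR CRC mismatch")
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    _check_dims(width, height)
    if depth not in (1, 2, 4, 8, 16) or colour not in (0, 2, 3, 4, 6):
        raise InvalidImage("bad PNG bit depth or colour type")
    return ("png", width, height)


def _validate_jpeg(data):
    offset = 2  # just past the SOI marker
    for _ in range(256):  # bounded walk; a real file reaches SOF within a few segments
        start = offset
        while _need(data, offset, 1) == b"\xff":  # 0xFF fill bytes are permitted
            offset += 1
        if offset == start:
            raise InvalidImage("expected a marker at offset %d" % offset)
        marker = data[offset]
        offset += 1
        if marker in (0x00, 0xD9, 0xDA):
            raise InvalidImage("scan data or EOI reached before a frame header")
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            continue  # TEM, RSTn and SOI are stand-alone markers without a length
        (seg_len,) = struct.unpack(">H", _need(data, offset, 2))
        if seg_len < 2:
            raise InvalidImage("bad segment length")
        segment = _need(data, offset + 2, seg_len - 2)
        if marker in _SOF_MARKERS:
            if len(segment) < 5:
                raise InvalidImage("short frame header")
            _precision, height, width = struct.unpack(">BHH", segment[:5])
            _check_dims(width, height)
            return ("jpeg", width, height)
        offset += seg_len
    raise InvalidImage("too many segments before the frame header")


def validate_image(data, claimed_type=None):
    """Return (format, width, height) or raise InvalidImage. If claimed_type
    (the upload's Content-Type) is given, the bytes must match it too."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        result = _validate_gif(data)
    elif data[:8] == b"\x89PNG\r\n\x1a\n":
        result = _validate_png(data)
    elif data[:3] == b"\xff\xd8\xff":
        result = _validate_jpeg(data)
    else:
        raise InvalidImage("no recognised image signature")
    if claimed_type is not None and claimed_type != "image/" + result[0]:
        raise InvalidImage("bytes are %s but upload claims %s" % (result[0], claimed_type))
    return result


def is_valid_image(data, claimed_type=None):
    """Boolean wrapper for an upload handler."""
    try:
        validate_image(data, claimed_type)
        return True
    except InvalidImage:
        return False


# Constructed samples (hypothetical, not from the thread): a 1x1 GIF, the standard
# 1x1 RGBA PNG, a 3x2 JPEG header, and an OLE2 (legacy Word) header tagged as a GIF.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00\x3b")
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              b"\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
              b"\x00\x00\x00\x0dIDAT\x78\xda\x63\x64\x60\xf8\x5f\x0f\x00\x02\x87\x01\x80\xeb\x47\xba\x92"
              b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
SAMPLE_JPEG = (b"\xff\xd8" b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xc0\x00\x11\x08\x00\x02\x00\x03\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" b"\xff\xd9")
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
```

Run against the samples, validate_image accepts the three real headers and reports their dimensions, while the OLE header presented as image/gif, a GIF cut off after ten bytes, and a PNG whose IHDR was edited without fixing the CRC are all refused before any decoder sees them. It deliberately stops at the frame header: it is a gatekeeper for "is this plausibly the format it claims", not a full decoder, which is what keeps it small enough to audit.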

Re: virus scanning uploaded images
by Aristotle (Chancellor) on Sep 17, 2004 at 00:47 UTC

    Why would someone upload an image with a known virus? That's all a virus scanner would catch, but there's nothing to be gained from doing that.

    If anyone seriously attempts to exploit this hole, they'd build their own exploit, which a virus scanner is useless against anyway.

    I'm with tye on this one.

    Makeshifts last the longest.
