http://www.perlmonks.org?node_id=391346

Just saw prevent arbitrary code execution in images. It might not be a bad idea to scan images for viruses after they're uploaded.
http://clamav.net

Re: virus scanning uploaded images
by tye (Sage) on Sep 16, 2004 at 04:04 UTC

    I think your computer sucks if it is running code inside of images, whether it is virus code or not.

    We already ensure that uploads are always tagged as non-executable. That should be enough.

    I could imagine a version of MS IE being so broken as to notice that a data stream tagged as "image/gif" actually is the data from an MS Word document containing a macro virus, for example. But I think even they've been burned enough and this would be such a blatant security hole, that I'm not worried about it happening (and even if it did, I wouldn't care if an exploit got uploaded -- the blame would be all on the idiots who decided to *run* *data*).

    Update: Ah, buffer overruns. *sigh* I consider virus scanners the wrong solution to just about any problem. At level 5, the risk seems quite slim. I still vote 'no'. Now, an efficient image format validator would be a better solution here (so long as it doesn't have a buffer overrun bug in it...).

    - tye

        I think your computer sucks if it is running code inside of images, whether it is virus code or not.

      But computers do suck. And buffer overflows have been known to appear in software run on all sorts of operating systems.

      Update: ah, noticed your own update.
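The "image format validator" tye suggests instead of a virus scanner, as an added example in Python (not code from the thread or from PerlMonks): it checks that the declared content type matches the file's real header, that the header parses, and that the declared dimensions are plausible before the upload ever reaches an image library. GIF and PNG only; MAX_DIMENSION is an assumed limit.

```python
import struct

# Magic-byte signatures for two formats a web upload form commonly accepts.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

MAX_DIMENSION = 8192  # assumed sanity limit for declared width/height


def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def header_dimensions(mime, data):
    """Parse (width, height) from the format header; None if the header is malformed."""
    if mime == "image/gif":
        if len(data) < 13:  # 6-byte signature + 7-byte logical screen descriptor
            return None
        return struct.unpack("<HH", data[6:10])  # little-endian width, height
    if mime == "image/png":
        # 8-byte signature, then the IHDR chunk: length(4) 'IHDR'(4) width(4) height(4)
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        return struct.unpack(">II", data[16:24])  # big-endian width, height
    return None


def validate_upload(claimed_type, data):
    """Return (ok, reason); accept only when declared type, real header and size agree."""
    actual = sniff_type(data)
    if actual is None:
        return False, "not a recognised image format"
    if actual != claimed_type:
        # The "tagged image/gif but really a Word document" case from the thread.
        return False, "declared %s but data is %s" % (claimed_type, actual)
    dims = header_dimensions(actual, data)
    if dims is None:
        return False, "malformed image header"
    width, height = dims
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return False, "implausible dimensions %dx%d" % (width, height)
    return True, "ok"
```

Rejecting a mismatched or malformed header here costs a few byte comparisons, whereas a signature-based scanner only recognises samples it has already seen.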

Re: virus scanning uploaded images
by Aristotle (Chancellor) on Sep 17, 2004 at 00:47 UTC

    Why would someone upload an image with a known virus? That's all a virus scanner would catch, but there's nothing to be gained from doing that.

    If anyone seriously attempts to exploit this hole, they'd build their own exploit, which a virus scanner is useless against anyway.

    I'm with tye on this one.

    Makeshifts last the longest.