virus scanning uploaded images

by crazyinsomniac (Prior)
on Sep 16, 2004 at 02:36 UTC ( #391346=pmdevtopic )
crazyinsomniac has raised the following topic:

Re: virus scanning uploaded images
by tye (Cardinal) on Sep 16, 2004 at 04:04 UTC

    I think your computer sucks if it is running code inside of images, whether it is virus code or not.

    We already ensure that uploads are always tagged as non-executable. That should be enough.

    I could imagine a version of MS IE being so broken as to notice that a data stream tagged as "image/gif" actually is the data from an MS Word document containing a macro virus, for example. But I think even they've been burned enough and this would be such a blatant security hole, that I'm not worried about it happening (and even if it did, I wouldn't care if an exploit got uploaded -- the blame would be all on the idiots who decided to *run* *data*).

    Update: Ah, buffer overruns. *sigh* I consider virus scanners the wrong solution to just about any problem. At level 5, the risk seems quite slim. I still vote 'no'. Now, an efficient image format validator would be a better solution here (so long as it doesn't have a buffer overrun bug in it...).

    - tye        

        I think your computer sucks if it is running code inside of images, whether it is virus code or not.

      But computers do suck. And buffer overflows have been known to appear in software run on all sorts of operating systems.

      Update: ah, noticed your own update.

Re: virus scanning uploaded images
by Aristotle (Chancellor) on Sep 17, 2004 at 00:47 UTC

    Why would someone upload an image with a known virus? That's all a virus scanner would catch, but there's nothing to be gained from doing that.

    If anyone seriously attempts to exploit this hole, they'd build their own exploit, which a virus scanner is useless against anyway.

    I'm with tye on this one.

    Makeshifts last the longest.
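
tye's update above suggests an image format validator in place of a virus scanner. As an added illustration (not code from this thread or from the PerlMonks code base), here is a structural PNG check in Perl that bounds-checks every declared chunk length before reading anything that depends on it. The choice of PNG, the names `png_problem` and `chunk`, and the `$MAX_DIM` limit are assumptions; the sample files are constructed inline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Compress::Zlib qw(crc32 compress);  # crc32() is the CRC PNG chunks use

my $PNG_SIG = "\x89PNG\r\n\x1a\n";
my $MAX_DIM = 10_000;   # assumed upload policy limit, not from the thread

# Returns undef when $data is a structurally sound PNG, else a reason string.
sub png_problem {
    my ($data) = @_;
    return 'bad signature' unless substr($data, 0, 8) eq $PNG_SIG;
    my ($pos, $end, $count, $seen_iend) = (8, length $data, 0, 0);
    while ($pos < $end) {
        return 'data after IEND'        if $seen_iend;
        return 'truncated chunk header' if $end - $pos < 12;
        my ($len, $type) = unpack 'N a4', substr($data, $pos, 8);
        return 'bad chunk type' unless $type =~ /\A[A-Za-z]{4}\z/;
        # Check the declared length against the bytes actually present
        # before reading anything that depends on it.
        return "chunk $type overruns file" if $len > $end - $pos - 12;
        my $crc = unpack 'N', substr($data, $pos + 8 + $len, 4);
        return "bad CRC in $type"
            unless $crc == crc32(substr($data, $pos + 4, 4 + $len));
        if ($count++ == 0) {
            return 'first chunk is not a 13-byte IHDR'
                unless $type eq 'IHDR' && $len == 13;
            my ($w, $h) = unpack 'N N', substr($data, $pos + 8, 8);
            return 'implausible dimensions'
                if !$w || !$h || $w > $MAX_DIM || $h > $MAX_DIM;
        }
        $seen_iend = 1 if $type eq 'IEND';
        $pos += 12 + $len;
    }
    return $seen_iend ? undef : 'missing IEND';
}

# Constructed sample input: a 1x1 greyscale PNG built chunk by chunk.
sub chunk {
    my ($type, $body) = @_;
    return pack('N', length $body) . $type . $body . pack('N', crc32($type . $body));
}
my $good = $PNG_SIG . chunk('IHDR', pack('N N C5', 1, 1, 8, 0, 0, 0, 0))
         . chunk('IDAT', compress("\0\0")) . chunk('IEND', '');
my $oversize = $good;
substr($oversize, 8, 4) = pack 'N', 0x7FFFFFFF;   # IHDR claims ~2 GB of data
my %samples = (good => $good, oversize => $oversize,
               trailing => $good . 'extra', not_png => "GIF89a" . "\0" x 20);
printf "%-9s %s\n", $_, png_problem($samples{$_}) // 'ok' for sort keys %samples;
```

The check never decodes pixel data, so it only rejects files whose container structure is malformed; it does not vouch for the compressed image stream inside IDAT.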
