
virus scanning uploaded images

by crazyinsomniac (Prior)
on Sep 16, 2004 at 02:36 UTC (#391346=pmdevtopic)

Replies are listed 'Best First'.
Re: virus scanning uploaded images
by tye (Sage) on Sep 16, 2004 at 04:04 UTC

    I think your computer sucks if it is running code inside of images, whether it is virus code or not.

    We already ensure that uploads are always tagged as non-executable. That should be enough.

    I could imagine a version of MS IE being so broken as to notice that a data stream tagged as "image/gif" actually is the data from an MS Word document containing a macro virus, for example. But I think even they've been burned enough and this would be such a blatant security hole, that I'm not worried about it happening (and even if it did, I wouldn't care if an exploit got uploaded -- the blame would be all on the idiots who decided to *run* *data*).

    Update: Ah, buffer overruns. *sigh* I consider virus scanners the wrong solution to just about any problem. At level 5, the risk seems quite slim. I still vote 'no'. Now, an efficient image format validator would be a better solution here (so long as it doesn't have a buffer overrun bug in it...).

    - tye        
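
The "image format validator" idea from the update above, sketched for GIF as an added example (not code from this thread or from the PerlMonks code base): it walks the block structure and refuses any length field that points past the end of the upload. The name `validate_gif`, the 4096-pixel limit, the strict frame-inside-canvas rule and the sample bytes are assumptions made for illustration.

```perl
use strict; use warnings;
# Structural GIF check on raw bytes (read the upload with binmode). Walks every
# block; rejects lengths that run past the buffer, unknown block types, and
# bytes after the trailer. Does not decode LZW. Returns (ok, reason).
sub validate_gif {
    my ($buf, $max_dim) = (@_, 4096);             # 4096 is an assumed site limit
    my $len = length $buf;
    return (0, 'too short') if $len < 14;
    return (0, 'bad signature') unless substr($buf, 0, 6) =~ /\AGIF8[79]a\z/;
    my ($w, $h, $flags) = unpack 'v v C', substr($buf, 6, 5);
    return (0, 'bad dimensions') if !$w || !$h || $w > $max_dim || $h > $max_dim;
    # 13 bytes of header and screen descriptor, then the optional global color table
    my $pos = 13 + ($flags & 0x80 ? 3 * 2 ** (($flags & 7) + 1) : 0);
    my $skip = sub {    # skip length-prefixed sub-blocks up to the zero terminator
        while ($pos < $len) {
            my $n = ord substr($buf, $pos, 1);
            $pos += 1 + $n;
            return 1 if $n == 0;
        }
        return 0;       # ran off the end before finding the terminator
    };
    my $images = 0;
    while ($pos < $len) {
        my $type = ord substr($buf, $pos++, 1);
        if ($type == 0x3B) {                                # trailer
            return (0, 'no image') unless $images;
            return $pos == $len ? (1, 'ok') : (0, 'data after trailer');
        } elsif ($type == 0x21) {                           # extension
            $pos++;                                         # label byte
            $skip->() or return (0, 'truncated extension');
        } elsif ($type == 0x2C) {                           # image descriptor
            return (0, 'truncated descriptor') if $pos + 9 > $len;
            my ($x, $y, $iw, $ih, $f) = unpack 'v4 C', substr($buf, $pos, 9);
            return (0, 'frame outside canvas') if $x + $iw > $w || $y + $ih > $h;
            $pos += 10;                                     # descriptor + LZW code-size byte
            $pos += 3 * 2 ** (($f & 7) + 1) if $f & 0x80;   # local color table
            $skip->() or return (0, 'truncated image data');
            $images++;
        } else { return (0, sprintf('unknown block 0x%02X', $type)) }
    }
    return (0, 'missing trailer');
}

# Constructed 1x1 sample, then two damaged copies of it.
my $gif = 'GIF89a' . pack('v v C3', 1, 1, 0x80, 0, 0) . "\xFF\xFF\xFF\0\0\0"
        . "\x2C" . pack('v4 C', 0, 0, 1, 1, 0) . "\x02\x02\x44\x01\x00\x3B";
(my $overrun = $gif) =~ s/\x02\x44\x01\x00\x3B\z/\xFF\x44\x01\x00\x3B/;
for (['sample', $gif], ['sub-block overrun', $overrun], ['trailing bytes', $gif . 'junk']) {
    printf "%-18s %s\n", $_->[0], (validate_gif($_->[1]))[1];
}
```
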

        I think your computer sucks if it is running code inside of images, whether it is virus code or not.

      But computers do suck. And buffer overflows have been known to appear in software run on all sorts of operating systems.

      Update: ah, noticed your own update.

Re: virus scanning uploaded images
by Aristotle (Chancellor) on Sep 17, 2004 at 00:47 UTC

    Why would someone upload an image with a known virus? That's all a virus scanner would catch, but there's nothing to be gained from doing that.

    If anyone seriously attempts to exploit this hole, they'd build their own exploit, which a virus scanner is useless against anyway.

    I'm with tye on this one.

    Makeshifts last the longest.
