Closed EmilyChews closed 3 years ago
There doesn't seem to be an equivalent of the imagecreatefromjpeg() though?
There isn't, and there won't be. It's an impossible task for Imagick to try to make files 'safe' in that manner.
I have a couple of regexs that remove php or javascript tags from the file after using file_get_contents() to get the file data in string form, but appreciate this is quite weak.
This is just the wrong approach to take. If users can ever find a way for any file they control to be parsed by PHP, that is inevitably going to cause surprises. As per the security guidelines in the readme:
NEVER directly serve any files that have been uploaded by users directly through PHP, instead either serve them through the webserver, without invoking PHP, or use readfile to serve them within PHP.
Serving images as images, rather than hoping you've removed anything potentially malicious is the only approach that is sensible.
Thanks Danack. The images are going to be in a static folder outside of the public root anyway, but I thought I'd just check. Emily.
Hi,
In the GD image library if you use imagecreatefromjpeg() to create an image resource and then use it with imagescale() to resize an image and imagejpeg() to send the image to a destination folder, the process creates a duplicate of the image purely with image data only - I believe this is done with the initial imagecreatefromjpeg() method.
The equivalent functions in Imagick as far as I can see are resizeImage() and writeImage() for the resizing and placing it in the folder/destination. There doesn't seem to be an equivalent of the imagecreatefromjpeg() though?
My question is - is there such a function, and if not do either the resizeImage() and writeImage() undertake this role, and if that is also a 'no', what steps would you recommend in terms of stripping out malicious code/data?
I have a couple of regexs that remove php or javascript tags from the file after using file_get_contents() to get the file data in string form, but appreciate this is quite weak.
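A sketch of the readme guidance quoted in this thread (serve uploads with readfile so PHP never parses them), added here as an example; it is not code from the Imagick project or from either participant. The upload directory, the 32-hex-character ID scheme and the `?id=` parameter are assumptions.

```php
<?php
// Added example. Assumptions: uploads are stored outside the document root
// under server-generated names (<32 hex chars>.<ext>), and this script is
// requested with ?id=<32 hex chars>.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/app/uploads';   // hypothetical path outside the web root
const ALLOWED = [                        // MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Resolve an ID to a stored file and its MIME type, or null if not servable. */
function resolveUpload(string $id, string $dir = UPLOAD_DIR): ?array
{
    // Only server-generated names are accepted, so no user-supplied path
    // component ever reaches the filesystem.
    if (preg_match('/\A[a-f0-9]{32}\z/', $id) !== 1) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    foreach (ALLOWED as $mime => $ext) {
        $path = "$dir/$id.$ext";
        // The file's own magic bytes decide the type, not the uploader's name.
        if (is_file($path) && $finfo->file($path) === $mime) {
            return ['path' => $path, 'mime' => $mime];
        }
    }
    return null;
}

$id   = $_GET['id'] ?? null;
$file = is_string($id) ? resolveUpload($id) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $file['mime']);        // always an allowlisted image type
header('X-Content-Type-Options: nosniff');       // browser must not re-guess the type
header('Content-Disposition: inline; filename="image"');
header('Content-Length: ' . (string) filesize($file['path']));
readfile($file['path']);  // streams raw bytes; the file is never include()d or parsed
```

Even if an uploaded JPEG still carries embedded PHP or script text, this path only copies bytes to the response under an image content type, which is why no stripping step is needed for serving.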