globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Implement sanitization on receivers/node pictures #355

Open fpietrosanti opened 11 years ago

fpietrosanti commented 11 years ago

We would like to ask the pentester what the best way is to implement validation so that only gif/png/jpg/jpeg files are accepted as images.

That's because of #247, where we removed the libjpeg conversion that was acting implicitly as a validator.

We have two things to be considered:

Should we really check the magic through the library "filemagic", or can we just check the file extension, given that a) this is an operation that only the admin can do and b) there is additional protection on the "output"?

Currently the issue is low-impact because only the Administrator can subvert the image file, but in future we may wish to open this opportunity also to Receivers, requiring strong validation for those files.


fpietrosanti commented 11 years ago

From .mario., the best practice to do it:

1. Filesize (mitigating crashes, DoS, flooding)
2. Check MIME type via magic bytes (type validation 1)
3. Check extension (mitigate XSS, RCE)
4. Compare MIME to extension (mitigate type confusion)
5. Get dimensions (mitigate overlapping data, XSIO)
6. Repaint twice (mitigate attacks using the recalc'd data to contain payload)
7. Rename (mitigate XSS via filename)
8. Store and Deploy

vecna commented 11 years ago

prerequisite: extend DB (version 3 to 4)

verify: libmagic? Pillow again? something simpler that works over images?

vodkina commented 11 years ago

this is not a vuln till issue #156 is implemented.

hellais commented 11 years ago

to verify images I would suggest just extracting the magic bytes we need and implementing a simple function in GLBackend that checks whether the file contains magic bytes from a set.
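As an added example (not code from the GlobaLeaks project or from anyone in this thread), here is a stdlib-only Python sketch of the magic-bytes check suggested above, extended to cover steps 1 to 5 and 7 of .mario.'s list for the gif/png/jpg set this issue is about; the size and dimension caps are assumed values, and the "repaint twice" step is left out because it needs an image library such as Pillow.

```python
import struct
import uuid
MAX_IMAGE_BYTES = 2 * 1024 * 1024   # assumed size cap (mitigates DoS/flooding)
MAX_DIMENSION = 4096                # assumed width/height cap
# Leading bytes ("magic") that identify each accepted format.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",)}
# Extension -> canonical type, so the sniffed type can be compared to the extension.
EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
# JPEG start-of-frame markers (SOF0..SOF15 minus DHT/JPG/DAC) carry the dimensions.
JPEG_SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def sniff_type(data):
    # Return 'gif', 'png' or 'jpg' from the magic bytes, or None.
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None

def dimensions(kind, data):
    """Parse (width, height) from the header; None if the header is malformed."""
    if kind == "png" and len(data) >= 24 and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if kind == "gif" and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if kind == "jpg":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker, seglen = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in JPEG_SOF:
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return (width, height)
            i += 2 + seglen
    return None

def validate_picture(filename, data):
    """Run the checks in order; return (kind, width, height) or raise ValueError."""
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("file too large")
    kind = sniff_type(data)
    if kind is None:
        raise ValueError("content is not gif/png/jpeg")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXTENSIONS.get(ext) != kind:
        raise ValueError("extension does not match content")
    dims = dimensions(kind, data)
    if dims is None or not all(0 < d <= MAX_DIMENSION for d in dims):
        raise ValueError("missing or oversized dimensions")
    return (kind,) + tuple(dims)

def storage_name(kind):
    """Drop the client-supplied name; store under a random name with a fixed extension."""
    return "%s.%s" % (uuid.uuid4().hex, kind)
```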

vecna commented 11 years ago

Standby of this feature: