Author Topic: Looking for a good image validation library  (Read 1394 times)

Offline Kryzen

  • On Hiatus
  • SMF Hero
  • *
  • Posts: 4,046
  • Gender: Male
    • nedroden on GitHub
Looking for a good image validation library
« on: August 14, 2017, 08:49:12 AM »
One of my projects requires an image upload system, which is not an issue, but in order to make sure it's secure and to avoid reinventing the wheel, I'm looking for a library that handles the image validation part. Basically all it'd need to do is make sure the image is actually an image (the cake may have been a lie, but a user-uploaded image shouldn't be). Since the project is primarily written in PHP, it'd be fantastic if the library were as well, and if the package could be installed using Composer, that would be even more fantastic.

Any suggestions would be most welcome.

Thanks!
- Kryzen
Amateur PHP & Java developer
DraiWiki | Project Alpha

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,055
    • Arantor on GitHub
Re: Looking for a good image validation library
« Reply #1 on: August 14, 2017, 09:17:31 AM »
What threat do you consider that you're trying to protect against? That it is literally just a valid image? (In which case, use something like the fileinfo extension to get its data)

If you have any real doubt about the validity of the image, load it with GD and resave it.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Kryzen

Re: Looking for a good image validation library
« Reply #2 on: August 14, 2017, 09:50:36 AM »
Thanks for the quick reply! Yes, correct, although I'm especially concerned about XSS injection through images. The risk of that happening may or may not be minimal, but if it's an actual threat (several websites mentioned something about it only affecting old browsers, while other sites mentioned it is still possible), I'd like to deal with it before it has any chance of causing serious problems. Both of your suggestions sound great, though. I'll probably go with the second. I'll let you know how it goes.

Thanks again for your help. :)

Offline Arantor

Re: Looking for a good image validation library
« Reply #3 on: August 14, 2017, 10:18:41 AM »
If you ensure it is a valid picture, and ensure it is served with the correct headers (because, ideally, you're serving it from outside the core filesystem, so you're serving it through PHP), you have done everything you can do from a general standpoint.

If you're protecting against a mostly-theoretical attack such as the one you described, open the file with GD, resave it with GD to strip everything and force re-encode it.
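
The approach described in replies #1 and #3 (check the content type with fileinfo, re-encode with GD, serve through PHP with explicit headers), as an added example that is not code from the thread or its participants. The function names, the storage directory, the allowed-type list, the pixel limit and the choice to store everything as PNG are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; names and limits are assumptions for illustration.
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_PIXELS = 25000000; // refuse decompression bombs before GD allocates the bitmap

/** Validate an upload, re-encode it with GD, return the stored file name. */
function storeUploadedImage(string $tmpPath, string $storageDir): string
{
    // 1. Detect the type from the file content, never from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES, true)) {
        throw new RuntimeException('Unsupported file type');
    }
    // 2. Read the header only and check the dimensions.
    $info = getimagesize($tmpPath);
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('Not an image, or too large');
    }
    // 3. Decode with GD; anything GD cannot parse is rejected.
    $data = file_get_contents($tmpPath);
    $img = is_string($data) ? @imagecreatefromstring($data) : false;
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // 4. Re-encode: only pixel data is written, so metadata, comments and
    //    trailing bytes are dropped (animated GIFs keep their first frame only).
    //    The stored name is random; the original file name is never used.
    $name = bin2hex(random_bytes(16)) . '.png';
    imagesavealpha($img, true);
    if (!imagepng($img, $storageDir . '/' . $name)) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

/** Serve a stored image from a directory outside the web root. */
function serveStoredImage(string $storageDir, string $name): void
{
    // Accept only names this code generated, which also rules out path traversal.
    if (!preg_match('/\A[0-9a-f]{32}\.png\z/', $name) || !is_file("$storageDir/$name")) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');           // fixed type, matches what was written
    header('X-Content-Type-Options: nosniff');   // stop browsers from sniffing it as HTML
    header('Content-Length: ' . filesize("$storageDir/$name"));
    readfile("$storageDir/$name");
}
```

The caller is expected to pass `$_FILES[...]['tmp_name']` only after `is_uploaded_file()` succeeds, and to keep `$storageDir` outside the document root.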