php - using fopen instead of upload to import external images to website over http

If you want to let your website users add their own images to your website you could offer them the option to upload a file using an HTML form - remembering to treat this ‘external data’ with extreme caution.

See http://www.phpfreaks.com/tutorials/36/0.php for a brief outline of how to do this AND thoroughly research the security implications of how to handle uploaded files.

However, in the project I’m working on at the moment, many of my client’s users wish to add images that are already located on the web. So he wishes to offer them the option to submit a URL to an image as an alternative to uploading it. This would save them the hassle of downloading the image to their PC and then having to upload it back onto the web via a form.

The whole concept of collecting files (located at URLs that are specified by users), storing them on a web server, then serving them on a PHP-enabled website makes me nervous. The last thing I want to do is to write a PHP script that obediently collects and stores a malicious script onto my client’s machine.

So, using my blog as a personal bookmark system… here are some links to various pages I find on the web that I will want to re-visit:

The most useful info I found so far:
Very interesting article. CTRL+F to “then storing the file on the server” on that page to jump to solutions to image problems:
http://ez.no/layout/set/printarticle/developer/articles/dangers_of_csrf_and_xss
It ends with… “So what is the bottom line, as far as the images go? Well, short of removing the functionality and preventing their use altogether, all other solutions merely make attacks more difficult, but certainly not impossible.”

So in conclusion - I’m going to advise my client that the whole idea of letting users pass URLs to images instead of using an upload form needs a re-think.

Another page on this, that may well be a duplicate:
http://ez.no/developer/articles/dangers_of_csrf_and_xss/on_fake_images_can_anything_be_done

Other info:

A forum post asking how to do this from an admin perspective using fopen, fread and fwrite:
http://www.webmasterworld.com/forum88/447.htm

stream_context_create looks interesting too:
http://uk2.php.net/manual/en/function.stream-context-create.php

The getimagesize function in PHP - which accepts a URL as its argument:
http://uk.php.net/manual/en/function.getimagesize.php

cURL’s curl_getinfo function, which may or may not be useful for determining file types etc.:
http://uk.php.net/manual/en/function.curl-getinfo.php

A cautionary word on using images that may contain malicious PHP code:
http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html

PHP docs on using remote files:
http://uk3.php.net/manual/en/features.remote-files.php

copy()
http://uk3.php.net/manual/en/function.copy.php

file_get_contents()
http://uk3.php.net/manual/en/function.file-get-contents.php

Remember localhost - check if it could be abused!
…more as I find it…
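As an added example (my own sketch, not code from the original post or from any of the pages linked above), here is how the pieces referenced in these bookmarks could be combined defensively in PHP: validate the submitted URL and refuse hosts that resolve to localhost or private addresses, download with cURL under a hard size cap and with redirects disabled, then re-encode the bytes through GD so that only pixel data reaches disk. The function names, the 2 MiB limit and the storage directory are assumptions of mine; the directory is assumed to sit outside the web root and to be served by a script that sends a fixed image Content-Type.

```php
<?php
// Added example, not part of the original post. Function names, the size cap
// and the storage directory are assumptions for illustration.

const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // 2 MiB download cap (assumed value)

// Accept only plain http(s) URLs whose host resolves to a public address.
function validateImageUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https are allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in URL are not allowed');
    }
    // Resolve the host and refuse loopback, link-local, reserved and private
    // ranges: this is the "remember localhost" point, where a fetch would
    // otherwise reach services running on the web server itself.
    $ip = gethostbyname($parts['host']); // returns the input unchanged on failure
    if ($ip === $parts['host'] && filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('Host does not resolve');
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        throw new InvalidArgumentException('Host resolves to a non-public address');
    }
    // Caveat: cURL resolves the name again when it connects, so a DNS answer
    // that changes between the two lookups is not caught by this check alone.
    return $url;
}

// Download with a bounded body size; redirects are disabled because a 3xx
// could otherwise send the request to an internal host we never validated.
function fetchBounded(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        CURLOPT_FOLLOWLOCATION   => false,
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT   => 5,
        CURLOPT_TIMEOUT          => 15,
        CURLOPT_MAXFILESIZE      => MAX_IMAGE_BYTES, // only honoured with Content-Length
        CURLOPT_NOPROGRESS       => false,
        // Abort as soon as the received body exceeds the cap, header or not.
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) {
            return $dlNow > MAX_IMAGE_BYTES ? 1 : 0; // non-zero aborts the transfer
        },
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException('Download failed: ' . ($err !== '' ? $err : "HTTP $status"));
    }
    return $body;
}

// Re-encode through GD and write under a name we choose. The output holds only
// pixel data, so anything hidden in comments or metadata of the original file
// (the GIF trick from the phpclasses link) does not survive. Animation is lost.
function storeAsClean(string $bytes, string $storeDir): string
{
    $info = getimagesizefromstring($bytes);
    if ($info === false) {
        throw new RuntimeException('Not a recognised image');
    }
    if (!in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        throw new RuntimeException('Unsupported image type');
    }
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        throw new RuntimeException('Image data failed to decode');
    }
    // Random filename and fixed extension: never reuse the remote file's name.
    $path = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($im, $path);
    imagedestroy($im);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $path;
}

// Usage, with the URL taken from the form field (field name assumed):
// $saved = storeAsClean(fetchBounded(validateImageUrl($_POST['image_url'])), '/var/app/images');
```

Each stage fails closed: a bad URL, an oversized or non-200 response, or bytes that GD cannot decode all stop the process before anything is written. This only narrows the attack surface in the way the eZ article describes; it does not remove the need to keep the stored files out of any directory from which PHP can be executed.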

Feel free, as always, to add comments to discuss this issue…
