I’m talking about user-uploaded images. These images might be unsafe and may even contain scripts and such. I was told that as long as I don’t execute the image, I should be fine. What exactly counts as executing an image? If the user uploads a .png and I need to convert it to .jpg first before displaying it, does this conversion count as executing the image?
If you e.g. use some library to work with the image, then the only way for that to be a security risk is an issue with the library itself. E.g. if there is a buffer overflow security issue in the library, the mere process of reading the image could potentially make it execute the code conveniently hidden in the image (i.e. the image would not be an image anymore; it would be turned into code).
If you use standard libraries, the chances of such security holes are rather slim. Not zero, though, but I guess you would have to either live with that or never look at any digital picture in your life again.
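The answer's point is that a conversion is not "executing" the image, but it does mean feeding attacker-controlled bytes to a decoder, and the decoder is where any bug lives. A cheap defensive step is to validate the header before the full decoder ever sees the file, so obviously malformed or absurdly large inputs are rejected early. The following is an added example written for this thread, not code from the poster or any image library; it parses only the PNG signature and the IHDR chunk using the Python standard library, verifies the IHDR CRC, and enforces a pixel budget. The `MAX_PIXELS` value is an assumed limit to be tuned per service, and the sample files are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 50_000_000  # assumed budget; tune to what your converter may allocate
MAX_PNG_DIM = 2**31 - 1  # PNG spec: dimensions are 31-bit unsigned


def inspect_png_header(data: bytes) -> dict:
    """Check the signature and IHDR chunk only, without decoding pixel data.

    Raises ValueError on anything that a decoder should never be handed.
    """
    # signature (8) + IHDR length (4) + type (4) + body (13) + CRC (4)
    if len(data) < 33:
        raise ValueError("too short to be a PNG")
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG signature")

    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")

    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    # The CRC covers the chunk type and body; a mismatch means corruption or tampering.
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
        raise ValueError("IHDR CRC mismatch")

    width, height, bit_depth, color_type, comp, filt, interlace = struct.unpack(
        ">IIBBBBB", body
    )
    if not (0 < width <= MAX_PNG_DIM and 0 < height <= MAX_PNG_DIM):
        raise ValueError("invalid dimensions")
    # Decompression-bomb guard: refuse before the decoder allocates width*height*bpp.
    if width * height > MAX_PIXELS:
        raise ValueError("exceeds pixel budget")
    if (bit_depth not in (1, 2, 4, 8, 16) or color_type not in (0, 2, 3, 4, 6)
            or comp != 0 or filt != 0 or interlace not in (0, 1)):
        raise ValueError("unsupported IHDR field values")

    return {"width": width, "height": height,
            "bit_depth": bit_depth, "color_type": color_type}


def is_acceptable(data: bytes) -> bool:
    """Gate to run before handing the upload to the real converter."""
    try:
        inspect_png_header(data)
        return True
    except ValueError:
        return False


def make_png_header(width: int, height: int, bit_depth: int = 8,
                    color_type: int = 6) -> bytes:
    """Construct a signature + IHDR prefix (test data, not a complete PNG)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    chunk = b"IHDR" + body
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + crc


if __name__ == "__main__":
    # Constructed samples: a normal header, an oversized one, a non-image, a tampered one.
    normal = make_png_header(640, 480)
    oversized = make_png_header(100_000, 100_000)
    not_png = b"this is not an image at all"
    tampered = bytearray(normal)
    tampered[20] ^= 0x01  # flip a bit inside the IHDR body so the CRC no longer matches
    for name, sample in [("normal", normal), ("oversized", oversized),
                         ("not_png", not_png), ("tampered", bytes(tampered))]:
        print(f"{name}: {'accept' if is_acceptable(sample) else 'reject'}")
```

This check does not make the decoder safe; it only keeps clearly bad inputs away from it. Run the actual conversion in an isolated, resource-limited worker (a separate process or container with a memory cap) so that a decoder bug in the library costs you a worker, not the web tier.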