I’m working on a site where users can post notes. I’m considering allowing users to post images by providing a url to the image (ie not uploading it via a form).
However, I’ve learned that this can be used to do some kind of hacking, for example, users can paste an url that is not an image, so when the page was load, a GET request will be made to that url.
I’d like to know:
1. what other malicious things could be done and how can I stop them?
2. is there an easy way (just use JavaScript) to check if an url is an image?
There are a lot of issues to be concerned with when allowing users to upload arbitrary files to a server (which this is).
Firstly, you need to make sure the file is an image, and can only be accessed as an image (ie not executed as a script)
Secondly, the image can’t be too large or act as a DoS to users or the server
Thirdly, you need to make sure you save the image in a secure way such that users can’t overwrite sensitive files.
Fourthly, serve all uploaded content from a different origin than your primary content. Not only is this more secure, it can also be faster (no cookies)
Fifth, ensure you use ImageMagick or GD to process the images to remove any unwanted data in the image. Remember that image files could be used as containers for more than just visible data.
Six: Be aware of path injection, LFI, RFI, etc attacks
Seven: Don’t rely on the extension to tell you what type of file an image is. Check this yourself.
Are users going to be pasting a link to an image or uploading a file from their own computer?
Let’s put it this way: the users are uploading arbitrary files to your server
Not really, and it wouldn’t help. You want to do server side checking
List of things for you to read:
http://www.scriptygoddess.com/archives/2004/10/19/gifs-that-execute-a-php-script/
There are more issues…