My website allows users to attach external image to their post. Sometimes when the host server of the image has malware.
My website will have this google malware warning
http://media.photobucket.com/image/google%20malware%20warning/unfuccwittable/MalwareWarning.jpg
Is there anything i can do on my end to prevent this? Like a php code to check the image before allowing displaying of the image on my website?
There are several PHP functions that can check a file for whether it is an image.
To make 100% sure, you would have to take every incoming image, create a copy of it using the GD library, and save that copy.
That will make absolutely sure no malware can pass through.
However, images are likely to lose quality, because GD's JPG compressor is not as good as Photoshop's for example. Also there will be issues with transparent images (they can be sorted out though).
CMYK images will not work at all with this method, but that's rather good, seeing as Internet Explorer can't display them, anyway.
Sorry, i just created an account. It's not affecting my server, it's just that warning, people will not proceed on to the website. I tried to google seems to not be able to find anything.
I gotta say, there is NOTHING like posting a big red warning on your site to attract visitors.
Since your using PHP, all public images should be ran through php-gd. This will verify its an image or fail. Also, it will remove geotagging metadata (stuff that some people consider private)
Related
In Imgur, you can input an image URL and a few seconds later, there's a thumbnail of the image. Or in Bing Search, you can (or used to) be able to view a thumbnail of the website in the search results before visiting it.
I would love to implement something similar for my website, but I can't wrap my head around on how it is done. Moreover, are there not security concerns? I'd imagine the servers have to at least download the website, render it and take a screenshot. What if it's a malicious website, and you download something malicious on your server?
A headless Web browser engine like PhantomJS can be used for this. See example on their wiki. Yes, it would be prudent to run this in some sort of a sandbox, feeding a queue of URLs into it, then taking the generated thumbnails from the file system.
While I don't know the internal workings of any of the aforementioned services, I'd guess that they download/create a local copy of the images and generate a thumbnail from that.
Imgur, as an image hosting service, definitely needs a copy of the image prior to being able to generate thumbnails or anything else from it. The image may be stored locally or just in memory, but either way, it must be downloaded.
The search engines displaying screenshots of the sites likely have services that periodically take a screenshot of the viewable area when the content is getting indexed, and then serve those screenshots (or derivatives) along with the search results. Taking a screenshot really isn't dangerous, so there's nothing to worry about there, and whatever tools are used to load/parse/index the websites will obviously be written with security considerations in mind.
Of course, there are security concerns about the data you're downloading, too; the images can easily contain executable code (such as PHP) in their EXIF data, so you need to be careful about what you do with the images and how.
Ok, here is what I'm trying to do.
On my site, I have a set of images I've uploaded to use as my avatar. Those sites usually asks for different sizes and are very picky to what kind of URLs they accept.
What I'm trying to do is to get a Gravatar image, from the Gravatar server, and serve it using a customized URL, on the fly or with cache.
My Gravatar URL for an image 100x100px:
http://gravatar.com/avatar/b6e428090e62182266a4e9dd87297ee1.png?s=100
What I want to offer to websites, more or less:
http://alenonimo.com.br/avatar/avatar100.png
Now let me explain the issue I'm trying to solve here, because it's interesting.
Some sites accepts third party URLs for avatar images, like phpBB and the like. They also have different sizes they prefer, like 100x100 pixels, 120x120 pixels, 200x200 pixels, etc. Yet, they refuse to accept the Gravatar URL if it comes with the "s" variable on the URL, which defines the size of the images served from Gravatar. The default size is always 80x80 pixels without the option.
So I want to serve those sites the Gravatar images and defining the size on the URL, in a way it doesn't notice that's coming from Gravatar's image generator. I want those sites to think the image actually comes from my website. It would allow me to set the size for those sites that doesn't accept Gravatar and luckily allow me to change all the avatar images on all those sites at once by just going to Gravatar.
I'm pretty sure it could be done using Apache's RewriteEngine, yet I lack the code-fu to do it. All the examples that I've found on the net regards redirecting content from the same site to somewhere else on the same site, which is not the case. I also wanted to make sure the size attribute would be a more or less valid number, instead of accepting anything. So a file called "100.png" would be okay but "banana.png" would not.
This for itself would be interesting but it occured me another thing. What if the site doesn't accept PNG files but accept JPG or GIF files? Probably wouldn't happen on sites which just show images but it would be interesting for me if I also could offer images to sites which uploads from URLs too. Also, maybe making sure something shows up even if Gravatar goes offline would be interesting too, like a cache system. That could be achievable with PHP but I'm not sure how complicated it would be.
Could someone help me with the RewriteEngine rules? Or even giving me some pointer on how to make this PHP script? Would it be interesting to someone else in here?
Here you go, you need to make your server listen to .php file with .png extension which can be done quite easily using .htacces
RewriteEngine on
RewriteRule ^avatar/([a-z,A-Z,0-9,-_]+)$ index.php?avatar_param=$1
Php Script
<?php
if(isset($_GET['avatar_param']))
{
$avatar_size = filter_var($_GET['avatar_param'],FILTER_SANITIZE_NUMBER_INT);
$user_email_hash = 'b6e428090e62182266a4e9dd87297ee1';
$get_gravar_image = 'http://gravatar.com/avatar/'.$user_email_hash.'.png?s='.$avatar_size;
echo '<img src="'.$get_gravar_image.'" />';
}
?>
By looking the your provided url structure i have used the numbers as the size of the image, just use the above code it will work for you.
Just try to play with the size in the url you will find it dynamic and working the nice way
Demo
http://thetutlage.com/demo/avatarProblem/avatar/avatar100.png
Okay, I know questions like this exist in multiple forms across StackOverflow and other places on the web, but none of them is pointing me to what I actually need (maybe I missed a question that was more catered to my problem).
I need a Facebook-style image upload mechanism, using Codeigniter and javascript/jquery. Here's what it's supposed to do -
Using a single file upload control (or for that matter any clickable control), open up the "Choose Files" dialog window, and allow the user to select multiple images from it. (I know this cannot yet be done in IE, and I do not really care about the multiple file selection not working in IE).
Once the user has selected the files, the page should display a series of progress bars (like Facebook does). As each image gets uploaded, the corresponding progress bar reaches 100% (if it's simpler to implement, I am willing to forego the graphical progress bar for a text that displays the progress percentage), and the thumbnail of the image is displayed next to the completed progress bar (or text). At this point, the user should have the option to delete the uploaded image by clicking a cancel button (I think I can get this part working on my own).
The upload can be sequential (like Facebook does), or asynchronous (some upload libraries I found work this way).
What's most important (and the part that is stumping me) is the thumbnail generation. I know that there's some HTML5/CSS3 technique that allows you to display the thumbnail before the files have actually been uploaded, pulling them directly from the user's hard drive. But that won't work in IE8, and while I am not concerned about the multiple image selection not working in IE8, I need for the thumbnail generation to work cross-browser, and that includes IE8 (deciding on the browser compatibility is not something I can command, so please don't come up with a "screw IE!" solution).
I have tried using uploadify (I have no constraints against using Flash), but cannot seem to able to customize it to my needs. While uploadify does indeed display progress bars, I was unable to find a way to generate (and display) thumbnails on the fly, in accordance with the behavior I described above. I know how thumbnail generation works on PHP, just cannot figure out how to implement this together with the progress indicators. Am I looking for a suitable jQuery/ajax call?
Any help and/or pointers would be appreciated. I admit that I might have missed a StackOverflow question that would solve my issue, so please direct me to that page, or to any other page you believe will help me. Please feel free to suggest upload libraries other than uploadify, which you believe I might find useful.
Thanks in advance. And thanks for reading through all this - I tried my best to make the question properly descriptive!
I have used Jquery file upload with good results. It does need IE to be in compatibility mode, but worked well for chrome/firefox.
UPDATE. It now claims to support IE 6.0+.
I'll focus on point 4 here. It can be done, but you'll end up using iframes (yeah, I now).
They can be 1px small, but you'll need them if you want to create thumbnail previews.
A good starting point would be here: http://www.zurb.com/playground/ajax_upload
As for creating the actual preview images (smaller versions) you can use CI's image library.
Let me know how it works out.
suppose there is an image on web without watermark. And someone downloads it and makes some edits on it like adding watermark etc etc. Is it possible to write a script in php to compare these two images. Like when I submit these two images to the script, it should be able to output the original image and manipulated image.
I read google's webmaster page which says
Google often finds multiple copies of the same image online. We use many different signals to identify the original source of the image
Blockquote
This is the main concern of my question
One more doubt is will there be any meta tags inside an image. if at all how to read them. Is it possible to edit them. Are there any information(not visual) inside an image which cannot be edited.
Anything within the image can be edited (it is, after all, just a collection of bytes), and it's definitely trivial for someone to add a watermark to an image, or simply change the contrast ever-so-slightly, to make it a very different file from the original. There are several other non-destructive changes that would make image files look completely different to a naive comparison algorithm (e.g., scaling, changing filetypes and compression, changing brightness, rotation, etc.).
Advanced image processing algorithms, however, can still often identify similarities between images that have been manipulated in ways like those above. There are many algorithms to do this, and honestly you could spend thousands of hours trying to roll an algorithm like this yourself. These sorts of algorithms are referred to as "content-based image retrieval."
You might be better off calling into engine that's already been developed to do exactly this. Here are some possibilities:
TinEye has a RESTful API that you can use, described here.
You could scrape the response from Google's Search by Image results using this technique.
You could use any of the number of suggestions within this slightly older StackOverflow post.
Good luck!
Photos taken by digital cameras usually have exif data embedded.
You can get the data with the exif_read_data function in PHP.
As for identifying similar images, here's some useful resources:
TinEye
SO Q on image similarity
The comments on Resig's article
You could submit both images to ImageEdited and see which one has been edited. Even if the exif data's missing, it tells when an image has been created with a program.
What about if I let users insert links to their own host's images, do I need to prevent any type of security issue?
To better exaplain, <img src="somedomain/somefile"/> in which case should make my site vulnerable?
One potential problem with allowing arbitrary image URLs is that the image's host could track all views and IP addresses. In a forum with little traffic that could put the image host in the position to identify specific users' IP addresses.
Another is that you don't control what is shown in the image. An image resource could be dynamic and show pretty much anything at any given time to any user.
Then there's the very remote risk of an image exploiting a vulnerability in a visitor's browser or image library. But those are exceedingly rare and likely to get patched quickly - I myself know of only one instance this has happened on a larger scale.
Stack Overflow with is massive reach and traffic still allows external images - from that I tend to deduce that the risks are somewhat manageable.
Still, if you want to make really sure, you're best off fetching the image resource, copying it using an image library (to make sure it's a real image and to strip any sensitive metadata), and storing it on your server.
Also if you're doing a simple string insertion into your markup someone could close the image tag and start a script tag or something like that. So you should be watching for script injection in whatever form the user gets to set such an image src attribute.
For example what if the image src was set to this:
myimagefile.jpg" /><script> ... </script>
You can see how that would get rid of the image tab altogether and start doing something else in a script tag. You need to make sure whatever they enter actually points to an image before you save it and start writing it out on live pages.
This style of script injection could for example read from a form on the page (maybe including personal information, login details, or session ids) and send end users info back to some bad hackers data collection point using jsonp.