base64编码图像的安全性问题

时间:2021-12-14 15:31:00

I have an API that accepts base64 encoded image data, and will need to decode the data, save the image file, then create a thumbnail from that image.

我有一个接受base64编码图像数据的API,需要解码数据,保存图像文件,然后从该图像创建缩略图。

I am concerned that malicious code could get executed if I do not properly validate the contents of the POST payload before attempting to create a thumbnail.

我担心如果在尝试创建缩略图之前我没有正确验证POST有效内容的内容,恶意代码就会被执行。

The basic workflow I have thus far is below. Is there enough validation that I do not need to be concerned about security? I guess I am worried about someone encoding something bad, then when one of the image functions below is called, the internet explodes.

我到目前为止的基本工作流程如下。是否有足够的验证,我不需要担心安全性?我想我担心某人编码不好的东西,然后当调用下面的图像函数之一时,互联网就会爆炸。

<?php

$decodedImage = base64_decode($_POST["canvas"]);
if ($decodedImage === false) {
    // Error out
}

$imageSizeValidation = getimagesizefromstring($decodedImage);
if ($imageSizeValidation[0] < 1 || $imageSizeValidation[1] < 1 || !$imageSizeValidation['mime']) {
    // Error out
}

$tempFilePath = "/tmp/" . microtime(true) . "-canvas-web.jpg";
file_put_contents($tempFilePath, $decodedImage);

$originalWidth = $imageSizeValidation[0];
$originalHeight = $imageSizeValidation[1];
$newWidth = 49;
$newHeight = 49;

$scaleWidth = $newWidth / $originalWidth;
$scaleHeight = $newHeight / $originalHeight;
$scale = min($scaleWidth, $scaleHeight);

$width = (int)($originalWidth * $scale);
$height = (int)($originalHeight * $scale);

$xpos = (int)(($newWidth - $width) / 2);
$ypos = (int)(($newHeight - $height) / 2);

$oldImage = imagecreatefromjpeg($tempFilePath);
$newImage = imagecreatetruecolor($width, $height);
$background = imagecolorallocate($oldImage, 255, 255, 255);

imagefilledrectangle($newImage, 0, 0, $width, $height, $background);

imagecopyresampled($newImage, $oldImage, $xpos, $ypos, 0, 0, $width, $height, $originalWidth, $originalHeight);
imagedestroy($oldImage);

imagejpeg($newImage, "/path/to/new.jpg", 90);

imagedestroy($newImage);

1 个解决方案

#1


0  

Didn't end up getting any answers, so for those that are interested in what I ultimately did:

最终没有得到任何答案,所以对于那些对我最终做的事感兴趣的人:

After investigating this a bit more, I found that one of my biggest concerns was valid image files encoded with inline PHP, Ruby, etc. EG: An image with the following at the end:

在对此进行了更多研究之后,我发现我最关心的一个问题是使用内联PHP,Ruby等编码的有效图像文件.EG:最后一个带有以下内容的图像:

<?php phpinfo();

I ended up taking the decoded image data, and giving it to imagecreatefromstring(), then saving the image to a temp directory via imagejpeg().

我最终获取了解码后的图像数据,并将其提供给imagecreatefromstring(),然后通过imagejpeg()将图像保存到临时目录。

This seemed to remove any encoded PHP from the original image data. At that point I validated the image size data of the saved image using getimagesize(). Assuming that everything was valid at that point, I moved the image to a permanent location.

这似乎从原始图像数据中删除任何编码的PHP。此时,我使用getimagesize()验证了保存图像的图像大小数据。假设此时一切都有效,我将图像移动到永久位置。

Another thing I changed, was instead of using a filename based on a static string and microtime(), I used a hash.

我改变的另一件事是,而不是使用基于静态字符串和microtime()的文件名,我使用了哈希。

Regarding the concern of images with code injected, I found this link to be helpful: https://www.owasp.org/index.php/Unrestricted_File_Upload

关于注入代码的图像的关注,我发现这个链接很有帮助:https://www.owasp.org/index.php/Unrestricted_File_Upload

I also found this other SO post useful, as far as overall ideas go: Validating base64 encoded images

我还发现这个其他SO帖子很有用,就整体想法而言:验证base64编码的图像

Finally, the following book brought the concern of images with code to my attention in the first place: http://www.apress.com/9781430233183

最后,下面的书首先引起了关注图像和图像的关注:http://www.apress.com/9781430233183

#1


0  

Didn't end up getting any answers, so for those that are interested in what I ultimately did:

最终没有得到任何答案,所以对于那些对我最终做的事感兴趣的人:

After investigating this a bit more, I found that one of my biggest concerns was valid image files encoded with inline PHP, Ruby, etc. EG: An image with the following at the end:

在对此进行了更多研究之后,我发现我最关心的一个问题是使用内联PHP,Ruby等编码的有效图像文件.EG:最后一个带有以下内容的图像:

<?php phpinfo();

I ended up taking the decoded image data, and giving it to imagecreatefromstring(), then saving the image to a temp directory via imagejpeg().

我最终获取了解码后的图像数据,并将其提供给imagecreatefromstring(),然后通过imagejpeg()将图像保存到临时目录。

This seemed to remove any encoded PHP from the original image data. At that point I validated the image size data of the saved image using getimagesize(). Assuming that everything was valid at that point, I moved the image to a permanent location.

这似乎从原始图像数据中删除任何编码的PHP。此时,我使用getimagesize()验证了保存图像的图像大小数据。假设此时一切都有效,我将图像移动到永久位置。

Another thing I changed, was instead of using a filename based on a static string and microtime(), I used a hash.

我改变的另一件事是,而不是使用基于静态字符串和microtime()的文件名,我使用了哈希。

Regarding the concern of images with code injected, I found this link to be helpful: https://www.owasp.org/index.php/Unrestricted_File_Upload

关于注入代码的图像的关注,我发现这个链接很有帮助:https://www.owasp.org/index.php/Unrestricted_File_Upload

I also found this other SO post useful, as far as overall ideas go: Validating base64 encoded images

我还发现这个其他SO帖子很有用,就整体想法而言:验证base64编码的图像

Finally, the following book brought the concern of images with code to my attention in the first place: http://www.apress.com/9781430233183

最后,下面的书首先引起了关注图像和图像的关注:http://www.apress.com/9781430233183