Upload image from string - image

If i have a filename for a local file on the computer:
$img = "deskfile:///D%3A%2FSCANS%2F%23AUKT%2Fimg2014%2F2014-06+SP%2FEPSON007.jpg"
how can i upload it the server without using the "file selector"?
If i enter the file adresses in the url window of a browser i can display the image.
But if i load the image in tag they won't display. I've read it's becuse of restrictions in the browser.
I can't add a value caluse to the either.
Is there anyway to upload the image from the string?
Or can i at least open the correct directory in the "file selector" so the user wont have the browse the whole computer when looking for the file?

Yes there is a way. You can use the File API with Html5 and/or a polyfill for this to load the image in the browser before posting it back to the server. The best such polyfill that I know of is called Moxy/Plupload. It includes Flash and Silverlight fallbacks for older browsers.

You can display the image because it is stored locally in your computer. How do you know where is the image going to be in the user's computer. The only way to access the user's file system is through the file selector, once the user has selected a file you can then use any API to save that file in the server on your terms, but you will not be able to see each of your users file system from you page (security reasons). Could you elaborate more in what you are trying to accomplish? What exactly are you trying to do?

Related

Image Upload Security - User Profile

we have to implement a feature user profile Image upload in our web application. the user can upload his profile image .
after uploading image it will be saved to DB2 DB .. and it will be rendered only to the user who uploaded the image after the login.
Technology stack -> J2EE , AIX, DB2.
we got a strange complaint from our security department that this feature needs to be dropped because the user may upload a virus and this will infect the server !
I don't understand how a user will upload the virus, at the end of the day the virus is a program that needs to be executed ,right?
second thing the platform is UNIX-AIX ,,, even if user uploaded a malware the server will not be infected , right ?
last thing, there is a possibility that user will be infected by XSS in case a JS file uploaded instead of image, but i can see that this in our case is not valid because only the user can upload the image and it will be rendered only to the user..
Is my understanding is right ?
No, it is actually possible to hide executable code in image files.
And when the user renders the image, it may be possible depending on the server configuration that the code inside the image can be executed.
See for example http://hackaday.com/2014/11/15/hiding-executable-javascript-in-images-that-pass-validation/
And search in google for gif executable, png executable, etc.
I have seen proofs of concepts that allow to run windows executables like this http://www.codeproject.com/Articles/9791/Hiding-EXE-Data-Within-GIF-Data, batch commands and other stuff for linux (even rm -fr *), php code and many others.
You will have to either verify the image or be sure the image is converted to a safe format before it gets rendered.

Javascript Upload and real image refresh/reload

I need to create, for a specific project, an image manager that works via Ajax (to get the list of images, display them, ...).
The upload of new images, or image modification, is done via an Ajax script (using the new javascript File API).
The upload works fine, but I encounter a problem in case of image modification : the image displayed by the browser after upload is the cached one and not the uploaded one !!
I know it's a classic cache problem, that can be solved via the 'imagesrc?new Date.getTime()' hack, but I can't use it here.
in fact, this hack doesn't really reload the image, it only create a new instance of the image into the cache, associated to the image url 'imagesrc?new Date.getTime()'.
So, if at any moment, into the image manager, I retry to display the image, without adding the '?new Date.getTime()' to the src, it will display again the old image.
And I either cannot add this hack systematically (because, for example, if the image manager needs to display a lot of very heavy images, it's usefull to get them from the browser cache until they are modified).
I searched a way to solve this problem on internet (really replace the cached image after a javascript upload instead of using the above hack), but I found nothing.
Is there a way to do this, or is it totally impossible ?
Any help or suggestion would be greatly appreciated.
Many thanks in advance
Olivier
Configure your server to send ETag-headers for the images.
An ETag is a hash-value of the file that changes when the file is modified. If an ETag is sent, the browser will add an If-None-Match-header containing the last received ETag of that ressource on its next request and the server will respond with 304: not modified to save traffic if nothing has changed or send the new file if there is one.

Image File Uploads Security

I am implementing a project to my site to allow users to upload image files (ai, pdf, jpeg, gif, tiff). I know this can be very risky but I was wondering what kind of security checks I should put in place to make sure these files to not cause my site any harm.
OR
Should I use something like dropbox to upload my images? If I do this is it possible to get these images whenever I want so I can display them within the browser to the user?
image uploads are fine, because you know what you want: An image
First rule is never to trust the client, so let the user upload the file (maybe you want to add an upload size limit).
Second, you have to ensure that the image is really an image so
Check the mime-type of the file (don't go by the file extension, use a real mime type check like the file shell command or an appropriate library)
To really make sure the file is OK, Open and Reprocess it using an image library like GD, ImageMagick etc. and save it to disk (keep in mind this needs some resource!). This will also filter out corrupted images.
An uploaded file usually doesn't harm the site itself but the users who download the file.
I've come across with a file uploading part of a project I worked.
Some high-level suggestions to complement sled's answer:
The mime type is set on base of the file extension, so it's no useful (as the file has not been uploaded yet to the server, the mime type is just a 'guess' in base of his extension).
So solutions would be:
Do the content check client-side (before sending the http-request)
When you get the whole file by HTTP do the check server-side before persisting to the disk.
Other Suggestions:
The simple file extension check
(wheter by filename or mime-type) is
the basic secutiry measure that also
has to be present.
Folder permissions: Don't allow execute permissions, don't allow the user to create new folders (as it might create a sub-folder with executing permissions).

extract URL from .swf file

I am trying to extract images from flash on the following web-site: http://meijer.shoplocal.com/meijer/default.aspx?action=entryflash&storeref=120
I noticed that every time I click on "Next image", an images is requested from sever. Sample URL is http://akimages.shoplocal.com/dyn_rppi/740.0.75.0/meijer/large/110206os_o_003_T1C1_2pw26.jpg
So, this URL is exactly what I need, but I don't know how to extract all these URLs from the .swf file I have. I don't have any experience with flash, but I think that URLs should be in the .swf file. I tried "grep '110206os_o_003_T1C1_2pw26' adspage_slider-2.swf", but didn't get any result :(((
Ivan,
Did you try a Flash decoder? It should allow you to access the code and respective resources. Another possible and easier way would be to use Fiddler2 to extract the URLs that you have clicked from the swf file. Still, before you move further, make sure that you're not breaking any of the site's Terms and Conditions.

Logging image downloads

I'm trying to find a way of finding out who is downloading what image from an image gallery. Users can download using a button beside the thumbnail or right click and use the "save link as" Is it possible to relate a user session or ID to a "save link as" action from all browsers using either PHP or JavaScript.
Yes, my preferred way of doing this would be via PHP. You'd have to set up a script which would load up the file and send it to the user browser. This script would also be able to log the download somewhere (e.g. your database).
For example - in very rough pseudo-code:
download.php
$file = $_GET['file'];
updateFileCount($file);
header('Content-Type: image/jpeg');
sendFile($file);
Then, you just have your download link point to download.php instead of the actual file. (Note that updateFileCount and sendFile are functions that you would have to provide, of course - this script is an example of a download script which you could use)
Note: I highly recommend avoiding the use of $_GET['file'] to get the whole filename - malicious users could use it to retrieve sensitive files from your web server. But the safe use of PHP downloads is a topic for another question.
You need a gateway script, like ImageDownload.php?picture=me.jpg, or something like that.
That page whould return the image bytes, as well as logging that the image is downloaded.
Because the images being saved are on their computer locally there would be no way to get that kind of information as they have already retrieved the image from your system. Even with javascript the best I know that you could do is to log each time a user presses the second mousebutton using some kind of ajax'y stuff.
I don't really like the idea, but if you wanted to log everytime someone downloaded an image you could host the images inside a flash or java app that made it a requirement to click a download image button. That way the only way for them to get the image without doing that would be to either capture packets as they came into their side or take a screenshot.
Your server access logs should already have the request for the non-thumbnailed version of the file, so you just need to modify the log format to include the sessionid, which I presume you can map back to a user.
I agree strongly with the suggestion put forward by Phill Sacre. For what you are looking for this is the way to go.
It also has the benefit of being potentially able to keep the tracked files out of the direct web path so that they can't be direct linked to.
I use this method in a client site where the images are paid content so must be restricted access.

Resources