Image File Uploads Security - image

I am implementing a project to my site to allow users to upload image files (ai, pdf, jpeg, gif, tiff). I know this can be very risky but I was wondering what kind of security checks I should put in place to make sure these files to not cause my site any harm.
OR
Should I use something like dropbox to upload my images? If I do this is it possible to get these images whenever I want so I can display them within the browser to the user?

image uploads are fine, because you know what you want: An image
First rule is never to trust the client, so let the user upload the file (maybe you want to add an upload size limit).
Second, you have to ensure that the image is really an image so
Check the mime-type of the file (don't go by the file extension, use a real mime type check like the file shell command or an appropriate library)
To really make sure the file is OK, Open and Reprocess it using an image library like GD, ImageMagick etc. and save it to disk (keep in mind this needs some resource!). This will also filter out corrupted images.
An uploaded file usually doesn't harm the site itself but the users who download the file.

I've come across with a file uploading part of a project I worked.
Some high-level suggestions to complement sled's answer:
The mime type is set on base of the file extension, so it's no useful (as the file has not been uploaded yet to the server, the mime type is just a 'guess' in base of his extension).
So solutions would be:
Do the content check client-side (before sending the http-request)
When you get the whole file by HTTP do the check server-side before persisting to the disk.
Other Suggestions:
The simple file extension check
(wheter by filename or mime-type) is
the basic secutiry measure that also
has to be present.
Folder permissions: Don't allow execute permissions, don't allow the user to create new folders (as it might create a sub-folder with executing permissions).

Related

Use EC2 for PDF Generation, provide public URL to user

I have developed an application which allows Users to select multiple "transactions"; each of this is directly related to a PDF file.
When a User multi-selects them, and "prints" them, these PDF files are merged into one longer file to provide ease of print.
Currently, "transaction" PDFs are generated on request, and so is PDF-merging.
I'm trying to scale this up relaying over Amazon infrastructure, some questions arised to me.
Should I implement a queue for the PDF generation per "transaction"? If so, how can I provide the user a seamless experience? We don't want them to "wait"
Can I use EC2 to generate these PDF files for me? If so, can I provide a "public" link for the user to download the file directly from Amazon, instead of using our resources.
Thanks a lot!
EDIT ---- More details
User inputs some information through a regular form
System generates a PDF per request, using the provided information for the document
The PDF generated by the system is kept under Amazon S3
We provide an API which allows you to "print" multiple pdfs at once, to do so, we merge the selected PDF files from S3, into one file for ease-of-print
When you multi-print documents, a new window is opened which is your merged file directly, user needs to wait around 20ish seconds for it to display.
We can to leverage the resources used to generate the PDFs onto Amazon infrastructure, but we need to keep the same flow, meaning, we should provide an instant public link to the User to download & print the files.
Based on your understanding, i think you just need your link to be created immediately right after user request for file. However, you want in parallel to create PDF merge. I have idea to do that based on my understanding, and may be it could work in your situations.
First start with some logic to create unique pdf file name, with random string representing name of file. And at same time in background generate PDF, but the name of PDF should be same as you created in first step. This will give user instant name of file with link to download. However, your file creation is still in progress.
Make sure, you use threads if using PHP or event loop if using Node.JS to run both steps at same time. This will avoid 404 error for file not found.
Transferring files from EC2 to S3 would also add latency delay. But if you want to preserve files for later or multiple use in future then S3 is good idea as it could simply serve PDF files for faster delivery. As we know S3 is used for static media storage. Otherwise simply compute everything and generate files on EC2

Is it possible to resize an image when pasted into a rich text field

I am working on an xpages app, where the client wants to restrict the size of images that are pasted into the document. I have restricted docs with the upload component, but not with a pasted image.
Has anyone done anything like this?
Thanks
walt
Yes it is possible, I haven't done this but there are a few ways you could go about it.
Excuse me if you already know this, but it is worth pointing out for anyone who comes across this question in the future, RichText as we knew it from Notes/Domino is not used XPages, it is all MIME. When I started Xpages I knew nothing about MIME so after understanding it all I have written a little summary on my blog to help anyone get used to the idea. If you are going to do anything with the InputRichText control and File Uploads etc. it is worth getting familiar with MIMEEntity's.
http://camerongregor.com/2016/04/21/webmail-ui-you-must-learn-about-mime/
There are 2 ways that images can make it into the 'rich text field', either uploaded using the 'Image' button on the editor toolbar, or alternatively in some web browsers, the image can be pasted from the clipboard. The 2 different methods will include the image in 2 different ways
Uploaded
If the image is uploaded, then the image becomes a multipart/related mime entity of some sort of image/jpeg, image/png etc., related to the text/html. Between the time that the image is uploaded, and the time that the Document is saved, the image file will be located on the server's disk, in the xpages persistence folder associated with the Document e.g.
xsppers_directory/application-id/session-id/document-id/someimage.png
Pasted
When pasted the image is not uploaded as a file to the server's persistence folder, but is instead included within the text/html as a data URI image (as Stephan mentioned in the comment above).
So, if you want a true solution you will need to address both avenues.
Handling Pasted images
I have shared a plugin on my blog which blocks pasted images, so this could be used to eliminate the 'paste' avenue altogether, and force users down the upload avenue.
http://camerongregor.com/2016/11/14/preventing-pasting-of-images-in-ckeditor/
Alternatively, if you are happy with having smaller pasted images, you could just 'restrict' it by modifying the plugin so that it checks the 'length' of the data URI (as Stephan suggested above) and allows the paste if the length is below your predetermined limit.
If even more alternatively, you could find some sort of client side javascript library that will resize images and do it there in the client before the paste.
Or another server-side option is you could process the contents of the 'text/html' MIMEEntity when saving, and find any img tag's that used Data URI's and strip it out, resize the image using some server side library such as ImageMagick and replace it.
Handling Uploaded Images
For uploaded images, an intense solution would be to extend the InputRichText control (similar to how the have demonstrated in the Mastering Xpages 2nd edition) and override the processAjaxRequest event so that it resizes the image during the process of uploading of the image and putting it in the persistence folder. You could resize it there and then using something like ImageMagick.
Or a less intense version would be to process the 'pending' attachments during a before save event. If you get the DominoRichTextItem from the DominoDocument, you should be able to iterate through the Attachments, checking their attachment state, there will be a state which means 'pending/about to upload' and for these ones you can process them while they are in the persistence folder, before they are finally attached to the document.
Finally if you don't want the xpages runtime / persistence directory to be involved, you could do it all after save, just using the backend NotesDocument and MimeEntity processing. Extract the Image MimeEntities to disk, process them with ImageMagick or similar, and then re-attach them.
Someone else may have a simpler solution that I haven't thought of but at least this gives you some idea of what may be involved.

Upload image from string

If i have a filename for a local file on the computer:
$img = "deskfile:///D%3A%2FSCANS%2F%23AUKT%2Fimg2014%2F2014-06+SP%2FEPSON007.jpg"
how can i upload it the server without using the "file selector"?
If i enter the file adresses in the url window of a browser i can display the image.
But if i load the image in tag they won't display. I've read it's becuse of restrictions in the browser.
I can't add a value caluse to the either.
Is there anyway to upload the image from the string?
Or can i at least open the correct directory in the "file selector" so the user wont have the browse the whole computer when looking for the file?
Yes there is a way. You can use the File API with Html5 and/or a polyfill for this to load the image in the browser before posting it back to the server. The best such polyfill that I know of is called Moxy/Plupload. It includes Flash and Silverlight fallbacks for older browsers.
You can display the image because it is stored locally in your computer. How do you know where is the image going to be in the user's computer. The only way to access the user's file system is through the file selector, once the user has selected a file you can then use any API to save that file in the server on your terms, but you will not be able to see each of your users file system from you page (security reasons). Could you elaborate more in what you are trying to accomplish? What exactly are you trying to do?

extract URL from .swf file

I am trying to extract images from flash on the following web-site: http://meijer.shoplocal.com/meijer/default.aspx?action=entryflash&storeref=120
I noticed that every time I click on "Next image", an images is requested from sever. Sample URL is http://akimages.shoplocal.com/dyn_rppi/740.0.75.0/meijer/large/110206os_o_003_T1C1_2pw26.jpg
So, this URL is exactly what I need, but I don't know how to extract all these URLs from the .swf file I have. I don't have any experience with flash, but I think that URLs should be in the .swf file. I tried "grep '110206os_o_003_T1C1_2pw26' adspage_slider-2.swf", but didn't get any result :(((
Ivan,
Did you try a Flash decoder? It should allow you to access the code and respective resources. Another possible and easier way would be to use Fiddler2 to extract the URLs that you have clicked from the swf file. Still, before you move further, make sure that you're not breaking any of the site's Terms and Conditions.

Logging image downloads

I'm trying to find a way of finding out who is downloading what image from an image gallery. Users can download using a button beside the thumbnail or right click and use the "save link as" Is it possible to relate a user session or ID to a "save link as" action from all browsers using either PHP or JavaScript.
Yes, my preferred way of doing this would be via PHP. You'd have to set up a script which would load up the file and send it to the user browser. This script would also be able to log the download somewhere (e.g. your database).
For example - in very rough pseudo-code:
download.php
$file = $_GET['file'];
updateFileCount($file);
header('Content-Type: image/jpeg');
sendFile($file);
Then, you just have your download link point to download.php instead of the actual file. (Note that updateFileCount and sendFile are functions that you would have to provide, of course - this script is an example of a download script which you could use)
Note: I highly recommend avoiding the use of $_GET['file'] to get the whole filename - malicious users could use it to retrieve sensitive files from your web server. But the safe use of PHP downloads is a topic for another question.
You need a gateway script, like ImageDownload.php?picture=me.jpg, or something like that.
That page whould return the image bytes, as well as logging that the image is downloaded.
Because the images being saved are on their computer locally there would be no way to get that kind of information as they have already retrieved the image from your system. Even with javascript the best I know that you could do is to log each time a user presses the second mousebutton using some kind of ajax'y stuff.
I don't really like the idea, but if you wanted to log everytime someone downloaded an image you could host the images inside a flash or java app that made it a requirement to click a download image button. That way the only way for them to get the image without doing that would be to either capture packets as they came into their side or take a screenshot.
Your server access logs should already have the request for the non-thumbnailed version of the file, so you just need to modify the log format to include the sessionid, which I presume you can map back to a user.
I agree strongly with the suggestion put forward by Phill Sacre. For what you are looking for this is the way to go.
It also has the benefit of being potentially able to keep the tracked files out of the direct web path so that they can't be direct linked to.
I use this method in a client site where the images are paid content so must be restricted access.

Resources