#3531 closed (invalid)
ImageField - possible script injection
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Database layer (models, ORM) | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | sam@… | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
ImageField field validates files using MIME which isn't 100% ok. It will allow uploading *py *php *pl or any other file extension when it will have image MIME signature at the beginning:
cat image.png code.php > upload_me.php
It's dangerous for shared hosting and other where media folders can execute scripts like PHP where <?PHP starts the code and makes the binary image part meaningless for the interpreter (could look like this).
Example: screenshot - 11.py uploaded as image. Check the extensions
Change History (4)
comment:1 by , 17 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:3 by , 17 years ago
Piotr, if you wanted to do something like that, it'd probably be better to try decoding it with PIL to see if it's a real image.
comment:4 by , 17 years ago
| Cc: | added |
|---|
Note:
See TracTickets
for help on using tickets.
Thanks for the report (and the thinking behind it), however checking externsions is a not a good way of doing security. It is approach used by Microsoft in Windows and one of the reasons it is so easy to exploit that platform. Forcing people to use particular extensions (or any extension at all) for a file is not good practice. MIME types exist to avoid this very problem.
Uploading images (or other files) into a directory where the contents are automatically executed as CGI scripts is the real problem here. It just shouldn't be done (executing files that start with garbage and looking for meaningful strings in the middle of them is another problem). There is, in general, no 100% reliable way to check that something is just an image (or other type of file -- after all, we don't just allow image uploading if you use the FileField field, for example) and not *also* a file that might be mysteriously executed by an interpreter that processes any junk it is fed. It is quite possible that an image could legitimately contain the "magic string" that triggers execution by some language interpreter.
This is security problem, but the problem is on the side of the sever doing the uploads into an executable directory (or possibly serving files with an incorrect MIME type).