[Resolved] Secure image content

Jocke

I´m looking for a secure way to mix html and binary data. The binary data is a streamed image.
The idea is to create a secure way to protect images from direct view (i.e http://www/image.jpg).
The image should only be displayed to authorized users.

So far, I have found several methods to display the image using fpassthru() and fopen() (among others).
The script works great, as long as the only thing output to the browser is the image itself. As soon as I add a line of html, all I see is binary data instead of an image.
This works:

$file = "/path/to/image/image.jpg"; 
$fhandle = fopen($file, "rb"); 
$fdata = fread($fhandle, filesize($file)); 
fclose($fhandle); 
Header("Content-type: image/jpeg");
echo $fdata;

This doesn't

echo "an image";
$file = "/path/to/image/image.jpg"; 
$fhandle = fopen($file, "rb"); 
$fdata = fread($fhandle, filesize($file)); 
fclose($fhandle); 
Header("Content-type: image/jpeg");
echo $fdata;

I think it has something to do with the headers. The server first sends a header telling the browser there is a textfile coming up and all of the sudden binary data appears. I did find this workaround:

<img src='image.php?image=imagefilename'>

This way I can mix html and binary data, if image.php contains something like this:

if(!empty($_GET['image']))
{
	$name = "/path/to/image/".$_GET['image'];
	$fp = fopen($name, 'rb');
	header("Content-Type: image/jpg");
	header("Content-Length: " . filesize($name));
	fpassthru($fp);
}

However, the above method leaves one weakness: a user can access the image directly, like so:
http://www/image.php?image=imagefilename.
Thereby rendering the user authentication system useless at best, at worst any file on the system can be viewed, so proper input validation is a must!
The only way I can solve this is to append the user uthentication layer to image.php. That is however, not desired. Let's say, for the sake of the argument, that multiple images will be viewed. Not very efficient to verify that the user is logged on and has access to the specific file every time image.php is called. Especially, if the access information is stored in a db.

Is there another way to mix binary and html data? This would enable me to write a file that authenticate the user only once.
So far, I´ve been running around in circles and can't find, what seems to be, a simple answer. Any thoughts?

mtmosier

I did find this workaround:
<img src='image.php?image=imagefilename'>

Thats not a workaround, thats the way it works.

proper input validation is a must!

Agreed, always.

The only way I can solve this is to append the user uthentication layer to image.php. That is however, not desired. Let's say, for the sake of the argument, that multiple images will be viewed. Not very efficient to verify that the user is logged on and has access to the specific file every time image.php is called. Especially, if the access information is stored in a db.

Most people validate once and then use sessions to avoid revalidation.

Jocke

🙂
Boy do I feel stupid. I'm currently storing the user id in sessions among other things. I don't know how I managed to overlock the usefulness of sessions in this situation. I knew the answer was sitting there right in front of me, just couldn't see it.

Well, I guess sometimes all you need is someone stating the obvious, when you're busy doing things the really complicated way. 😃 Thanks!

Weedpacket

You might want to rethink the security of your code. From what you've posted I see nothing that would stop me from requesting

../../../etc/passwd

(for a suitable number of "../" which can be found by trial-and-error) or any other guess at any other file on your server that takes my fancy.

Jocke

Good point, weedpacket. I did consider that possibility, and I did use input validation to take care of that vulnerability. I just didn't add the code to my post, since it was getting rather large anyway.

Among other things, slashes are searched for and striped. Here is a short example from the class that performs the input validation.


$file = $_GET['image'];

$str = stripSpecialCharacters($file);
if($str == $file)
{
//valid input, do something here
}
function stripSpecialCharacters($str)
{
	$str = str_replace (";","",$str);
	$str = str_replace ( "/","",$str);
	$str = str_replace ( "*","",$str);
	$str = str_replace ( "`","",$str);
	$str = str_replace ( "|","",$str);
	$str = str_replace ( "%","",$str);
	return $str;
}

Future improvements to this code includes some sort of log function. After all, I do want to know if, and how, someone is probing my site in an attempt to hack it. In that case I probably need to replace the str_replace() function with something more convienient.

Weedpacket

Just to check; where do these images come from? If they're uploaded and you're saving them under (what they claim to be) their original name, then that could cause problems.

But even so; I think a safer method would be to scan the image directory to get a list of the image files there, and only allow requests for images in that list. Doing that you also get a "the requested file exists" test for free. Easier would be to only allow certain characters in filenames, and bin any request that contains any other characters. But then you need to do the file_exists() test explicitly.

Whichever way, it's generally safer to limit input data to what you know is safe than try to anticipate every way in which it could be unsafe.

Jocke

But even so; I think a safer method would be to scan the image directory to get a list of the image files there, and only allow requests for images in that list. Doing that you also get a "the requested file exists" test for free.

I agree. I'll look into that method.