user228427

Reputation: 23

Process uploaded animated gif for security

We are working on a website to allow animated GIF upload. To ensure the image is indeed an image and without malware/virus/backdoor/trojan or anything other than image data itself, we try to recreate the original image.

However, the process itself will take some time when there are lots of frames inside. Is there any other way to ensure an uploaded animated GIF file is free from the issues mentioned above?

Upvotes: 2

Views: 720

Answers (1)

SilverlightFox

Reputation: 33578

You can never 100% guarantee that a file does not contain malware - even with your approach there is the chance that the gif contains some code that could be malicious simply by opening the image in a vulnerable viewer.

That said, the chances are low and you can expect these sorts of bugs to be patched fairly quickly in most modern operating systems.

There are various checks you can do on uploaded files though that take less processing time:

  • Check the file name extension is what you expect - ignore the content-type at upload stage though as this can be spoofed.
  • Virus scan all uploaded files with a virus scanner with up-to-date definitions.
  • Do not store the files in a location where they can be executed - e.g. do not store in the web root (www.example.com/uploads/image.aspx).
  • Serve the files via a program or script that reads them from storage as data and then streams the output to the browser.
  • When serving the files, ensure the correct content-type, and if possible, filename extension is set correctly. Use Content-Disposition to set the name the browser will use:

    Content-Disposition: attachment; filename="fname.ext"

Upvotes: 1
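
The checks listed in the answer above, as an added Python example that is not part of the original answer. The function names, the storage directory (assumed to sit outside the web root) and the GIF signature check are assumptions of this example; the signature check goes one step beyond the answer's list.

```python
import os
import re
import secrets

ALLOWED_EXT = {".gif"}               # extensions this site accepts
GIF_MAGIC = (b"GIF87a", b"GIF89a")   # extra cheap check, not from the answer

def accept_upload(client_name, client_content_type, data, store_dir):
    """Validate an upload and store it as inert data; return the stored name."""
    # client_content_type is deliberately ignored: the client controls it.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("unexpected file name extension")
    if not data.startswith(GIF_MAGIC):
        raise ValueError("content does not start with a GIF signature")
    # A virus scan of `data` would run here, before anything is stored.
    # Server-generated name: the client's name never reaches the filesystem.
    stored = secrets.token_hex(16) + ".gif"
    with open(os.path.join(store_dir, stored), "xb") as fh:
        fh.write(data)
    return stored

def safe_download_name(client_name):
    """Reduce a client-supplied name to a header-safe name ending in .gif."""
    base = os.path.basename(client_name.replace("\\", "/"))
    stem = os.path.splitext(base)[0]
    # Dropping quotes, CR/LF and separators prevents header injection.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "image"
    return stem + ".gif"

def serve(stored, client_name, store_dir):
    """Read the stored file as data; return (headers, body) for the response."""
    if not re.fullmatch(r"[0-9a-f]{32}\.gif", stored):
        raise ValueError("not a name this server generated")
    with open(os.path.join(store_dir, stored), "rb") as fh:
        body = fh.read()
    disposition = 'attachment; filename="%s"' % safe_download_name(client_name)
    headers = {
        "Content-Type": "image/gif",   # fixed by the server, never echoed back
        "Content-Disposition": disposition,
        "Content-Length": str(len(body)),
    }
    return headers, body
```

The client's original name would be kept in a database row next to the stored name and only ever passed through `safe_download_name` on the way out.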
