Val

Reputation: 17522

php header content-type image/jpeg security question

Hi, I was wondering if the following would pose any threats? The URL is taken from the browser, checks if it's a picture and outputs it, otherwise displays "image does not exist". I haven't done the if statement yet. But should I put any more header(); settings before outputting, or are there any other suggestions that could make it a bit more secure if I have missed any?

header('content-type: image/jpeg');
$file = urlencode('http://domain.com/images/file.jpg');
ob_start();
require_once($file);
$out = ob_get_contents();
ob_end_flush();
echo $out;

Upvotes: 0

Views: 5413

Answers (2)

Orbling

Reputation: 20602

You definitely shouldn't be using require_once for that.

Use readfile().

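header('content-type: image/jpeg');
// Pass the URL unchanged: urlencode() would turn it into "http%3A%2F%2F...",
// which readfile() cannot open as a URL.
$file = 'http://domain.com/images/file.jpg';
// readfile() streams the bytes to the client; it never executes them as PHP.
readfile($file);
exit();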

Upvotes: 2

icanhasserver

Reputation: 1064

Yes, it's a huge security risk, as you're asking PHP to interpret a remote file. If a user may pass any URI to your script, he'll be able to take control of your server with ease.

You should use the cURL functions or a simple file_get_contents (or fopen) call, if the URL wrappers are available on your installation.

Upvotes: 5
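An added example, not code from the question or either answer: one way to combine the file_get_contents approach with the "check if it's a picture" step and the extra headers the question asks about. The names ALLOWED_HOSTS, ALLOWED_TYPES, fetch_image() and the `src` query parameter are hypothetical, and the code assumes the URL wrappers (allow_url_fopen) and the fileinfo extension are available.

```php
<?php
// Added example (not from the thread). ALLOWED_HOSTS, ALLOWED_TYPES,
// fetch_image() and the 'src' parameter are hypothetical names.
const ALLOWED_HOSTS = ['domain.com'];
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function fetch_image(string $url): ?array
{
    $parts = parse_url($url);
    // Only plain http(s) URLs on hosts we trust; rejects file://, php://, etc.
    if ($parts === false
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        return null;
    }

    // Read the bytes as data. Nothing here is parsed as PHP, unlike require_once.
    // Redirects are disabled so an allowed host cannot bounce us elsewhere.
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, 5 * 1024 * 1024); // 5 MiB cap
    if ($data === false || $data === '') {
        return null;
    }

    // Decide the type from the content itself, not from the URL's extension.
    $type = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if (!in_array($type, ALLOWED_TYPES, true) || @getimagesizefromstring($data) === false) {
        return null;
    }
    return ['type' => $type, 'data' => $data];
}

$image = fetch_image($_GET['src'] ?? '');
if ($image === null) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit('image does not exist');
}
header('Content-Type: ' . $image['type']);
header('Content-Length: ' . strlen($image['data']));
header('X-Content-Type-Options: nosniff'); // stop browsers re-guessing the type
echo $image['data'];
```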
