What should I be aware of when allowing users to upload images via a URL?

I'm working on a site where users can post notes. I'm considering allowing users to post images by providing a url to the image (ie not uploading it via a form).

However, I've learned that this can be used to do some kind of hacking, for example, users can paste an url that is not an image, so when the page w开发者_高级运维as load, a GET request will be made to that url.

I'd like to know:

1. what other malicious things could be done and how can I stop them?

2. is there an easy way (just use JavaScript) to check if an url is an image?

There are a lot of issues to be concerned with when allowing users to upload arbitrary files to a server (which this is).

Firstly, you need to make sure the file is an image, and can only be accessed as an image (ie not executed as a script)

Secondly, the image can't be too large or act as a DoS to users or the server

Thirdly, you need to make sure you save the image in a secure way such that users can't overwrite sensitive files.

Fourthly, serve all uploaded content from a different origin than your primary content. Not only is this more secure, it can also be faster (no cookies)

Fifth, ensure you use ImageMagick or GD to process the images to remove any unwanted data in the image. Remember that image files could be used as containers for more than just visible data.

Six: Be aware of path injection, LFI, RFI, etc attacks

Seven: Don't rely on the extension to tell you what type of file an image is. Check this yourself.

However, I've learned that this can be used to do some kind of hacking, for example, users can paste an url that is not an image, so when the page was load, a GET request will be made to that url.

Are users going to be pasting a link to an image or uploading a file from their own computer?

1. what else hacking things could be done with this?

Let's put it this way: the users are uploading arbitrary files to your server

1. is there an easy way(just use JavaScript) to check if an url is an image?

Not really, and it wouldn't help. You want to do server side checking

List of things for you to read:

http://www.scriptygoddess.com/archives/2004/10/19/gifs-that-execute-a-php-script/

There are more issues...

If you embed a unknown URL as an image in HTML, the get request to this URL will be done either way, independent of it really being an image or not.

The question is whether this could do some damage, by either

• revealing to the image's server that it (and the page it is embedded in) is being looked at (you can't really avoid this without copying the image to your server)
• running a script on the image's server with the user context of the current viewer (who might be logged in there, and would not do something like this voluntarily), doing something different depending on the viewer (and potentially indirectly harmful to the viewer). You could avoid this by proxying the access, or copying the image to your server.)
• or being misinterpreted by the user's browser as a script or other harmful content, doing strange things to the look of your page or even more malicious things. I think this is what most browsers try to protect against by cross-site access policies. This could be actually worse if you copied the image to your server.