Is it important to verify that the uploaded file is an actual image file?

Let's say you could upload any file you wished to a server, but the file extension MUST be ".jpg". Would you be able to upload anything that could harm the server?

The point of my question is that file type verification is slow, and I would rather only have to check the file extension if that is secure enough. I am having trouble imagining a scenario where malware disguised as an image could be used.

I have seen recommendations for using getimagesize() to verify an image, but this function is pretty slow, and I cannot figure out if it is necessary开发者_开发百科, or even effective, for preventing malware uploads...

Any information on this is greatly appreciated.

For testing the security of images, I really only use one method: just re-create the image with GD or whatever image processing library you're using, and use the new image.

This should make the file perfectly secure if you have updated versions of your library.

It may make your stuff a bit slower, but the safer the better.

Just checking if there is a '.jpg' at the end of a file name will do nothing. The file can still be any type of file.

Hope this helped!

It seems like only checking the extension is unsafe. Harmful to the server? Hard to say, without knowing the server OS, permissions on the uploaded files, etc.. You definitely don't want to allow these to be executed. It's certainly easily abused by allowing users to upload non-images, then they just rename to what it really is when their friends download it. This is how you find yourself unwittingly hosted pirated movies, warez, etc..

If you think getimagesize() is a bit too slow (because all uploads are done in super highspeed as we know ;) ) you can try the fileinfo library as well. It inspects at least some bytes within the file. It's pretty fast, I use it every day for hundreds of files in an app that should run speedy and it does.

However, what you don't verify you don't know. So probably first checking extension, ensure a safe filename and a safe store and that they are properly send out to the client.

Before letting any image library touch it (and this should include those on the computers of your site's users), for security reasons the file should be scanned by a virus scanner. That's much more slow compared to getimagesize(), others suggest to take a look into the file for any occurance of <?php as well to prevent uploading as payload. Naturally this includes checking for phar files if inclusion is not prevented via the PHP installations security settings (e.g. by suhosin)

Next to on-demand virus scanning, stored files should be checked from time to time again and again because of formerly unknown exploits.

So part of this is always a background job. But even the on demand real-time checks often do not take that much time unless your application does uploads all the time. You might want to introduce some upload-queue, so the upload is already done but the file get's available to the uploader after the necessary tasks have been run.

Another side-effect of not checking whether it's an image or not is when, and if, you need to display it somewhere on the website (in user profile, on front page, etc) then if it's not really an image, it will appear broken, and thus, your site will appear broken.

As for malware being injected, that depends on your server configuration. If it hasn't been updated to secure holes and exploits then yes, malware can infiltrate through (even though that's rare, but possible).