GD Library crop image not working

Question

I am trying to crop a JPG file using the following script:

if (isset($_POST['crop_attempt'])) {

    echo($_POST['path']);

    $source_img = imagecreatefromjpeg($_POST['path']);
    $dest_img = imagecreatetruecolor($_POST['crop_w'], $_POST['crop_h']);

    imagecopy(

        $dest_img,
        $source_img,
        0,
        0,
        $_POST['crop_l'],
        $_POST['crop_t'],
        $_POST['crop_w'],
        $_POST['crop_h']

    );

    imagejpeg($dest_img, $_POST['path']);

    imagedestroy($dest_img);

    imagedestroy($source_img);
}

I am sending through the $_POST variables inside the following Javascript object via ajax:

var db_data = {
        left        :   db.offset().left - img_pos.left * ratio,
        top         :   db.offset().top - img_pos.top * ratio,
        width       :   db.width() * ratio,
        height      :   db.height() * ratio,
        crop_attempt:   true,
        path        :   $('._jsImageToCrop').attr('src')
    };

The values are all going through and I have echo'ed them out from within the PHP script, I think the problem has something to do with the imagecreatefromjpeg() function, could anyone with a bit more experience with GD library offer any help?

Thanks.

Answer 1

Consider what PHP is going to get from the AJAX call - the src attribute of the client-side element, which will be something like /some/subdir/on/your/site/kittens.jpg . You fire that value off directly to imagecreatefromjpeg() , which will look for /some/subdir/.... on your server, which doesn't exist ... because it's missing your site's DOCUMENT_ROOT, which would make the actual path /path/to/your/site/doc/root/some/subdir/.... .

You should NEVER use external data in a file-system operation like this. While you are simply passing it to imagecreatefromjpeg(), it's still insecure as you're allowing a user to provide the full path directly, meaning they could load up ANY image on your server, ANYWHERE, for which they know the path.