php header content-type image/jpeg security question
Question
Hi I was wondering if the following would pose any threats ? The url is take from the browser checks if its a picture and output it otherwise display "image does not exist". I haven't done the if statement yet. But should i put anymore header(); settings before outputting or any other suggestions that could make it a bit more secure if I have missed any.
header('content-type: image/jpeg');
$file = urlencode('http://domain.com/images/file.jpg');
ob_start();
require_once($file);
$out = ob_get_contents();
ob_end_flush();
echo $out;
2 answers
solution1
5 ACCPTED 2010-11-19 14:23:56
Yes it's a huge security risk, as you're asking PHP to interprete a remote file. If a user may pass any URI to your script, he'll be able to make control of your server with ease.
You should use the cURL functions or a simple file_get_contents (or fopen ) call, if the URL wrappers are available on your installation.
solution2
2 2010-11-19 14:26:08
You definitely shouldn't be using require_once for that.
Use readfile() .
header('content-type: image/jpeg');
$file = urlencode('http://domain.com/images/file.jpg');
readfile($file);
exit();
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.