
Any danger of using PHP getimagesize function?

I have this host that disables allow_url_fopen as they said it is a security risk, which in turn prevents my use of the getimagesize function because I am passing in an http URL.

My site is on WordPress and I am using getimagesize to pull in an image within the uploads folder of a WordPress site, which obviously contains http://.

So my question is: is this not safe? If it is not safe, how can this be done within a WordPress environment?

Thanks.

The security risk your host is likely thinking of is where folks will try to include() a script from a remote host. When you enable your fopen wrappers for HTTP, this typically gets enabled too. (The behavior can of course be disabled, but most hosts don't bother, and just block these requests out of an abundance of caution. Other problems exist as well.)

As far as the security of getimagesize() goes, it doesn't matter how you got your source image. cURL or fopen wrappers... makes no difference. It is mostly secure to use getimagesize() on arbitrary content, but watch out, as vulnerabilities in various image libraries have been discovered in the past.

OK, the solution is to use cURL. Something like this would work.

$filename = "http://www.example.com/example.jpg";

// Fetch the image with cURL, which works even when allow_url_fopen is off
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $filename);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$contents = curl_exec($ch);
curl_close($ch);

if ($contents === false) {
    die("Could not download the image");
}

// Decode the downloaded bytes with GD; this returns false if they are not a valid image
$new_image = imagecreatefromstring($contents);
if ($new_image === false) {
    die("Downloaded data is not a valid image");
}

// Write it out as a local JPEG so getimagesize() can read it without fopen wrappers
imagejpeg($new_image, "temp.jpg", 100);
imagedestroy($new_image);

$size = getimagesize("temp.jpg");

// width and height
$width = $size[0];
$height = $size[1];
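As an added example (not code from either answer above), the following does what the question actually needs without relying on allow_url_fopen: since the image sits in this site's own uploads folder, it maps the URL to a local path and calls getimagesize() on the file directly, and only falls back to a cURL fetch, restricted to http/https with timeouts and a size cap, measured in memory with getimagesizefromstring() instead of writing a temp file. It assumes a WordPress environment where wp_upload_dir() is available; the sample URL is constructed.

```php
<?php
// Added example; assumes WordPress (wp_upload_dir()) and a constructed sample URL.

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // refuse anything larger than 5 MiB

// Case 1: the image is in this site's uploads folder, so no remote fetch is needed.
function upload_url_to_path(string $url): ?string {
    $uploads = wp_upload_dir(); // ['basedir' => ..., 'baseurl' => ..., ...]
    if (strpos($url, $uploads['baseurl'] . '/') !== 0) {
        return null; // not one of our own uploads
    }
    $relative = substr($url, strlen($uploads['baseurl']));
    $base = realpath($uploads['basedir']);
    $path = realpath($uploads['basedir'] . $relative);
    // realpath() resolves "..", so confirm the result is still inside basedir
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Case 2: a genuinely remote image, fetched with cURL under tight limits and
// measured in memory (no temp file, no re-encoding through GD).
function remote_image_size(string $url): ?array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect must not take us elsewhere
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => MAX_IMAGE_BYTES,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200 || strlen($body) > MAX_IMAGE_BYTES) {
        return null;
    }
    $size = getimagesizefromstring($body); // false if the bytes are not an image
    return $size === false ? null : ['width' => $size[0], 'height' => $size[1], 'mime' => $size['mime']];
}

$url  = 'http://www.example.com/wp-content/uploads/2020/01/photo.jpg'; // constructed sample
$path = upload_url_to_path($url);
$info = $path !== null ? getimagesize($path) : remote_image_size($url);
var_dump($info);
```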
