php re-process image with slightest loss for sanitation

[leom]

Hi,

I'm creating an image upload for users with php.

I'd like the uploaded images to be re-processed by imagick in order to sanitize them from malicious code and to validate them as actual images and to get rid of EXIF data.

I was looking for a imagick function that scales or resizes the image to 100% in order to re-process it with the slightest loss, but I couldn't find a method in php to scale/resize it percentually.

My question:
Do you know a good method for re-processing the image with the slightest loss?

Many thanks!

[GreenKoopa]

Since you asked, although I don't think this is really want you need. On the command line you can resize to 100%.
convert in.jpg -resize 100% out.jpg

You may want to use -strip.

identify could tell you if a file was an actual image.

Documentation on scripting, including php and security:
http://www.imagemagick.org/Usage/api/

[Bonzo]

I think he wants to use Imagick GreenKoopa and not Imagemagick with the command line. Imagick has a limited amount of options and it looks like resizing by percent is not one of them.

I suppose he could use something like:

Code: Select all

<?php 
$input = 'input.jpg';

$size = getimagesize( $input);

$width = $size[0]*2;
$height = $size[1]*2;

$im = new Imagick( $input ); 
$im->thumbnailImage( $width, $height, TRUE ); 
$im->writeImage( "output.jpg" ); 
$im->destroy(); 
 ?> 

[GreenKoopa]

By "I don't think this is really want you need" I meant to ask if an image could be sanitized from malicious code by resizing? I don't know much about image security, so I'm not clear on the leom's need. If leom is just trying to add noise to an image, there are many other ways to do it.

[leom]

I think he wants to use Imagick GreenKoopa and not Imagemagick with the command line. Imagick has a limited amount of options and it looks like resizing by percent is not one of them.

correct!

Code: Select all

<?php
$input = 'input.jpg';

$size = getimagesize( $input);

$width = $size[0];
$height = $size[1];

$im = new Imagick( $input );
$im->thumbnailImage( $width, $height, TRUE );
$im->writeImage( "output.jpg" );
$im->destroy();
 ?> 

That works just fine!
I was thinking, that if I render an Image like that, possible malicious code that is within the exif/idf0 gets stripped off, as malicious code that is inside the image itself gets lost be rendering the image into a new one?

You may want to use -strip.

Should I use -strip before rendering the image for extra security or would that be redundant?

identify could tell you if a file was an actual image.

right now I use php mime-type check to identify the files and the second line to check file extension

Code: Select all

$_FILES["upload_file"]["type"] == wanted format;

$extensio = pathinfo($upload_file, PATHINFO_EXTENSION);

How about an extra check with imagick here?

By "I don't think this is really want you need" I meant to ask if an image could be sanitized from malicious code by resizing? I don't know much about image security, so I'm not clear on the leom's need. If leom is just trying to add noise to an image, there are many other ways to do it.

I read that re-rendering an image with imagick/GD etc. is an very effectiv way to sanitize images, because the resulting image gets a complete new binary-code. If there was malicious code within the image it gets destroyed by the process.

I was thinking that a resize to 100% is a way of rendering the image to a new one with the least loss of quality.