Just another Perl shrine | |
PerlMonks |
Re: virus scanning uploaded imagesby tye (Sage) |
on Sep 16, 2004 at 04:04 UTC ( [id://391360]=note: print w/replies, xml ) | Need Help?? |
I think your computer sucks if it is running code inside of images, whether it is virus code or not. We already ensure that uploads are always tagged as non-executable. That should be enough. I could imagine a version of MS IE being so broken as to notice that a data stream tagged as "image/gif" actually is the data from an MS Word document containing a macro virus, for example. But I think even they've been burned enough and this would be such a blatant securiy hole, that I'm not worried about it happening (and even if it did, I wouldn't care if an exploit got uploaded -- the blame would be all on the idiots who decided to *run* *data*). Update: Ah, buffer overruns. *sigh* I consider virus scanners the wrong solution to just about any problem. At level 5, the risk seems quite slim. I still vote 'no'. Now, an efficient image format validator would be a better solution here (so long as it doesn't have a buffer overrun bug in it...). - tye
In Section
Inner Scriptorium
|
|