- <?php
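class SecureImage
{
    /**
     * Re-encodes an uploaded image through GD so that only pixel data survives.
     *
     * The checks in verifyImageType() (extension whitelist, header sniff via
     * getimagesize(), optional dimension limits, optional strict agreement
     * between extension and detected type) are a cheap first filter. The real
     * protection is createSecureImage() + writeImageToFile(): the upload is
     * decoded and written out again, which drops any bytes a parser-confusion
     * payload (polyglot / "GIFAR"-style files, trailing junk, metadata) relied on.
     *
     * Error codes returned by getSecureImage():
     *   1 - GD could not decode the image
     *   2 - wider than the configured maximum width
     *   3 - taller than the configured maximum height
     *   4 - extension not in the whitelist
     *   5 - file not readable, or not recognised as an image by getimagesize()
     *   6 - strict mode: extension disagrees with the detected image type
     *
     * @author - RyanTheGreat
     * @information - Secure Image class designed to secure images for storage on server
     * @lastmodified - 10/5/2010
     * @majorchanges - None
     * @filelocation - webroot/includes/classes
     */

    // Path of the uploaded file (what getimagesize()/imagecreatefrom*() read).
    protected $_imgOriginalImage;
    // GD image handle produced by createSecureImage(); null until then and after writeImageToFile().
    protected $_imgSecureImage;
    // File name as supplied by the user. Untrusted: only its extension is consulted,
    // and it must never be used as a filesystem path.
    protected $_strOriginalName;
    // When true, the extension must match the type getimagesize() detects.
    protected $_boolStrict;
    // Whitelisted extension (lower-case, with dot) once verifyImageType() accepted it.
    protected $_approvedExtension;
    // Maximum header-declared width/height; 0 disables the check.
    protected $_intMaxWidth;
    protected $_intMaxHeight;
    // Extensions accepted by verifyImageType(). Anything added here also needs a
    // loader in createSecureImage(), a writer in writeImageToFile() and an entry
    // in the strict-mode type map, otherwise it is rejected further down the line.
    protected $_allowedExtensions = array('.jpg', '.jpeg', '.gif', '.png');

    /**
     * @param string $imgOriginalImage path of the image on disk (typically the upload's tmp_name)
     * @param string $strImageName     user-supplied original file name (used for its extension only)
     * @param bool   $boolStrict       require the extension to agree with the detected image type
     * @param int    $intMaxWidth      maximum allowed width, 0 = unlimited
     * @param int    $intMaxHeight     maximum allowed height, 0 = unlimited
     */
    public function __construct($imgOriginalImage, $strImageName, $boolStrict, $intMaxWidth = 0, $intMaxHeight = 0)
    {
        $this->_imgOriginalImage = $imgOriginalImage;
        $this->_strOriginalName = $strImageName;
        $this->_boolStrict = $boolStrict;
        $this->_intMaxWidth = $intMaxWidth;
        $this->_intMaxHeight = $intMaxHeight;
    }

    /**
     * Public entry point: validate, then decode the image through GD.
     *
     * @return array|int array(GD image, approved extension, original name) on success,
     *                   otherwise one of the integer error codes listed on the class.
     *                   The original name is returned for display/reference only.
     */
    public function getSecureImage()
    {
        $passedCheck = $this->verifyImageType($this->_imgOriginalImage, $this->_strOriginalName);
        if ($passedCheck !== true) {
            return $passedCheck;
        }
        // Passed the cheap checks; decoding through GD is what actually discards hostile bytes.
        if (!$this->createSecureImage()) {
            return 1;
        }
        // Fixed: the original referenced the undefined properties _imgSecureImages and
        // strOrignalName here, so the success path returned two nulls.
        return array($this->_imgSecureImage, $this->_approvedExtension, $this->_strOriginalName);
    }

    /**
     * Decodes the original file into a fresh GD image based on the approved extension.
     *
     * Re-encoding from this handle protects against attacks on parsers that read a
     * header from the top and ignore junk at the bottom (maliciously crafted images,
     * GIFARs, etc.). Note that GD decodes only the first frame of an animated GIF,
     * so animation does not survive the round trip.
     *
     * @return bool false when the extension is unknown or GD rejected the data
     */
    protected function createSecureImage()
    {
        switch ($this->_approvedExtension) {
            case '.jpg':
            case '.jpeg':
                $image = imagecreatefromjpeg($this->_imgOriginalImage);
                break;
            case '.gif':
                $image = imagecreatefromgif($this->_imgOriginalImage);
                break;
            case '.png':
                $image = imagecreatefrompng($this->_imgOriginalImage);
                if ($image !== false) {
                    // Without this flag imagepng() discards the alpha channel on re-encode.
                    imagesavealpha($image, true);
                }
                break;
            default:
                // verifyImageType() has not approved an extension (or an extension was
                // whitelisted without a loader being added here).
                return false;
        }
        if ($image === false) {
            return false;
        }
        $this->_imgSecureImage = $image;
        return true;
    }

    /**
     * Writes the re-encoded image to $saveLocation, or to the output buffer when null.
     *
     * Choose $saveLocation on the server side (e.g. a generated name plus
     * $this->_approvedExtension); do not derive it from the user-supplied original
     * name. When streaming to the buffer, send a Content-Type matching the
     * approved extension before calling this. The GD handle is released afterwards,
     * so a second call returns false.
     *
     * @param string|null $saveLocation destination path, or null for the output buffer
     * @return bool true when GD reported a successful write
     */
    public function writeImageToFile($saveLocation = NULL)
    {
        if (!$this->_imgSecureImage) {
            // Nothing decoded: getSecureImage() was not called, failed, or the image was already written.
            return false;
        }
        switch ($this->_approvedExtension) {
            case '.jpg':
            case '.jpeg':
                // Fixed: the original tested the undefined _allowedExtension for '.jpeg',
                // so .jpeg uploads always fell through to the failure branch.
                $written = imagejpeg($this->_imgSecureImage, $saveLocation);
                break;
            case '.gif':
                $written = imagegif($this->_imgSecureImage, $saveLocation);
                break;
            case '.png':
                $written = imagepng($this->_imgSecureImage, $saveLocation);
                break;
            default:
                return false;
        }
        imagedestroy($this->_imgSecureImage);
        $this->_imgSecureImage = null;
        return $written;
    }

    /**
     * Validates the upload by extension, header sniff and optional dimension limits.
     *
     * getimagesize() only parses the header, so on its own it is easily spoofed; it is
     * used here as defense in depth, the re-encode in createSecureImage() is the real guard.
     *
     * @param string $imgVerifyImage path of the file to inspect
     * @param string $strVerifyName  user-supplied name whose extension is checked
     * @return bool|int true when accepted, otherwise an error code (2-6, see class doc)
     */
    protected function verifyImageType($imgVerifyImage, $strVerifyName)
    {
        // Header sniff first, so the checks below never index into a false result
        // (the original ran the dimension checks before this test). Only local,
        // readable paths are accepted, which also avoids getimagesize() warnings.
        $imgData = is_readable($imgVerifyImage) ? getimagesize($imgVerifyImage) : false;
        if ($imgData === false || empty($imgData)) {
            // Failed a basic test for image headers, definitely a no-go.
            return 5;
        }

        // Header-declared dimensions. These limits matter beyond layout: decoding in
        // createSecureImage() allocates memory proportional to width*height, so a tiny
        // file claiming huge dimensions is best rejected here. Width and height are
        // checked independently (the original's else-if skipped the height check
        // whenever a maximum width was configured).
        if ($this->_intMaxWidth > 0 && $imgData[0] > $this->_intMaxWidth) {
            return 2;
        }
        if ($this->_intMaxHeight > 0 && $imgData[1] > $this->_intMaxHeight) {
            return 3;
        }

        // Verify the extension is among the approved ones (case-insensitive, strict compare).
        $dotPos = strrpos($strVerifyName, '.');
        $extension = $dotPos === false ? '' : strtolower(trim(substr($strVerifyName, $dotPos)));
        if (!in_array($extension, $this->_allowedExtensions, true)) {
            return 4;
        }
        $this->_approvedExtension = $extension;

        if ($this->_boolStrict) {
            // getimagesize() reports IMAGETYPE_* constants. The original compared them against
            // the IMG_* bitmask constants of imagetypes(), where IMG_PNG (4) != IMAGETYPE_PNG (3),
            // so every PNG failed strict mode while an IMAGETYPE_SWF header (4) passed as PNG.
            // It also returned IMG_PNG (4) on mismatch, colliding with the extension error code.
            $expectedTypes = array(
                '.jpg'  => IMAGETYPE_JPEG,
                '.jpeg' => IMAGETYPE_JPEG,
                '.gif'  => IMAGETYPE_GIF,
                '.png'  => IMAGETYPE_PNG,
            );
            // An extension whitelisted without an entry here is rejected in strict mode.
            if (!isset($expectedTypes[$extension]) || $imgData[2] !== $expectedTypes[$extension]) {
                return 6;
            }
        }
        return true;
    }
}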
- ?>