Question
Is deleting the EXIF data from images using PHP enough to prevent malicious code from being executed on a server?
I want to protect the server against the practices described in this blog post:
    <?php
    // Decode the upload with GD and write a fresh JPEG from the decoded pixels.
    $img = imagecreatefromjpeg('malicious_codes.jpg');
    if ($img === false) {
        exit('Not a valid JPEG');
    }
    $w = imagesx($img);
    $h = imagesy($img);
    // If the image declares a transparent color, flatten it onto that color.
    $trans = imagecolortransparent($img);
    if ($trans >= 0) {
        $rgb = imagecolorsforindex($img, $trans);
        $oldimg = $img;
        $img = imagecreatetruecolor($w, $h);
        $color = imagecolorallocate($img, $rgb['red'], $rgb['green'], $rgb['blue']);
        imagefilledrectangle($img, 0, 0, $w, $h, $color);
        imagecopy($img, $oldimg, 0, 0, 0, 0, $w, $h);
    }
    imagejpeg($img, 'safe_image.jpg');
    ?>
Answer 1:
This will show you the EXIF information from a JPEG file in PHP:
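    $uploadfile = "uploaded/pic.jpg";
    // exif_read_data() returns false when no EXIF data can be read
    $exif = exif_read_data($uploadfile, 0, true);
    echo "<b>Your file</b><br />\n";
    if ($exif !== false) {
        foreach ($exif as $key => $section) {
            foreach ($section as $name => $val) {
                // EXIF values come from the uploader: flatten arrays and escape before output
                $val = htmlspecialchars(is_array($val) ? implode(', ', $val) : (string) $val);
                echo "$key.$name: $val<br />\n";
            }
        }
    }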
And this piece of code should delete all EXIF information:
    // stripImage() removes all profiles and comments, then the file is overwritten
    $img = new Imagick($uploadfile);
    $img->stripImage();
    $img->writeImage($uploadfile);
You can try it here: https://iconnaut.com/exif.php
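A way to check the result of either approach above, as an added example that is not part of the original question or answers: it re-encodes a JPEG with GD, as the question's code does, then walks the marker segments to list the metadata carriers (APPn and COM) present before and after. The sample image and payload string are constructed, and the function names `jpegMetadataSegments` and `reencodeJpeg` are hypothetical.

```php
<?php
// Added example, not from the original post. Requires the GD extension.
// Walk the marker segments before start-of-scan and describe those that can
// carry arbitrary bytes: APPn (0xE0-0xEF; EXIF is APP1) and COM (0xFE).
function jpegMetadataSegments(string $data): array
{
    if (strncmp($data, "\xFF\xD8", 2) !== 0) {
        throw new InvalidArgumentException('not a JPEG (missing SOI marker)');
    }
    $found = [];
    for ($pos = 2, $len = strlen($data); $pos + 4 <= $len; ) {
        $marker = ord($data[$pos + 1]);
        if ($marker === 0xFF) { $pos++; continue; }      // fill byte before a marker
        if ($marker === 0xDA) { break; }                 // SOS: compressed data follows
        $size = unpack('n', $data, $pos + 2)[1];         // length field counts itself
        if ($data[$pos] !== "\xFF" || $size < 2 || $pos + 2 + $size > $len) {
            throw new RuntimeException("malformed segment at offset $pos");
        }
        if ($marker === 0xFE || ($marker >= 0xE0 && $marker <= 0xEF)) {
            $name = $marker === 0xFE ? 'COM' : 'APP' . ($marker - 0xE0);
            $found[] = sprintf('%s (%d bytes)', $name, $size - 2);
        }
        $pos += 2 + $size;
    }
    return $found;
}

// Decode to pixels and encode again, as the question's GD code does.
function reencodeJpeg(string $data): string
{
    $img = imagecreatefromstring($data);
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    ob_start();
    imagejpeg($img);
    return ob_get_clean();
}
// Constructed sample: an 8x8 JPEG with an APP1 (Exif) and a COM segment inserted.
$payload = 'CONSTRUCTED-METADATA-PAYLOAD';   // harmless placeholder text
ob_start();
imagejpeg(imagecreatetruecolor(8, 8));
$base = ob_get_clean();
$dirty = "\xFF\xD8\xFF\xE1" . pack('n', 8 + strlen($payload)) . "Exif\0\0" . $payload
       . "\xFF\xFE" . pack('n', 2 + strlen($payload)) . $payload . substr($base, 2);
foreach (['uploaded' => $dirty, 're-encoded' => reencodeJpeg($dirty)] as $label => $bytes) {
    printf("%-10s payload present: %s; segments: %s\n", $label,
        strpos($bytes, $payload) === false ? 'no' : 'yes', implode(', ', jpegMetadataSegments($bytes)));
}
```

Segments the encoder writes itself (for example a JFIF APP0 header) may still be listed for the re-encoded file. The check covers metadata segments only; how the stored file is named and served is a separate control.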
Answer 2:
I think that if you manipulate the image in any way (resizing, for example), it loses some EXIF data. At least, this happened in an example in Java.
There is also an example HERE using ExifTool.
EDIT:
See this post: Remove EXIF data from JPG using PHP
Source: https://stackoverflow.com/questions/19812383/php-remove-exif-data-from-images