Valid JPG and HTML in one file
-
@lucas1 it acts just like any other URL.
When it's loaded and rendered as an image, scripts can't run. It's just an image.
When it's loaded and rendered as an HTML document, scripts can run as usual, subject to the usual security model, unless the server sets a header to say that they cannot. Cross-domain rules apply if it tries to interact with something that comes from a different domain than itself, just like on any other page.
In theory you could even put it in a <script src="...">. All of the same security rules would apply as any other remotely-hosted script. The real issue is when a user-uploaded file is on the same domain as the page is, which means it'll be treated like a trusted source, unless the server adds a header to say otherwise, which is what @ben_lubar did when this was discovered.
-
@anotherusername said in Valid JPG and HTML in one file:
@lucas1 it acts just like any other URL.
When it's loaded and rendered as an image, scripts can't run. It's just an image.
When it's loaded and rendered as an HTML document, scripts can run as usual, subject to the usual security model, unless the server sets a header to say that they cannot. Cross-domain rules apply if it tries to interact with something that comes from a different domain than itself, just like on any other page.
In theory you could even put it in a <script src="...">. All of the same security rules would apply as any other remotely-hosted script. The real issue is when a user-uploaded file is on the same domain as the page is, which means it'll be treated like a trusted source, unless the server adds a header to say otherwise, which is what @ben_lubar did when this was discovered.
The only "security" flaw with this would be that it would be easier to get someone to visit your page - i.e. via "view image in new tab" or similar, which normally shouldn't allow for anything other than displaying an image.
-
@anotherusername I guess the only potential flaw could be if someone (for some reason) saw the image, copied the url and did
<iframe src="http://bad.site/foo.jpg" />
But if you embed anything inside an iframe you're asking for trouble.
-
@sloosecannon said in Valid JPG and HTML in one file:
The only "security" flaw with this would be that it would be easier to get someone to visit your page - i.e. via "view image in new tab" or similar, which normally shouldn't allow for anything other than displaying an image.
That's a very slim attack vector, and if the goal is to get eyes and record hits, it's not like the server doesn't register a hit when you load the image anyway.
The real potential security flaw is that if you allow untrusted persons to upload files that contain scripts, those scripts can then run within the security framework of the domain where you're hosting them. They're of the same origin. E.g. uploads here are served from https://what.thedailywtf.com/uploads/files/*. Ordinarily there is no security in place that will prevent scripts from https://what.thedailywtf.com/uploads/files/* from running, or from interacting with the page, or from capturing the logged in user's session cookies. Not unless you explicitly set up rules on the server to add headers that say scripts aren't permitted to run, as has been done here, after the exploit was discovered. Now, since the ambiguous image/HTML only runs the scripts when it's interpreted as HTML, simply embedding the image wasn't enough to trigger them; you had to either open the URL in a new tab by clicking the embedded image, or you would've had to find a way to get it to embed as an <iframe> instead of an <img> (I wasn't able to figure out a way, the first time this came up).
-
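The defence the two posts above describe (the upload is harmless as an image, dangerous only if the browser ever treats it as a document on the same origin) comes down to a handful of response headers. The check below is an added example, not the forum's or the site's own code, and the thread does not say which header @ben_lubar actually added; the sample responses are constructed. It parses a raw response head and reports what is missing: a correct image Content-Type, X-Content-Type-Options: nosniff (so the type is not sniffed), a Content-Security-Policy that blocks scripts should the file ever be rendered as a document (the sandbox directive without allow-scripts, or script-src 'none'), Content-Disposition: attachment (so opening the URL directly downloads rather than renders), and a separate origin for uploads.

```python
"""Header check for responses that serve user-uploaded files.

Added example. The header names are real, browser-honoured headers; the
responses below are constructed for illustration.
"""

JPEG_MAGIC = b"\xff\xd8\xff"


def parse_head(raw):
    """Split a raw HTTP response head into (status line, {name: value})."""
    status, _, rest = raw.strip().partition("\n")
    headers = {}
    for line in rest.splitlines():
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return status.strip(), headers


def csp_blocks_scripts(csp):
    """True if the CSP value stops scripts from running: a 'sandbox'
    directive without allow-scripts, or script-src 'none'."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    return directives.get("script-src") == ["'none'"]


def check_upload_response(raw_head, body_prefix, served_from_app_origin):
    """Return a list of findings for a response serving an upload.
    An empty list means the response is hardened against a JPEG/HTML
    polyglot being used as a document."""
    _, h = parse_head(raw_head)
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if body_prefix.startswith(JPEG_MAGIC) and ctype != "image/jpeg":
        findings.append(f"body is a JPEG but Content-Type is {ctype or 'missing'}")
    if ctype.startswith("text/html"):
        findings.append("upload served as text/html: embedded markup becomes a document")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not csp_blocks_scripts(h.get("content-security-policy", "")):
        findings.append("CSP does not block scripts if the file is rendered as a document")
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("no Content-Disposition: attachment; opening the URL renders it inline")
    if served_from_app_origin:
        findings.append("uploads share the application's origin: scripts in them get the user's session")
    return findings


# Constructed sample response heads (not captured from any real server).
WEAK_HEAD = """HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 12345
"""

HARDENED_HEAD = """HTTP/1.1 200 OK
Content-Type: image/jpeg
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox; default-src 'none'
Content-Disposition: attachment; filename="upload.jpg"
Content-Length: 12345
"""

if __name__ == "__main__":
    for f in check_upload_response(WEAK_HEAD, b"\xff\xd8\xff\xe0", True):
        print("weak:", f)
    print("hardened:", check_upload_response(HARDENED_HEAD, b"\xff\xd8\xff\xe0", False))
```

Content-Disposition: attachment does not stop the file being embedded with <img>; it only changes what happens when the URL is opened as a top-level page, which is exactly the "open image in new tab" path discussed above. The CSP sandbox directive is what keeps a script from running even if the file does end up being parsed as HTML, and a separate uploads origin is what keeps any script that does run away from the logged in user's cookies.
-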
@bb36e The browser's security model should prevent bad.site and what.thedailywtf.com from interacting with each other, though, even if you embedded one inside the other as an iframe. But if the origin's the same, then yeah, it could do any number of bad things. Anything that a logged in user could do with a script from their browser console, basically.
-
@anotherusername said in Valid JPG and HTML in one file:
That's a very slim attack vector,
Actually, it's not. Let's say I construct an image that is an unreadably low-resolution version of, say, a screenshot. In the HTML embedded in that image, I embed another image, the higher resolution / larger version (or merely a link to another image), and in my post I add "open in new tab to embiggen". People are kinda used to doing this, so they do it, trigger the image being loaded as HTML, which shows the embedded / linked high-resolution version, a script runs changing the displayed URL, and does other badness.
You've been hit, and you don't even know it. Sure, it's not a driveby, but it's trivial social engineering.
Many sites, in fact, "helpfully" resize images, with built-in "click to display original" so all you'd need to do in that case is make the original image big enough to trigger the resizing.
-
@tufty or you could put, I dunno, an HTML file at the end of the link.
-
@tufty said in Valid JPG and HTML in one file:
Many sites, in fact, "helpfully" resize images, with built-in "click to display original" so all you'd need to do in that case is make the original image big enough to trigger the resizing.
All of which means that uploaded images ought to be run through a sanitizer to at least remove the extra crud. It probably ought to strip most legit metadata as well to prevent accidental doxxing.
-
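A sanitizer along the lines dkf describes, as an added example (not the forum's or the site's own code). It walks the JPEG marker structure, flags the two places an image/HTML polyglot can carry its markup (a COM or APPn segment, or bytes appended after the EOI marker; that the original file was built either way is my assumption, the thread does not say), and rebuilds the file keeping only the segments a decoder needs. The sample file is constructed: it is structurally a JPEG but not a decodable picture.

```python
"""JPEG polyglot detector and sanitizer (added example).

Segments a decoder needs (SOFn, DHT, DQT, DRI, SOS + scan data, EOI) are
kept; COM, APPn and JPGn segments and anything after EOI are dropped.
"""
import re
import struct
from collections import namedtuple

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
RST0, RST7, APP0, APP15 = 0xD0, 0xD7, 0xE0, 0xEF
STANDALONE = {SOI, EOI, 0x01} | set(range(RST0, RST7 + 1))  # no length field
# SOFn (0xC0-0xCF except JPG 0xC8), DQT, DNL, DRI and SOS.
KEEP = (set(range(0xC0, 0xD0)) - {0xC8}) | {0xDB, 0xDC, 0xDD, SOS}
HTML_RE = re.compile(rb"<\s*(script|html|iframe|svg|body|img)\b", re.I)

Segment = namedtuple("Segment", "marker offset payload scan")


def segment(marker, payload):
    """Encode one length-prefixed JPEG segment."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def walk_segments(data):
    """Yield Segment(marker, offset, payload, scan). For SOS, scan holds
    the entropy-coded data; bytes after EOI come back with marker None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    yield Segment(SOI, 0, b"", b"")
    pos, n = 2, len(data)
    while pos < n:
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:   # 0xFF fill bytes are allowed
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            yield Segment(EOI, start, b"", b"")
            if pos < n:                        # the polyglot's favourite spot
                yield Segment(None, pos, data[pos:], b"")
            return
        if marker in STANDALONE:
            yield Segment(marker, start, b"", b"")
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > n:
            raise ValueError(f"bad segment length at offset {pos}")
        payload, pos, scan = data[pos + 2:pos + length], pos + length, b""
        if marker == SOS:
            # Entropy-coded data runs until a marker that is neither a
            # stuffed 0xFF00 nor a restart marker RSTn.
            end = pos
            while end < n:
                if data[end] == 0xFF and end + 1 < n:
                    nxt = data[end + 1]
                    if nxt == 0x00 or RST0 <= nxt <= RST7:
                        end += 2
                        continue
                    if nxt != 0xFF:
                        break
                end += 1
            scan, pos = data[pos:end], end
        yield Segment(marker, start, payload, scan)
    raise ValueError("missing EOI")


def findings(data):
    """Report where HTML-looking content hides in a JPEG."""
    out = []
    for seg in walk_segments(data):
        if seg.marker is None:
            out.append(f"{len(seg.payload)} trailing bytes after EOI at offset {seg.offset}")
        elif (seg.marker == COM or APP0 <= seg.marker <= APP15) and HTML_RE.search(seg.payload):
            out.append(f"HTML-like markup in segment 0x{seg.marker:02X} at offset {seg.offset}")
    return out


def sanitize(data):
    """Rebuild the JPEG from decoder-essential segments only."""
    out = bytearray(b"\xff\xd8")
    for seg in walk_segments(data):
        if seg.marker in KEEP:
            out += segment(seg.marker, seg.payload) + seg.scan
        elif seg.marker == EOI:
            out += b"\xff\xd9"
            break
    return bytes(out)


# Constructed sample: JFIF header, a COM segment carrying HTML, minimal
# (non-decodable) tables and scan, then HTML appended after EOI.
SAMPLE = (
    b"\xff\xd8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(COM, b"<html><script>alert(document.cookie)</script>")
    + segment(0xDB, b"\x00" + bytes(64))
    + segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + segment(0xC4, b"\x00" + bytes(16))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
    + b"<html><script>alert(1)</script></html>"
)

if __name__ == "__main__":
    print(findings(SAMPLE))
    print(findings(sanitize(SAMPLE)))
```

Two caveats a practitioner would add. Stripping every APPn segment also throws away the EXIF orientation tag, so the pixel rotation discussed further down has to be applied before this step, and it removes the ICC profile in APP2 and the Adobe APP14 segment, which some decoders use to pick the colour transform; a production version would whitelist those two after checking they contain no markup.
-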
@Jaloopa said in Valid JPG and HTML in one file:
isn't the implication that a squirrel with no prior exposure to humans will eat out of your hand? Mostly, this only happens with island species that have no predators so aren't accustomed to being cautious. One famous example is the dodo
That can't be right. A squirrel couldn't do that because dodos don't have hands.
-
@dkf said in Valid JPG and HTML in one file:
@tufty said in Valid JPG and HTML in one file:
Many sites, in fact, "helpfully" resize images, with built-in "click to display original" so all you'd need to do in that case is make the original image big enough to trigger the resizing.
All of which means that uploaded images ought to be run through a sanitizer to at least remove the extra crud. It ~~probably ought to~~ should strip ~~most legit~~ all metadata as well to prevent accidental doxxing. (and rotate the image according to those metadata rotate hints too, because some browsers respect those hints and others don't so normalize the fuckers since we're already doing such invasive manipulation anyway)
FTFMTC
-
@accalia I'd be happy with it leaving the color profile and gamma correction in there. :p
-
@dkf And rotation. Stripping all metadata is why people post a horizontal image to a forum and it comes out vertical, because their dumb image libraries don't parse the meta-data correctly before rewriting the image.
-
@blakeyrat I believe the suggestion on the table is first to rotate the actual image pixmap according to the supplied rotation metadata (this can be done losslessly for any extant image format AFAIK) and then discard that metadata.
-
@flabdablet I don't care how they handle it as long as they don't ignore it, and ship a broken product to the customers.
-
@accalia but I like seeing the EXIF stuff sometimes... It's cool seeing what lens etc was used
-
@bb36e It was cool before they started putting your geographic location, full name, bank account data and advertising preferences in them.
-
@groo I think it's stupid to include coordinates by default in phones, but I see nothing wrong with having it as an option, e.g. flickr's photo map is a nice tool that lets you see an overview of a photographer's entire gallery through a map
Plus I'm pretty sure it also includes a copyright field, which is pretty important.
-
@bb36e Fuck that, you can save this info in a text file if you want. In an image format all I want are the pixels.
-
@groo to be pedantic I guess you could argue that JPEG is technically a digital photo format, not an image format :p
-
@groo said in Valid JPG and HTML in one file:
@bb36e Fuck that, you can save this info in a text file if you want. In an image format all I want are the pixels.
so you save all images as .RAW
and have to manually input the image dimensions and colour depth every time you view the image?
-
@groo said in Valid JPG and HTML in one file:
full name, bank account data and advertising preferences
At least my p0rn preference is safe!
-
@Luhmann said in Valid JPG and HTML in one file:
@groo said in Valid JPG and HTML in one file:
full name, bank account data and advertising preferences
At least my p0rn preference is safe!
actually no, they rolled that into your advertising preferences last decade so they could more effectively target their sexually charged advertising at you and avoid accidentally turning you off their product by showing you the wrong ad for your pr0n preferences.
-
@accalia don't forget the colour temperature and EV
-
@accalia said in Valid JPG and HTML in one file:
actually no
-
@flabdablet said in Valid JPG and HTML in one file:
rotate the actual image pixmap according to the supplied rotation metadata (this can be done losslessly for any extant image format AFAIK)
It is only possible to losslessly rotate a JPEG if the width and/or height is a multiple of the size of the minimum coded unit, typically 8x8.
-
@bb36e said in Valid JPG and HTML in one file:
@blakeyrat well it displays in basically every browser, so it seems pretty valid to me. if it wasn't valid then it wouldn't work.
Ahhhh, I see you spend a lot of time working with web frameworks. Possibly even developing them?
-
@Polygeekery my other car is a framework!
-
@accalia said in Valid JPG and HTML in one file:
and have to manually input the image dimensions and colour depth every time you view the image?
Depends on the manufacturer. Some are rawer than others.
-
@ben_lubar said in Valid JPG and HTML in one file:
@tufty or you could put, I dunno, an HTML file at the end of the link.
Click to Embiggen
vs.
Click to Embiggen
One of those should make you suspicious by the URL alone.
Of course, ever since Firefox went full idiot and got rid of the status bar, we've been slowly and surely training our users to ignore URLs. Or should I say, undoing a decade of hard work that went into training users to look at an URL before clicking it.
Fuck you Mozilla.
-
@accalia said in Valid JPG and HTML in one file:
actually no, they rolled that into your advertising preferences last decade
I thought there was no difference in @Luhmann's case.
-
@Lorne-Kates said in Valid JPG and HTML in one file:
Click to Embiggen
vs.
Click to Embiggen
One of those should make you suspicious by the URL alone.
The modern way is:
-
@Luhmann That's not a framework.
This is a framework!
https://www.youtube.com/watch?v=mbsYPXAJhxU
Around the Nürburgring. Nice bit starting at about 8:10 where some dipshit riceboy completely fails to understand how comprehensively outclassed he is.
https://www.youtube.com/watch?v=abAogAUyoTE
-
@Lorne-Kates to be fair, users transitioning to mobile are also going through the same thing
-
@dkf said in Valid JPG and HTML in one file:
@accalia said in Valid JPG and HTML in one file:
actually no, they rolled that into your advertising preferences last decade
I thought there was no difference in @Luhmann's case.
Shame there are no ads on the forum ...
-
@flabdablet
How can it be a framework when it goes properly fast?
-
@Luhmann said in Valid JPG and HTML in one file:
@flabdablet
How can it be a framework when it goes properly fast?
For a single user.
-
@dkf said in Valid JPG and HTML in one file:
@Lorne-Kates said in Valid JPG and HTML in one file:
Click to Embiggen
vs.
Click to Embiggen
One of those should make you suspicious by the URL alone.
The modern way is:
-
@groo said in Valid JPG and HTML in one file:
@bb36e Fuck that, you can save this info in a text file if you want. In an image format all I want are the pixels.
Yes, good idea. I’m already looking forward to having to remember to also send someone a bunch of files with metadata for the photographs I might want to show, so they can tell where and when I took them. Not to mention to teaching the average recipient how to make their image viewer take those metadata files into account when showing those photographs.
-
@Gurth I bet the "someone" will just use the default windows image viewer and not even imagine there is any extra information in the EXIF things, like any reasonable person.
Weirdos that want a picture to be more than a picture should use a zip file or something. I'm disgusted the standard format was distorted to accommodate this, and now we have security holes in jpeg files.
-
@groo or maybe they'd use Lightroom? OK, to be fair they might use some RAW format instead. but still, what's wrong with having metadata associated with an image? IMO, it's a perfectly valid use case for photos (seeing how the format was created by the Joint Photographic Experts Group, this makes sense) and the inclusion of the metadata in the image itself helped us avoid the problem of a dozen competing standards for standalone metadata.
imagine if Nikons, Canons, etc. used different formats for the data -- then any time you want to share that metadata (e.g. flickr, 500px) each site has to implement multiple completely different processors for that information.
-
@flabdablet Why is it just random-ass cars on the track? Including what looks like one of those larger Prius' delivering office supplies? WTF.
-
@bb36e It is a perfectly valid use case for photos, until you say "okay, your metadata can contain whatever the hell you want and be several gigs in size if you want it to"
-
@bb36e said in Valid JPG and HTML in one file:
then any time you want to share that metadata
that time is never, but now I'm exposed to the security problems these morons created
-
@Lorne-Kates said in Valid JPG and HTML in one file:
we've been slowly and surely training our users to ignore URLs. Or should I say, undoing a decade of hard work that went into training users to look at an URL before clicking it.
- Users have never looked at URLs, and they never will no matter what you do
- Looking at URLs does nothing for security so congrats on wasting everyone's times
- You're an idiot if you ever based any security around users remembering to do something
-
@anonymous234 said in Valid JPG and HTML in one file:
You're an idiot if you ever based any security around users remembering to do something
Did you remember to lock your car and take your key with you?
-
@groo My car has an RFID key, it locks itself when I walk further than about 10-15 away from it.
-
@blakeyrat but you have to remember to take it with you, right? or did you implant it under your skin?
-
@groo Well yes, but that's not hard since it never leaves my pocket ever.
-
@groo said in Valid JPG and HTML in one file:
@Gurth I bet the "someone" will just use the default windows image viewer and not even imagine there is any extra information in the EXIF things, like any reasonable person.
Weirdos that want a picture to be more than a picture should use a zip file or something. I'm disgusted the standard format was distorted to accommodate this, and now we have security holes in jpeg files.
If they did that, the next thing you know the people who design cameras would have them automatically zip up all the information that goes along with the pictures into that format, and then weirdos will want their standard image viewer to accommodate for the image files their camera natively creates.