+1 vote
857 views
in Q2A Core by
closed by

I checked qa_blobs table and see that the uploaded images are in file format PNG. However, q2a displays them as BMP? Is this a bug?

Check this example graphic, if you save it, it has extension BMP and is quite big:

However, it was uploaded as PNG!

closed with the note: solved http://question2answer.org/qa/18792/
by
That is strange. If you check the image headers (e.g. web-sniffer.net) it says the mime type is image/png.
But the image itself must be a .bmp because of the file size. If I open it and save as a .png it's only 7KB.

Possibly some problem with uploading.
by
Problem must be a bug then? I have not modified the php classes for images / uploads.

Besides, I emailed the user and asked what kind of software he is/was using to save the images.

PS/Idea: Could it be that he just *renamed* the BMP to PNG to be allowed to upload??!
by
edited by
The user mailed back and just said "he used Paint". I am quite certain that he just renamed the BMP to PNG, as I tried it just now, and it works! Uploaded a BMP by changing the extension to .PNG - so I guess we need to check the file *content* serverside and convert the BMP to PNG.

This brings up the necessity to check on each uploaded file if it is really an image -> "You could use getimagesize() which returns zeros for size on non-images." ... we definitely should add this to qa-wysiwyg-upload.php

Maybe this is even a security leak?

I just tried: Renamed a PDF to PNG, ckeditor uploaded it!
by
To verify that it is an image I added after line 101 of qa-wysiwyg-upload.php:

if (empty($message)) {
    // getimagesize() returns false when the file content is not a readable image
    if (getimagesize($file['tmp_name']) === false) {
        $message=qa_lang_sub('main/image_not_read', 'GIF, JPG, PNG');
    }
}

This prevents uploads of non-images even if they have an image file extension.
by
edited by
The following is even better, as it checks whether the file's content is GIF, JPG or PNG:

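if (empty($message)) {
    // getimagesize() returns false for non-images, so guard before reading 'mime'
    $fileImgCheck = getimagesize($file['tmp_name']);
    $fileImgMime = is_array($fileImgCheck) ? $fileImgCheck['mime'] : '';
    switch ($fileImgMime) {
        case "image/gif":
        case "image/jpeg":
        case "image/png":
            break;

        default:
            $message=qa_lang_sub('main/image_not_read', 'GIF, JPG, PNG');
            break;
    }
}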

I opened a "ticket" for gidgreen at: http://question2answer.org/qa/18792/adding-image-verification-to-file-upload-wysiwyg-upload-php
...
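The content check discussed in this thread, as an added stand-alone example that is not part of the original posts or of Question2Answer's code: it allowlists on the image type `getimagesize()` detects rather than on the file name, so a BMP or PDF renamed to `.png` is rejected. The function name `allowed_image_kind` and the three sample files are assumptions constructed for the demonstration.

```php
<?php
/**
 * Hypothetical helper: returns 'gif', 'jpeg' or 'png' when the file CONTENT
 * is one of those formats, or null otherwise. The file name is never consulted.
 */
function allowed_image_kind(string $path): ?string
{
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpeg', IMAGETYPE_PNG => 'png'];

    $info = @getimagesize($path);          // false when the content is not an image
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;                       // not an image, or zero width/height
    }
    // $info[2] is the detected IMAGETYPE_* constant; a BMP is a valid image
    // but is not in the allowlist, so it is rejected here.
    return $allowed[$info[2]] ?? null;
}

// --- Constructed sample content (not real user uploads) ---
// A 1x1 PNG.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
// A 1x1 24-bit BMP: 14-byte file header, 40-byte BITMAPINFOHEADER, one padded pixel row.
$bmp = 'BM' . pack('VvvV', 58, 0, 0, 54)
     . pack('VVVvvVVVVVV', 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
     . "\x00\x00\xff\x00";
// The start of a PDF document.
$pdf = "%PDF-1.4\n%%EOF\n";

// Every sample gets a .png name, mirroring the renamed uploads in the thread.
$samples = ['real.png' => $png, 'renamed_bmp.png' => $bmp, 'renamed_pdf.png' => $pdf];

$dir = sys_get_temp_dir() . '/upload_check_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach ($samples as $name => $bytes) {
    $path = "$dir/$name";
    file_put_contents($path, $bytes);
    $kind = allowed_image_kind($path);
    printf("%-16s %s\n", $name, $kind === null ? 'rejected' : "accepted as $kind");
    unlink($path);
}
rmdir($dir);
```

Comparing the `IMAGETYPE_*` constant avoids depending on the exact MIME string reported for BMP, which has differed between PHP versions.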