How to check the format and security of images in Java

This article from Feng Libin's blog, the original address: http://www.fenglibin.com/use_java_to_check_images_type_and_security.html

I. Generally, you can verify whether a file is an image in the following three ways:

1) Determine whether the file extension is the required image Extension

This kind of judgment is a lot of method, but this method is very inappropriate. Others slightly change the extension of a file that is not an image to the image extension, this verification is bypassed. If the uploaded file is shell, PHP, or JSP, then your website can be basically put in the hands of others.

However, this method is not completely useless. We can place it in the outermost layer of the image. If the extension name of a file is not the image extension we require, therefore, we do not need to check the subsequent content format. To a certain extent, this helps reduce the pressure on servers, otherwise, all the files will be determined by the server after being uploaded, which will waste some resources.

2) based on the first few bytes of the file, that is, the magic number, you can determine the first several bytes of different file types. You can check my other website introduction: the magic number of different file types.

However, this method is very unreliable because it can only verify the first few bytes of the file. If someone modifies the extension of an executable PHP file to PNG, then add the "89 50" two bytes in front, and then bypass this authentication method.

The following is an example program that uses Java code to obtain the first two bytes of a file:

[Java]
View plaincopyprint?

1. Import java. Io. file;
2. Import java. Io. fileinputstream;
3. Import java. Io. ioexception;
4. Import java. Io. inputstream;
6. Public class imagetypecheck {
8. Public static string bytestohexstring (byte [] SRC ){
9. Stringbuilder = new stringbuilder ();
10. If (src = NULL | SRC. Length <= 0 ){
11. Return NULL;
12. }
13. For (INT I = 0; I <SRC. length; I ++ ){
14. Int v = SRC [I] & 0xff;
15. String HV = integer. tohexstring (v );
16. If (HV. Length () <2 ){
17. Stringbuilder. append (0 );
18. }
19. Stringbuilder. append (HV );
20. }
21. Return stringbuilder. tostring ();
22. }
23. Public static void main (string [] ARGs) throws ioexception {
24. String ImagePath = "C:/favicon.png ";
25. File image = new file (ImagePath );
26. Inputstream is = new fileinputstream (image );
27. Byte [] bt = new byte [2];
28. Is. Read (BT );
29. System. Out. println (bytestohexstring (BT ));
30. }
31. }

import java.io.File;import java.io.FileInputStream;import java.io.IOException;import java.io.InputStream; public class ImageTypeCheck {     public static String bytesToHexString(byte[] src) {        StringBuilder stringBuilder = new StringBuilder();        if (src == null || src.length <= 0) {            return null;        }        for (int i = 0; i < src.length; i++) {            int v = src[i] & 0xFF;            String hv = Integer.toHexString(v);            if (hv.length() < 2) {                stringBuilder.append(0);            }            stringBuilder.append(hv);        }        return stringBuilder.toString();    }    public static void main(String[] args) throws IOException {        String imagePath = "c:/favicon.png";        File image = new File(imagePath);        InputStream is = new FileInputStream(image);        byte[] bt = new byte[2];        is.read(bt);        System.out.println(bytesToHexString(bt));    }}

However, this method is the same as the extension, and is not completely useless. At least you can perform a simple check in the early stage to pave the way for the next check.

3) obtain the width and height attributes of an image.
If we can get the width and height attribute of an image normally, it must be an image. We cannot get the width and height attribute of a non-image file, the following is a Java code used to determine whether an image can be obtained based on the image width and height attribute:

[Java]
View plaincopyprint?

1. /**
2. * Read the file and obtain its width and height to determine whether the current file is an image. This is a very simple method.
3. *
4. * @ Param imagefile
5. * @ Return
6. */
7. Public static Boolean isimage (File imagefile ){
8. If (! Imagefile. exists ()){
9. Return false;
10. }
11. Image IMG = NULL;
12. Try {
13. IMG = ImageIO. Read (imagefile );
14. If (IMG = NULL | IMG. getwidth (null) <= 0 | IMG. getheight (null) <= 0 ){
15. Return false;
16. }
17. Return true;
18. } Catch (exception e ){
19. Return false;
20. } Finally {
21. IMG = NULL;
22. }
23. }

/*** It is very easy to judge whether the current file is an image by reading the file and obtaining its width and height. ** @ Param imagefile * @ return */public static Boolean isimage (File imagefile) {If (! Imagefile. exists () {return false;} image IMG = NULL; try {IMG = ImageIO. read (imagefile); If (IMG = NULL | IMG. getwidth (null) <= 0 | IMG. getheight (null) <= 0) {return false;} return true;} catch (exception e) {return false;} finally {IMG = NULL ;}}

Ii. security check and handling of image files
Now, we can finally determine whether a file contains images. However, what if some illegal code is added to an image file that can be browsed normally:

This is some IFRAME code added at the end of a normal image. I tried to open this image separately and put it on a webpage. Although this will not be executed, however, it does not mean that other code will not be inserted. Anti-virus software (such as avast) reports a virus for such modifications.
So how should we prevent this kind of thing, that is, it can be opened normally, it has the correct image file extension, and it can also get its width and height attributes? Oh, we can rewrite this image at this time, add a watermark to it or resize it, so that the newly generated image will no longer contain such malicious code, the following is a Java implementation for adding Watermarks:

[Java]
View plaincopyprint?

1. /**
2. * Add an image watermark
3. *
4. * @ Param srcimg target image path, for example, C: \ kuku.jpg
5. * @ Param waterimg watermark image path, for example, C: \ kuku.png
6. * @ Param x the offset between the watermark image and the left side of the target image. If X is less than 0, it is in the middle.
7. * @ Param y the offset between the watermark image and the target image. If y is less than 0, it is in the middle.
8. * @ Param Alpha transparency (0.0 -- 1.0, 0.0 is completely transparent, and 1.0 is completely opaque)
9. * @ Throws ioexception
10. */
11. Public final static void addwatermark (string srcimg, string waterimg, int X, int y, float alpha) throws ioexception {
12. // Load the Target Image
13. File file = new file (srcimg );
14. String ext = srcimg. substring (srcimg. lastindexof (".") + 1 );
15. Image image = ImageIO. Read (File );
16. Int width = image. getwidth (null );
17. Int Height = image. getheight (null );
19. // Load the target image to the memory.
    
20. Bufferedimage = new bufferedimage (width, height, bufferedimage. type_int_rgb );
21. Graphics2d G = bufferedimage. creategraphics ();
22. G. drawimage (image, 0, 0, width, height, null );
24. // Load the watermark image.
25. Image waterimage = ImageIO. Read (new file (waterimg ));
26. Int width_1 = waterimage. getwidth (null );
27. Int height_1 = waterimage. getheight (null );
28. // Set the transparency of the watermark image.
29. G. setcomposite (alphacomposite. getinstance (alphacomposite. src_atop, alpha ));
31. // Set the position of the watermark image.
32. Int widthdiff = width-width_1;
33. Int heightdiff = height-height_1;
34. If (x <0 ){
35. X = widthdiff/2;
36. } Else if (x> widthdiff ){
37. X = widthdiff;
38. }
39. If (Y <0 ){
40. Y = heightdiff/2;
41. } Else if (Y> heightdiff ){
42. Y = heightdiff;
43. }
45. // "Draw" the watermark image from the original image.
    
46. G. drawimage (waterimage, X, Y, width_1, height_1, null );
47. // Close the paint brush.
48. G. Dispose ();
50. // Save the target image.
51. ImageIO. Write (bufferedimage, ext, file );
52. }

/*** Add an image watermark ** @ Param srcimg target image path, for example, C: \ kutuku.jpg * @ Param waterimg watermark image path, for example, C: \ kutuku.png * @ Param x the offset between the watermark image and the left side of the target image. If X is <0, the offset between * @ Param Y and the top side of the target image is displayed, if y is <0, * @ Param Alpha transparency (0.0 -- 1.0, 0.0 is completely transparent, 1.0 is completely opaque) * @ throws ioexception */public final static void addwatermark (string srcimg, string waterimg, int X, int y, float alpha) throws ioexception {// load the target image file = new fi Le (srcimg); string ext = srcimg. substring (srcimg. lastindexof (". ") + 1); image = ImageIO. read (File); int width = image. getwidth (null); int Height = image. getheight (null); // loads the target image to the memory. Bufferedimage = new bufferedimage (width, height, bufferedimage. type_int_rgb); graphics2d G = bufferedimage. creategraphics (); G. drawimage (image, 0, 0, width, height, null); // load the watermark image. Image waterimage = ImageIO. read (new file (waterimg); int width_1 = waterimage. getwidth (null); int height_1 = waterimage. getheight (null); // sets the transparency of the watermark image. G. setcomposite (alphacomposite. getinstance (alphacomposite. src_atop, alpha); // set the position of the watermark image. Int widthdiff = width-width_1; int heightdiff = height-height_1; If (x <0) {x = widthdiff/2;} else if (x> widthdiff) {x = widthdiff;} If (Y <0) {Y = heightdiff/2;} else if (Y> heightdiff) {Y = heightdiff ;} // "Draw" the watermark image from the original image. G. drawimage (waterimage, X, Y, width_1, height_1, null); // close the paint brush. G. Dispose (); // Save the target image. ImageIO. Write (bufferedimage, ext, file );}

Through the above methods, we should be able to avoid the security issues of malicious code in most of the images. However, due to my poor personal skills, there may be some considerations. Please kindly advise.