remove exif data when upload picture

microweber · Feb 22, 2022 · bfb8624 · bfb8624
1 parent b12e1a4
commit bfb8624
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 5 deletions.
diff --git a/src/MicroweberPackages/App/functions/plupload.php b/src/MicroweberPackages/App/functions/plupload.php
@@ -149,7 +149,7 @@
                             $is_ext = strtolower($is_ext);
 
                             switch ($is_ext) {
-                                case 'php': 
+                                case 'php':
                                 case 'php12':
                                 case 'php11':
                                 case 'php10':
@@ -518,18 +518,30 @@
 
             $valid = false;
             if ($ext === 'jpg' || $ext === 'jpeg' || $ext === 'jpe') {
-                if (@imagecreatefromjpeg($filePath)) {
+
+                // This will clear exif data - security issue
+                $imgCreatedFromJpeg = @imagecreatefromjpeg($filePath);
+                if ($imgCreatedFromJpeg) {
+                    imagejpeg($imgCreatedFromJpeg, $filePath,100);
                     $valid = true;
                 }
             } else if ($ext === 'png') {
-                if (@imagecreatefrompng($filePath)) {
+
+                $imgCreatedFromPng = @imagecreatefrompng($filePath);
+                if ($imgCreatedFromPng) {
+                    imagepng($imgCreatedFromPng, $filePath,100);
                     $valid = true;
                 }
+
             } else if ($ext === 'gif') {
-                if (@imagecreatefromgif($filePath)) {
+
+                $imgCreatedFromGif = @imagecreatefromgif($filePath);
+                if ($imgCreatedFromGif) {
+                    imagegif($imgCreatedFromGif, $filePath,100);
                     $valid = true;
                 }
-            }else if ($ext === 'svg') {
+
+            } else if ($ext === 'svg') {
 
                 if (is_file($filePath)) {
                     $sanitizer = new \enshrined\svgSanitize\Sanitizer();
@@ -557,6 +569,7 @@
 
     if ($is_ext == 'gif' || $is_ext == 'jpg' || $is_ext == 'jpeg' || $is_ext == 'png') {
         try {
+
             $size = getimagesize($filePath);
             $is_image = true;
             $filesize = filesize($filePath);

diff --git a/src/MicroweberPackages/Media/helpers/media.php b/src/MicroweberPackages/Media/helpers/media.php
@@ -129,3 +129,42 @@ function  create_media_dir($params)
     return app()->media_manager->create_media_dir($params);
 }
 
+
+
+
+
+/**
+ * Remove EXIF from a IMAGE file.
+ * @param string $old Path to original image file (input).
+ * @param string $new Path to new jpeg file (output).
+ */
+function remove_exif_data($old, $new)
+{
+    // Open the input file for binary reading
+    $f1 = fopen($old, 'rb');
+    // Open the output file for binary writing
+    $f2 = fopen($new, 'wb');
+
+    // Find EXIF marker
+    while (($s = fread($f1, 2))) {
+        $word = unpack('ni', $s)['i'];
+        if ($word == 0xFFE1) {
+            // Read length (includes the word used for the length)
+            $s = fread($f1, 2);
+            $len = unpack('ni', $s)['i'];
+            // Skip the EXIF info
+            fread($f1, $len - 2);
+            break;
+        } else {
+            fwrite($f2, $s, 2);
+        }
+    }
+
+    // Write the rest of the file
+    while (($s = fread($f1, 4096))) {
+        fwrite($f2, $s, strlen($s));
+    }
+
+    fclose($f1);
+    fclose($f2);
+}