Has anyone used a Graphics Program to “sanitize” Images that are being uploaded to your website?
In my researching how to allow Users to securely upload pictures to my website, it has been said by a few that you should convert the Original Images to an intermediary format (e.g. BMP) and then convert the stripped version back to a Standard Format (e.g. JPEG).
This sounds complicated, scary, and possibly expensive?! :-/
You don’t need to use imagemagick, image reprocessing within php using gd will strip exif, and if you do a resize, this should juggle the pixel data to sufficiently disrupt any malicious executable code that an attacker might try and insert. If you have to go to these lengths though you’re missing other necessary precautions for user uploaded files.