Has anyone used a Graphics Program to “sanitize” Images that are being uploaded to your website?
In researching how to allow users to securely upload pictures to my website, a few people have said that you should convert the original images to an intermediary format (e.g. BMP) and then convert the stripped version back to a standard format (e.g. JPEG).
This sounds complicated, scary, and possibly expensive?! :-/
You don’t need to use ImageMagick; image reprocessing within PHP using GD will strip EXIF, and if you do a resize, this should juggle the pixel data enough to disrupt any malicious executable code that an attacker might try to insert. If you have to go to these lengths, though, you’re missing other necessary precautions for user-uploaded files.
GD is a PHP module which is generally installed by default. ImageMagick is a standalone set of applications that is often connected to PHP (but not on all hosting). Both are entirely free.
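The reprocessing the replies above describe, written out as an added example (this is not code from the original thread or from any poster): the server decodes the upload with GD, draws it onto a brand-new resampled canvas, and writes a fresh JPEG, so EXIF, trailing data and any bytes of the original encoded stream never reach the stored file. It assumes PHP 8 with the GD extension; the size limits, the `photo` field name and the upload directory are placeholders.

```php
<?php
// Added example, not from the original thread. Re-encode an uploaded image with
// GD so that only decoded pixel data survives. Assumes PHP 8 with GD enabled;
// limits and paths below are constructed placeholders.

declare(strict_types=1);

const MAX_BYTES  = 5 * 1024 * 1024; // constructed upload size limit
const MAX_PIXELS = 4000 * 4000;     // guard against decompression bombs

/**
 * Re-encode $srcPath into a fresh JPEG at $dstPath, dropping metadata and
 * anything appended after the image data. Returns true on success.
 */
function sanitizeImage(string $srcPath, string $dstPath, int $maxWidth = 1600): bool
{
    if (!is_file($srcPath) || filesize($srcPath) > MAX_BYTES) {
        return false;
    }

    // Determine the container type from the bytes, never from the
    // client-supplied filename or Content-Type.
    $info = @getimagesize($srcPath);
    if ($info === false) {
        return false;
    }
    [$width, $height, $type] = $info;
    if (!in_array($type, [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return false;
    }
    if ($width < 1 || $height < 1 || $width * $height > MAX_PIXELS) {
        return false;
    }

    // Decode with GD. A decode failure means the file is not a usable image.
    $src = match ($type) {
        IMAGETYPE_JPEG => @imagecreatefromjpeg($srcPath),
        IMAGETYPE_PNG  => @imagecreatefrompng($srcPath),
        IMAGETYPE_GIF  => @imagecreatefromgif($srcPath),
    };
    if ($src === false) {
        return false;
    }

    // Always draw onto a new canvas and resample, so no byte of the original
    // encoded stream is copied across unchanged.
    $scale = min(1.0, $maxWidth / $width);
    $newW  = max(1, (int) round($width * $scale));
    $newH  = max(1, (int) round($height * $scale));
    $dst   = imagecreatetruecolor($newW, $newH);
    // Flatten transparency onto white so PNG/GIF alpha does not turn black in JPEG.
    imagefill($dst, 0, 0, imagecolorallocate($dst, 255, 255, 255));
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $newW, $newH, $width, $height);
    imagedestroy($src);

    // Write to a temporary file, then rename, so a partial file is never served.
    $tmp = $dstPath . '.tmp';
    $ok  = imagejpeg($dst, $tmp, 85);
    imagedestroy($dst);
    if (!$ok) {
        @unlink($tmp);
        return false;
    }
    return rename($tmp, $dstPath);
}

// Usage for a typical upload (field name and directory are placeholders).
// The stored name is generated server-side; the client-supplied name is never used.
$ok = sanitizeImage(
    $_FILES['photo']['tmp_name'],
    '/srv/uploads/' . bin2hex(random_bytes(16)) . '.jpg'
);
```

Two design points worth noting. The type check uses `getimagesize()` on the actual bytes and then hands the file to the matching `imagecreatefrom*()` decoder, so a file that merely carries a `.jpg` name or a spoofed MIME type is rejected before any pixel work happens, and the pixel-count cap bounds the memory GD will allocate for the decode. Re-encoding also does not replace the other precautions the reply mentions: the output gets a server-generated name and a fixed extension, and the upload directory should be served with a fixed image Content-Type and never treated as executable by the web server.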