is it safe to allow external images to be attached to Blog or any Web content?

If it's just a simple profile picture, you can avoid most security threats by using a trusted 3rd party like Gravatar (which is what security.se uses). Using a linked image as a "Web Bug" is unavoidable with remote images, but apparently a lot of people don't care that Gravatar can track them. Storing an attacker-controlled file locally creates other security threats.

More generally, you do not want to store user-controlled files on your server. A good example of exploiting this type of vulnerability is using a PHP local file include (LFI) vulnerability to obtain remote code execution. Even storing an attacker-controlled file temporarily is a security threat that can be exploited with an LFI attack.

Verifying that the link is in fact an image using getimagesize() helps prevent CSRF. However, even a valid image file can contain PHP tags in the EXIF metadata, and that could be used in an LFI attack. LFI attacks like this can be prevented using PHP's open_base_dir configuration option to prevent PHP from including files in the image or temporary directories.


When an external image is "attached" to the comment, then one of these two things occurs, depending on the way your server handles such things:

  • A reference to the URL pointing to the image is kept, and reproduced in the HTML file which is returned to any client browser visiting your site.
  • The image is downloaded by your server, and the clients will receive the copy which you keep on your server.

In the first case, every client who visits your page will automatically download the image, and the server at the other end (not yours, the one containing the image) can serve any image as it sees fit, possibly depending on who is currently asking (that's how the "show my IP" pictures work). Even if you yourself browse the page with your browser, you cannot be sure that every other visitor will see the same thing. Also, the sysadmin at the server which contains the image will be able to gather the IP address for every visitor of your site.

Last but not least, a maliciously crafted "image" link can point at things other than images, and unwillingly enroll all the visitors of your site in a distributed denial-of-service.

It thus seems safer to get a copy of the picture on the server, and serve it to visitors from your server only. This should be coupled with a validation/conversion step which checks that the image can be decoded, and forces it to have a "sane" size. Beware of scriptable image formats like SVG!
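A validation/conversion step of the kind this answer describes, written as an added PHP/GD example (not code from either answer); sanitize_image() and its parameters are assumed names. It also addresses the EXIF point from the earlier answer: the image is redrawn onto a fresh canvas, so metadata blocks are not carried into the stored copy.

```php
<?php
// Added example, not from either answer. sanitize_image() and its
// parameters are hypothetical names. $raw holds the bytes already fetched
// from the remote URL (fetch with a byte cap, e.g. CURLOPT_MAXFILESIZE).
function sanitize_image(string $raw, string $dest_dir, int $max_side = 1024): string
{
    // Header check on the bytes: rejects non-images, and SVG (which has no
    // IMAGETYPE_* constant) never gets past this point.
    $info = @getimagesizefromstring($raw);
    if ($info === false) {
        throw new RuntimeException('not a decodable raster image');
    }
    [$w, $h, $type] = $info;
    if (!in_array($type, [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        throw new RuntimeException('image type not allowed');
    }
    // Refuse absurd dimensions before allocating a canvas (decompression bombs).
    if ($w < 1 || $h < 1 || $w * $h > 25000000) {
        throw new RuntimeException('image dimensions out of range');
    }
    $src = @imagecreatefromstring($raw);   // full decode; corrupt data fails here
    if ($src === false) {
        throw new RuntimeException('image failed to decode');
    }
    // Force a sane size and redraw onto a fresh truecolor canvas. The output
    // contains only pixel data, so EXIF/comment segments (and any PHP tags
    // hidden in them) do not survive the conversion.
    $scale = min(1.0, $max_side / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($nw, $nh);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
    imagedestroy($src);

    // Server-chosen random name and a fixed extension: the submitter never
    // influences the path, and $dest_dir should lie outside open_basedir.
    $path = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($dst, $path, 6)) {
        imagedestroy($dst);
        throw new RuntimeException('could not write sanitized image');
    }
    imagedestroy($dst);
    return $path;
}
```

Serve the resulting files from a directory that is not under the web root's include paths and with a static Content-Type, so that the stored copy can never be executed or included.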