Why strip EXIF data???

  • I’ve been working on a photography related website and was investigating how to include EXIF data with images. It seems that WP reads a portion of the EXIF data when an image is imported, stores the data in the WP database and then strips all EXIF and IPTC from the image and stores that on the webserver.

    This prevents, for example, using the PHP function exif_read_data to extract additional pieces of EXIF or IPTC data from the image file. Of course, this is also why there are no plugins that do this sort of thing either (the exception being the Exifography plugin, but it only supports the importing of a handful of additional EXIF fields and isn’t easily extended to include more by the user).

    From a photographers standpoint, this is REALLY BAD for two reasons:

    1) it removes the EXIF data that contains a copyright notice, author information, etc. from the image itself.

    2) it makes it very difficult (impossible unless you know PHP and are willing to hack WP core files) to import additional EXIF fields or other metadata such as IPTC.

    Now I realize that the EXIF data can be easily changed so it isn’t a fool-proof method of indicating copyright and/or authorship for an image but what is the harm in retaining this information? If striping it out serves a purpose, I would like to suggest that this be made optional behavior for WP as I, for one, would like the EXIF and other meta-data to be retained.

Viewing 5 replies - 1 through 5 (of 5 total)

  • I agree entirly with your comments

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    WordPress strips EXIF data from the auto-resized versions of the images as a side effect. What it’s actually doing is creating new images from the original, and not copying that data.

    However, the original image is saved as-is, with all EXIF information included. The original image is not modified in any way.

    I would think that from a security point of view stripping the EXIF data would be a good thing. That’s definitely one way to insert a script into image and if it reaches your server temp directory there’s no telling what could/would happen. So if you’re allowing images to be uploaded to your server I would make sure that you trust the users that are doing so.

    https://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/

    That is one way to inject a script into an image, I know of another way as well.

    Thread Starter brucedwilliams

    (@brucedwilliams)

    I have a single-user WordPress install so I (presumably) don’t need to worry about someone inserting a malicious script into the EXIF portion of an image. I only upload my own photos to my website and not photos/images downloaded from the internet (generally, using downloaded images from the internet on your own website is a copyright violation, which as a photographer, I make pains to avoid). Thus, my suggestion that the stripping of EXIF data be made optional via a WordPress setting.

    I agree having an option would be great. Or you could manually (FTP/SFTP) the images. More work, but it’s possible.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Why strip EXIF data???’ is closed to new replies.

Tags