forked from GNUsocial/gnu-social
[ATTACHMENTS] Restrict thumbnail generation to allowed sizes. Defaults to only configured sizes, but can be extended with the event 'GetAllowedThumbnailSizes'. The intention is to prevent DoS attacks, since handling a thumbnail request is a relatively slow process
This commit is contained in:
parent
4f6f1941da
commit
aea8639d44
@ -145,9 +145,18 @@ END;
|
||||
*
|
||||
* This can be used in the future to deduplicate images by visual content
|
||||
*/
|
||||
public static function onHashFile(string $filename, ?string &$out_hash)
|
||||
public function onHashFile(string $filename, ?string &$out_hash)
|
||||
{
|
||||
$out_hash = hash_file(Attachment::FILEHASH_ALGO, $filename);
|
||||
return Event::stop;
|
||||
}
|
||||
|
||||
/**
|
||||
* Fill the list of allowed sizes for an attachment, to prevent potential DoS'ing by requesting thousands of different thumbnail sizes
|
||||
*/
|
||||
public function onGetAllowedThumbnailSizes(?array &$sizes)
|
||||
{
|
||||
$sizes[] = ['width' => Common::config('thumbnail', 'width'), 'height' => Common::config('thumbnail', 'height')];
|
||||
return Event::next;
|
||||
}
|
||||
}
|
||||
|
@ -109,14 +109,17 @@ class Attachment extends Controller
|
||||
assert(false, 'Attachment scope not implemented');
|
||||
}
|
||||
|
||||
// TODO rate limit, limit to known sizes
|
||||
|
||||
$max_width = Common::config('thumbnail', 'width');
|
||||
$max_height = Common::config('thumbnail', 'height');
|
||||
$width = Common::clamp($this->int('w') ?: $max_width, min: 0, max: $max_width);
|
||||
$height = Common::clamp($this->int('h') ?: $max_height, min: 0, max: $max_height);
|
||||
$default_width = Common::config('thumbnail', 'width');
|
||||
$default_height = Common::config('thumbnail', 'height');
|
||||
$width = $this->int('w') ?: $default_width;
|
||||
$height = $this->int('h') ?: $default_height;
|
||||
$crop = $this->bool('c') ?: false;
|
||||
|
||||
Event::handle('GetAllowedThumbnailSizes', [&$sizes]);
|
||||
if (!in_array(['width' => $width, 'height' => $height], $sizes)) {
|
||||
throw new ClientException('The requested thumbnail dimensions are not allowed', 400); // 400 Bad Request
|
||||
}
|
||||
|
||||
$thumbnail = AttachmentThumbnail::getOrCreate(attachment: $attachment, width: $width, height: $height, crop: $crop);
|
||||
|
||||
$filename = $thumbnail->getFilename();
|
||||
|
Loading…
Reference in New Issue
Block a user