eliseuamaro/gnu-social
1
0
Fork 0
forked from GNUsocial/gnu-social
Code Issues Pull Requests Releases Wiki Activity

[ATTACHMENTS] Restrict thumbnail generation to allowed sizes. Defaults to only configured sizes, but can be extended with the event 'GetAllowedThumbnailSizes'. The intention is to prevent DoS attacks, since handling a thumbnail request is a relatively slow process

Browse Source
This commit is contained in:
Hugo Sales 2021-04-28 21:53:02 +00:00
parent b2841cb5fc
commit bb56b24d8f
2 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
components/Posting/Posting.php
View File

@ -145,9 +145,18 @@ END;
* *
* This can be used in the future to deduplicate images by visual content * This can be used in the future to deduplicate images by visual content
*/ */
public static function onHashFile(string $filename, ?string &$out_hash) public function onHashFile(string $filename, ?string &$out_hash)
{ {
$out_hash = hash_file(Attachment::FILEHASH_ALGO, $filename); $out_hash = hash_file(Attachment::FILEHASH_ALGO, $filename);
return Event::stop; return Event::stop;
} }
/**
* Fill the list of allowed sizes for an attachment, to prevent potential DoS'ing by requesting thousands of different thumbnail sizes
*/
public function onGetAllowedThumbnailSizes(?array &$sizes)
{
$sizes[] = ['width' => Common::config('thumbnail', 'width'), 'height' => Common::config('thumbnail', 'height')];
return Event::next;
}
} }

15
src/Controller/Attachment.php
View File

@ -109,13 +109,16 @@ class Attachment extends Controller
assert(false, 'Attachment scope not implemented'); assert(false, 'Attachment scope not implemented');
} }
// TODO rate limit, limit to known sizes $default_width = Common::config('thumbnail', 'width');
$default_height = Common::config('thumbnail', 'height');
$width = $this->int('w') ?: $default_width;
$height = $this->int('h') ?: $default_height;
$crop = $this->bool('c') ?: false;
$max_width = Common::config('thumbnail', 'width'); Event::handle('GetAllowedThumbnailSizes', [&$sizes]);
$max_height = Common::config('thumbnail', 'height'); if (!in_array(['width' => $width, 'height' => $height], $sizes)) {
$width = Common::clamp($this->int('w') ?: $max_width, min: 0, max: $max_width); throw new ClientException('The requested thumbnail dimensions are not allowed', 400); // 400 Bad Request
$height = Common::clamp($this->int('h') ?: $max_height, min: 0, max: $max_height); }
$crop = $this->bool('c') ?: false;
$thumbnail = AttachmentThumbnail::getOrCreate(attachment: $attachment, width: $width, height: $height, crop: $crop); $thumbnail = AttachmentThumbnail::getOrCreate(attachment: $attachment, width: $width, height: $height, crop: $crop);