mirror of
https://github.com/willnorris/imageproxy.git
synced 2026-04-24 20:36:24 +02:00
prevent pixel flooding attack
Refuse to transform images larger than 100 megapixels. Fixes #254
parent
707b5ac551
commit
07c1c27092
2 changed files with 28 additions and 0 deletions
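--- a/transform.go
+++ b/transform.go
@@ -5,6 +5,7 @@ package imageproxy
 
 import (
 "bytes"
+"errors"
 "fmt"
 "image"
 _ "image/gif" // register gif format
@@ -43,6 +44,19 @@ func Transform(img []byte, opt Options) ([]byte, error) {
 return img, nil
 }
 
+// decode image metadata
+cfg, _, err := image.DecodeConfig(bytes.NewReader(img))
+if err != nil {
+return nil, err
+}
+
+// prevent pixel flooding attacks
+// accept no larger than a 100 megapixel image.
+const maxPixels = 100_000_000
+if cfg.Width*cfg.Height > maxPixels {
+return nil, errors.New("image too large")
+}
+
 // decode image
 m, format, err := image.Decode(bytes.NewReader(img))
 if err != nil {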
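Review bot: The size check `cfg.Width*cfg.Height > maxPixels` multiplies two `int` values, so on a build where `int` is 32 bits the product can wrap around and an oversized image could pass the limit. Doing the arithmetic in 64 bits, `if int64(cfg.Width)*int64(cfg.Height) > maxPixels {`, or comparing by division, keeps the guard independent of the platform. Separately, 100 megapixels still permits a decoded buffer of roughly 400 MB at four bytes per pixel, and concurrent requests multiply that, so the constant deserves a comment stating the per-request memory it implies. Transform's body continues outside the hunk, so whether later decoding paths (for example multi-frame GIFs) are covered by this single check cannot be confirmed from here.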
|
|
|
|||
File diff suppressed because one or more lines are too long