author | tcitworld <tcit@tcit.fr> | 2014-05-20 11:42:22 +0200 |
---|---|---|
committer | tcitworld <tcit@tcit.fr> | 2014-05-20 11:42:22 +0200 |
commit | 99408dfcf37303bc3550713b835c3e9c16966573 (patch) | |
tree | eac0b73c54d4989d8e4f1edbcd25cefb6c18710b | |
parent | e3b00bcaf580177ecdbdb2ee90dfc263b1c2d79e (diff) | |
parent | 0bf0dfe10d0dd4aaafcc7da7deb5be8ef76ad602 (diff) | |
Merge pull request #1 from leblanc-simon/images_security
Optimisation et gestion des erreurs
-rw-r--r-- | inc/poche/pochePictures.php | 73 |
1 files changed, 45 insertions, 28 deletions
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php index 8f86d2f2..7c319a85 100644 --- a/inc/poche/pochePictures.php +++ b/inc/poche/pochePictures.php | |||
@@ -14,6 +14,7 @@ | |||
14 | function filtre_picture($content, $url, $id) | 14 | function filtre_picture($content, $url, $id) |
15 | { | 15 | { |
16 | $matches = array(); | 16 | $matches = array(); |
17 | $processing_pictures = array(); // list of processing image to avoid processing the same pictures twice | ||
17 | preg_match_all('#<\s*(img)[^>]+src="([^"]*)"[^>]*>#Si', $content, $matches, PREG_SET_ORDER); | 18 | preg_match_all('#<\s*(img)[^>]+src="([^"]*)"[^>]*>#Si', $content, $matches, PREG_SET_ORDER); |
18 | foreach($matches as $i => $link) { | 19 | foreach($matches as $i => $link) { |
19 | $link[1] = trim($link[1]); | 20 | $link[1] = trim($link[1]); |
@@ -22,8 +23,17 @@ function filtre_picture($content, $url, $id) | |||
22 | $filename = basename(parse_url($absolute_path, PHP_URL_PATH)); | 23 | $filename = basename(parse_url($absolute_path, PHP_URL_PATH)); |
23 | $directory = create_assets_directory($id); | 24 | $directory = create_assets_directory($id); |
24 | $fullpath = $directory . '/' . $filename; | 25 | $fullpath = $directory . '/' . $filename; |
25 | download_pictures($absolute_path, $fullpath); | 26 | |
26 | $content = str_replace($matches[$i][2], $fullpath, $content); | 27 | if (in_array($absolute_path, $processing_pictures) === true) { |
28 | // replace picture's URL only if processing is OK : already processing -> go to next picture | ||
29 | continue; | ||
30 | } | ||
31 | |||
32 | if (download_pictures($absolute_path, $fullpath) === true) { | ||
33 | $content = str_replace($matches[$i][2], $fullpath, $content); | ||
34 | } | ||
35 | |||
36 | $processing_pictures[] = $absolute_path; | ||
27 | } | 37 | } |
28 | 38 | ||
29 | } | 39 | } |
@@ -64,6 +74,8 @@ function get_absolute_link($relative_link, $url) { | |||
64 | 74 | ||
65 | /** | 75 | /** |
66 | * Téléchargement des images | 76 | * Téléchargement des images |
77 | * | ||
78 | * @return bool true if the download and processing is OK, false else | ||
67 | */ | 79 | */ |
68 | function download_pictures($absolute_path, $fullpath) | 80 | function download_pictures($absolute_path, $fullpath) |
69 | { | 81 | { |
@@ -79,33 +91,38 @@ function download_pictures($absolute_path, $fullpath) | |||
79 | $whitelist = array(".jpg",".jpeg",".gif",".png"); | 91 | $whitelist = array(".jpg",".jpeg",".gif",".png"); |
80 | if (!(in_array($file_ext, $whitelist))) { | 92 | if (!(in_array($file_ext, $whitelist))) { |
81 | Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath); | 93 | Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath); |
82 | } else { | 94 | return false; |
83 | // check headers | 95 | } |
84 | $imageinfo = getimagesize($absolute_path); | 96 | |
85 | if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') { | 97 | // check headers |
86 | Tools::logm('processed image with bad header. Skipping ' . $fullpath); | 98 | $imageinfo = getimagesize($absolute_path); |
87 | } else { | 99 | if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') { |
88 | // regenerate image | 100 | Tools::logm('processed image with bad header. Skipping ' . $fullpath); |
89 | $im = imagecreatefromstring($rawdata); | 101 | return false; |
90 | if ($im) { | ||
91 | switch ($imageinfo['mime']) { | ||
92 | case 'image/gif': | ||
93 | imagegif($im, $fullpath); | ||
94 | break; | ||
95 | case 'image/jpeg': | ||
96 | case 'image/jpg': | ||
97 | imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY); | ||
98 | break; | ||
99 | case 'image/png': | ||
100 | imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9)); | ||
101 | break; | ||
102 | } | ||
103 | imagedestroy($im); | ||
104 | } else { | ||
105 | Tools::logm('error while regenerating image ' . $fullpath); | ||
106 | } | ||
107 | } | ||
108 | } | 102 | } |
103 | |||
104 | // regenerate image | ||
105 | $im = imagecreatefromstring($rawdata); | ||
106 | if ($im === false) { | ||
107 | Tools::logm('error while regenerating image ' . $fullpath); | ||
108 | return false; | ||
109 | } | ||
110 | |||
111 | switch ($imageinfo['mime']) { | ||
112 | case 'image/gif': | ||
113 | $result = imagegif($im, $fullpath); | ||
114 | break; | ||
115 | case 'image/jpeg': | ||
116 | case 'image/jpg': | ||
117 | $result = imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY); | ||
118 | break; | ||
119 | case 'image/png': | ||
120 | $result = imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9)); | ||
121 | break; | ||
122 | } | ||
123 | imagedestroy($im); | ||
124 | |||
125 | return $result; | ||
109 | } | 126 | } |
110 | 127 | ||
111 | /** | 128 | /** |
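Review bot: The header check at new line 98 still calls `getimagesize($absolute_path)` on the remote URL, so the MIME decision is made on a second, separate response rather than on the `$rawdata` that `imagecreatefromstring` actually encodes at line 105, and a failed fetch leaves `$imageinfo` as `false`, which only reaches the `return false` via an undefined-index notice. Since `$rawdata` is already in hand (its fetch is above this hunk), `$imageinfo = getimagesizefromstring($rawdata);` (PHP >= 5.4) followed by `if ($imageinfo === false || $imageinfo['mime'] != 'image/gif' && ...)` makes the check apply to the bytes being written and avoids a second request to a URL taken from article content. Separately, `$result` returned at line 125 is only assigned inside the `switch`; the earlier MIME check makes the missing default unreachable today, but adding `$result = false;` before the `switch` keeps the new bool contract honest if the extension whitelist and the cases ever diverge. download_pictures' opening lines, including where `$rawdata` is read, are outside this hunk.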