From 007f26e582251895ea7d12b509c8aee24c4b1f47 Mon Sep 17 00:00:00 2001
From: tcit
Date: Sun, 18 May 2014 22:11:56 +0200
Subject: Security fix for Download Images
---
inc/poche/pochePictures.php | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
(limited to 'inc/poche/pochePictures.php')
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index e4b0b160..3202f2cc 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
@@ -72,9 +72,39 @@ function download_pictures($absolute_path, $fullpath)
if(file_exists($fullpath)) {
unlink($fullpath);
}
- $fp = fopen($fullpath, 'x');
- fwrite($fp, $rawdata);
- fclose($fp);
+
+ // check extension
+ $file_ext = strrchr($fullpath, '.');
+ $whitelist = array(".jpg",".jpeg",".gif",".png");
+ if (!(in_array($file_ext, $whitelist))) {
+ Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath);
+ } else {
+ // check headers
+ $imageinfo = getimagesize($absolute_path);
+ if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
+ Tools::logm('processed image with bad header. Skipping ' . $fullpath);
+ } else {
+ // regenerate image
+ $im = imagecreatefromstring($rawdata);
+ if ($im) {
+ switch ($imageinfo['mime']) {
+ case 'image/gif':
+ imagegif($im, $fullpath);
+ break;
+ case 'image/jpeg':
+ case 'image/jpg':
+ imagejpeg($im, $fullpath); // default quality is 75%
+ break;
+ case 'image/png':
+ imagepng($im, $fullpath);
+ break;
+ }
+ imagedestroy($im);
+ } else {
+ Tools::logm('error while regenerating image ' . $fullpath);
+ }
+ }
+ }
}
/**
-- cgit v1.2.3
From 18209292a4f0ac0ac01795cd5e4cd9f2b449dded Mon Sep 17 00:00:00 2001
From: tcit
Date: Mon, 19 May 2014 15:01:36 +0200
Subject: Fix bad character encoding when downloading images
---
inc/poche/pochePictures.php | 1 +
1 file changed, 1 insertion(+)
(limited to 'inc/poche/pochePictures.php')
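Review bot: The header check on the new `$imageinfo = getimagesize($absolute_path);` line fetches the remote URL a second time, so the MIME type it validates comes from a different response than the `$rawdata` that `imagecreatefromstring` re-encodes and writes, and a server is free to answer the two requests differently. Checking the bytes already in hand with `$imageinfo = getimagesizefromstring($rawdata);` (PHP 5.4 and later, to be confirmed against the project's minimum version) closes that gap and saves a download. `getimagesize` also returns `false` for a non-image, and the following `$imageinfo['mime']` then indexes into `false` (null, with a notice on newer PHP); a `$imageinfo === false ||` guard at the front of the condition makes that path explicit. The `unlink($fullpath)` in the context lines just above still runs before either check, so an existing local file is deleted even when the download is then skipped; running the checks first would avoid that. download_pictures starts before this hunk.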
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index e4b0b160..a11340f8 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
@@ -68,6 +68,7 @@ function get_absolute_link($relative_link, $url) {
function download_pictures($absolute_path, $fullpath)
{
$rawdata = Tools::getFile($absolute_path);
+ $fullpath = urldecode($fullpath);
if(file_exists($fullpath)) {
unlink($fullpath);
-- cgit v1.2.3
From 1d6a9ac25aa0ee1a51b3fcc70bc4247ff14c54e2 Mon Sep 17 00:00:00 2001
From: tcit
Date: Mon, 19 May 2014 15:24:11 +0200
Subject: Option for setting quality
---
inc/poche/pochePictures.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'inc/poche/pochePictures.php')
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index f10cc25e..97eb56ac 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
@@ -94,10 +94,10 @@ function download_pictures($absolute_path, $fullpath)
break;
case 'image/jpeg':
case 'image/jpg':
- imagejpeg($im, $fullpath); // default quality is 75%
+ imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);
break;
case 'image/png':
- imagepng($im, $fullpath);
+ imagepng($im, $fullpath, REGENERATE_PICTURES_QUALITY);
break;
}
imagedestroy($im);
-- cgit v1.2.3
From e3b00bcaf580177ecdbdb2ee90dfc263b1c2d79e Mon Sep 17 00:00:00 2001
From: tcit
Date: Mon, 19 May 2014 15:59:18 +0200
Subject: Fixed bug for png images
---
inc/poche/pochePictures.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/poche/pochePictures.php')
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index 97eb56ac..8f86d2f2 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
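Review bot: `$fullpath = urldecode($fullpath);` decodes the path after the caller has already applied `basename()` to the still-encoded URL path (visible in the filtre_picture hunk further down this page), so a remote image name carrying an encoded slash or dot-dot sequence such as `%2e%2e%2f` survives basename and only becomes `../` here, after which the `unlink($fullpath)` on the next lines and the later image write operate outside the assets directory. Decoding before the directory part is re-stripped keeps the path anchored: `$fullpath = dirname($fullpath) . '/' . basename(urldecode(basename($fullpath)));`. A comment on that line, `// the filename came from the URL: decode it, then strip any directory part the decoding revealed`, would record why the double basename is there. download_pictures ends outside this hunk.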
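Review bot: The new `imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);` and `imagepng(...)` lines read a constant this diff does not define; on an installation whose config predates the option, PHP before 8 treats the bare name as the string `'REGENERATE_PICTURES_QUALITY'` with a notice (PHP 8 throws an Error), and the quality argument becomes non-numeric. Keeping the old default behind a guard, e.g. `$quality = defined('REGENERATE_PICTURES_QUALITY') ? REGENERATE_PICTURES_QUALITY : 75;` ahead of the switch and passing `$quality`, preserves the 75% that the removed comment documented. Passing the same percentage to `imagepng`, whose third argument is a zlib level 0-9, is addressed by the next commit on this page. The switch sits inside download_pictures, which starts and ends outside the hunk.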
@@ -97,7 +97,7 @@ function download_pictures($absolute_path, $fullpath)
imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);
break;
case 'image/png':
- imagepng($im, $fullpath, REGENERATE_PICTURES_QUALITY);
+ imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9));
break;
}
imagedestroy($im);
-- cgit v1.2.3
From 0bf0dfe10d0dd4aaafcc7da7deb5be8ef76ad602 Mon Sep 17 00:00:00 2001
From: Simon Leblanc
Date: Tue, 20 May 2014 00:42:51 +0200
Subject: Optimisation et gestion des erreurs
---
inc/poche/pochePictures.php | 73 ++++++++++++++++++++++++++++-----------------
1 file changed, 45 insertions(+), 28 deletions(-)
(limited to 'inc/poche/pochePictures.php')
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index 8f86d2f2..7c319a85 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
@@ -14,6 +14,7 @@ function filtre_picture($content, $url, $id)
{
$matches = array();
+ $processing_pictures = array(); // list of processing image to avoid processing the same pictures twice
preg_match_all('#<\s*(img)[^>]+src="([^"]*)"[^>]*>#Si', $content, $matches, PREG_SET_ORDER);
foreach($matches as $i => $link) {
$link[1] = trim($link[1]);
@@ -22,8 +23,17 @@ function filtre_picture($content, $url, $id)
$filename = basename(parse_url($absolute_path, PHP_URL_PATH));
$directory = create_assets_directory($id);
$fullpath = $directory . '/' . $filename;
- download_pictures($absolute_path, $fullpath);
- $content = str_replace($matches[$i][2], $fullpath, $content);
+
+ if (in_array($absolute_path, $processing_pictures) === true) {
+ // replace picture's URL only if processing is OK : already processing -> go to next picture
+ continue;
+ }
+
+ if (download_pictures($absolute_path, $fullpath) === true) {
+ $content = str_replace($matches[$i][2], $fullpath, $content);
+ }
+
+ $processing_pictures[] = $absolute_path;
}
}
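Review bot: `ceil(REGENERATE_PICTURES_QUALITY / 100 * 9)` maps the JPEG-style percentage onto imagepng's third argument, but that argument is a zlib compression level, not a quality: PNG output is lossless at every level and a higher level only means a smaller, slower-to-write file, so raising the configured "quality" buys more compression, the opposite of what the name suggests. The result is also unclamped, so a configured value above 100 produces a level above 9. A one-line comment, `// PNG is lossless: the percentage only picks the zlib level (0-9, higher = smaller/slower), not visual quality`, plus a clamp such as `(int) max(0, min(9, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9)))`, would make the intent and the valid range explicit. The switch lives inside download_pictures, which starts and ends outside the hunk.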
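Review bot: The de-duplication keys on `$absolute_path`, but the file written is keyed on `$fullpath`, which the context line above builds from `basename()` of the URL path alone, so two different URLs ending in the same filename both pass the `in_array` check and the second download unlinks and overwrites the file that the first one's already-rewritten `<img>` now points to. Tracking the destination as well, `if (in_array($absolute_path, $processing_pictures, true) || in_array($fullpath, $processing_pictures, true)) {` and appending `$fullpath` next to `$absolute_path`, closes that hole (deriving the filename from a hash of the URL would be the more robust alternative); the strict flag also avoids loose string comparison. The comment on the `continue` branch describes the other branch; `// already attempted in this run: skip so it is neither re-downloaded nor retried` says what the line does. filtre_picture's body starts before the first hunk of this commit.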
@@ -64,6 +74,8 @@ function get_absolute_link($relative_link, $url) {
/**
* Téléchargement des images
+ *
+ * @return bool true if the download and processing is OK, false else
*/
function download_pictures($absolute_path, $fullpath)
{
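Review bot: The new `@return` line documents the result but the two parameters stay undocumented and "false else" reads awkwardly; `@param string $absolute_path URL of the remote image`, `@param string $fullpath local path the regenerated image is written to` and `@return bool true if the download and processing succeeded, false otherwise` would complete the docblock. Since the function url-decodes `$fullpath` internally (a line outside this hunk), the parameter description is the place to say the caller may pass the still-encoded name. download_pictures' body lies outside the hunk.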
@@ -79,33 +91,38 @@ function download_pictures($absolute_path, $fullpath)
$whitelist = array(".jpg",".jpeg",".gif",".png");
if (!(in_array($file_ext, $whitelist))) {
Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath);
- } else {
- // check headers
- $imageinfo = getimagesize($absolute_path);
- if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
- Tools::logm('processed image with bad header. Skipping ' . $fullpath);
- } else {
- // regenerate image
- $im = imagecreatefromstring($rawdata);
- if ($im) {
- switch ($imageinfo['mime']) {
- case 'image/gif':
- imagegif($im, $fullpath);
- break;
- case 'image/jpeg':
- case 'image/jpg':
- imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);
- break;
- case 'image/png':
- imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9));
- break;
- }
- imagedestroy($im);
- } else {
- Tools::logm('error while regenerating image ' . $fullpath);
- }
- }
+ return false;
+ }
+
+ // check headers
+ $imageinfo = getimagesize($absolute_path);
+ if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
+ Tools::logm('processed image with bad header. Skipping ' . $fullpath);
+ return false;
}
+
+ // regenerate image
+ $im = imagecreatefromstring($rawdata);
+ if ($im === false) {
+ Tools::logm('error while regenerating image ' . $fullpath);
+ return false;
+ }
+
+ switch ($imageinfo['mime']) {
+ case 'image/gif':
+ $result = imagegif($im, $fullpath);
+ break;
+ case 'image/jpeg':
+ case 'image/jpg':
+ $result = imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);
+ break;
+ case 'image/png':
+ $result = imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9));
+ break;
+ }
+ imagedestroy($im);
+
+ return $result;
}
/**
-- cgit v1.2.3
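Review bot: `$result` is only assigned inside the switch, so a `$imageinfo['mime']` value that reaches it without matching a case would make `return $result;` return an undefined variable (null); that is unreachable today only because the `!=` chain above lists exactly the same four strings, a coupling nothing enforces, and a `default: $result = false; break;` arm (or `$result = false;` before the switch) makes the return honest. The early `return false;` paths are an improvement, but the `unlink($fullpath)` that precedes this hunk still runs first, so a rejected download now deletes the previous local copy while the caller keeps the remote URL in the content; moving the extension and header checks ahead of the unlink avoids that loss. `getimagesize($absolute_path)` still re-downloads the URL instead of inspecting the bytes that are re-encoded; `$imageinfo = getimagesizefromstring($rawdata);` followed by an `$imageinfo === false ||` guard in the condition validates what is actually written. download_pictures starts before this hunk.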