Restrict maximumn resize width and height

CHANGES.txt

@@ -52,3 +52,4 @@
   * 1.2.0: Support setting background when saving a transparent image
     - *Backwards incompatible*: default background property changed to `0fff`. To restore previous behavior, set background in config to `ffff`.
   * 1.2.1: Added max operations config property
+  * 1.2.2: Added max resize width and height config properties

README.rst

@@ -139,6 +139,8 @@ To see a list of all available options, run
       --implicit_base_url        prepend protocol/host to url paths
       --max_operations           maximum operations to perform (default 10)
       --max_requests             max concurrent requests (default 40)
+      --max_resize_height        maximum resize height (default 15000)
+      --max_resize_width         maximum resize width (default 15000)
       --operation                default operation to perform
       --optimize                 default to optimize when saving
       --port                     run on the given port (default 8888)
@@ -626,9 +628,4 @@ Changelog
      to ``ffff``.
 
 -   1.2.1: Added max operations config property
-
-TODO
-====
-
--  How to reconcile unavailable color profiles?
--  Add backends (S3, file system, etc...) if necessary
+-   1.2.2: Added max resize width and height config properties

pilbox/__init__.py

@@ -75,13 +75,14 @@
       `0fff`. To restore previous behavior, set background in config
        to `ffff`.
   * 1.2.1: Added max operations config property
+  * 1.2.2: Added max resize width and height config properties
 """
 
 # human-readable version number
-version = "1.2.1"
+version = "1.2.2"
 
 # The first three numbers are the components of the version number.
 # The fourth is zero for an official release, positive for a development
 # branch, or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version_info = (1, 2, 1, 0)
+version_info = (1, 2, 2, 0)

pilbox/app.py

@@ -55,6 +55,8 @@
 define("allowed_hosts", help="valid hosts", default=[], multiple=True)
 define("allowed_operations", help="valid ops", default=[], multiple=True)
 define("max_operations", help="maximum operations to perform", default=10)
+define("max_resize_height", help="maximum resize height", default=15000)
+define("max_resize_width", help="maximum resize width", default=15000)
 
 # request related settings
 define("max_requests", help="max concurrent requests", type=int, default=40)
@@ -100,6 +102,8 @@ def __init__(self, **kwargs):
             allowed_operations=set(
                 options.allowed_operations or ImageHandler.OPERATIONS),
             max_operations=options.max_operations,
+            max_resize_height=options.max_resize_height,
+            max_resize_width=options.max_resize_width,
             background=options.background,
             expand=options.expand,
             filter=options.filter,
@@ -167,8 +171,12 @@ def validate_request(self):
         opts = self._get_save_options()
         ops = self._get_operations()
         if "resize" in ops:
-            Image.validate_dimensions(
-                self.get_argument("w"), self.get_argument("h"))
+            w, h = self.get_argument("w"), self.get_argument("h")
+            Image.validate_dimensions(w, h)
+            if w and int(w) > self.settings.get("max_resize_width"):
+                raise errors.DimensionsError("Exceeds maximum allowed width")
+            elif h and int(h) > self.settings.get("max_resize_height"):
+                raise errors.DimensionsError("Exceeds maximum allowed height")
             opts.update(self._get_resize_options())
         if "rotate" in ops:
             Image.validate_degree(self.get_argument("deg"))

pilbox/test/app_test.py

@@ -196,12 +196,22 @@ def test_invalid_width(self):
         self.assertEqual(resp.get("error_code"),
                          errors.DimensionsError.get_code())
 
+        qs = urlencode(dict(url="http://foo.co/x.jpg", w=15001, h=1))
+        resp = self.fetch_error(400, "/?%s" % qs)
+        self.assertEqual(resp.get("error_code"),
+                         errors.DimensionsError.get_code())
+
     def test_invalid_height(self):
         qs = urlencode(dict(url="http://foo.co/x.jpg", w=1, h="a"))
         resp = self.fetch_error(400, "/?%s" % qs)
         self.assertEqual(resp.get("error_code"),
                          errors.DimensionsError.get_code())
 
+        qs = urlencode(dict(url="http://foo.co/x.jpg", w=1, h=15001))
+        resp = self.fetch_error(400, "/?%s" % qs)
+        self.assertEqual(resp.get("error_code"),
+                         errors.DimensionsError.get_code())
+
     def test_invalid_degree(self):
         qs = urlencode(dict(url="http://foo.co/x.jpg", op="rotate", deg="a"))
         resp = self.fetch_error(400, "/?%s" % qs)

setup.py

@@ -21,7 +21,7 @@ def run(self):
 
 
 setup(name='pilbox',
-      version='1.2.1',
+      version='1.2.2',
       description='Pilbox is an image processing application server built on the Tornado web framework using the Pillow Imaging Library',
       long_description=readme,
       classifiers=[