From efe2cbec9eb26a8b8c2398e0f115b693cb932024 Mon Sep 17 00:00:00 2001
From: Adam Gschwender
Date: Sun, 4 Dec 2016 12:36:21 -0500
Subject: [PATCH] Restrict maximumn resize width and height
---
 CHANGES.txt | 1 +
 README.rst | 9 +++------
 pilbox/__init__.py | 5 +++--
 pilbox/app.py | 12 ++++++++++--
 pilbox/test/app_test.py | 10 ++++++++++
 setup.py | 2 +-
 6 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index cd9e9ce..d969653 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -52,3 +52,4 @@
 * 1.2.0: Support setting background when saving a transparent image
 - *Backwards incompatible*: default background property changed to `0fff`. To restore previous behavior, set background in config to `ffff`.
 * 1.2.1: Added max operations config property
+ * 1.2.2: Added max resize width and height config properties
diff --git a/README.rst b/README.rst
index 7e2adfd..69f566f 100644
--- a/README.rst
+++ b/README.rst
@@ -139,6 +139,8 @@ To see a list of all available options, run
 --implicit_base_url prepend protocol/host to url paths
 --max_operations maximum operations to perform (default 10)
 --max_requests max concurrent requests (default 40)
+ --max_resize_height maximum resize height (default 15000)
+ --max_resize_width maximum resize width (default 15000)
 --operation default operation to perform
 --optimize default to optimize when saving
 --port run on the given port (default 8888)
@@ -626,9 +628,4 @@ Changelog
 to ``ffff``.
 - 1.2.1: Added max operations config property
-
-TODO
-====
-
-- How to reconcile unavailable color profiles?
-- Add backends (S3, file system, etc...) if necessary
+- 1.2.2: Added max resize width and height config properties
diff --git a/pilbox/__init__.py b/pilbox/__init__.py
index a2a70e0..e4e4c2f 100644
--- a/pilbox/__init__.py
+++ b/pilbox/__init__.py
@@ -75,13 +75,14 @@
 `0fff`. To restore previous behavior, set background in config to `ffff`.
 * 1.2.1: Added max operations config property
+ * 1.2.2: Added max resize width and height config properties
 """
 # human-readable version number
-version = "1.2.1"
+version = "1.2.2"
 # The first three numbers are the components of the version number.
 # The fourth is zero for an official release, positive for a development
 # branch, or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version_info = (1, 2, 1, 0)
+version_info = (1, 2, 2, 0)
diff --git a/pilbox/app.py b/pilbox/app.py
index 949801d..992ecc7 100755
--- a/pilbox/app.py
+++ b/pilbox/app.py
@@ -55,6 +55,8 @@
 define("allowed_hosts", help="valid hosts", default=[], multiple=True)
 define("allowed_operations", help="valid ops", default=[], multiple=True)
 define("max_operations", help="maximum operations to perform", default=10)
+define("max_resize_height", help="maximum resize height", default=15000)
+define("max_resize_width", help="maximum resize width", default=15000)
 # request related settings
 define("max_requests", help="max concurrent requests", type=int, default=40)
@@ -100,6 +102,8 @@ def __init__(self, **kwargs):
 allowed_operations=set(
 options.allowed_operations or ImageHandler.OPERATIONS),
 max_operations=options.max_operations,
+max_resize_height=options.max_resize_height,
+max_resize_width=options.max_resize_width,
 background=options.background,
 expand=options.expand,
 filter=options.filter,
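Review bot: The two new `define` calls for `max_resize_height` and `max_resize_width` omit `type=int`, while the neighbouring `max_requests` option in the same hunk declares it explicitly. Tornado's `define` infers the type from the integer default, so the values do arrive as ints, but they feed an `int(w) > ...` comparison in validate_request and the contract is clearer when stated: `define("max_resize_height", help="maximum resize height", type=int, default=15000)`, and the same for width. The `help` strings could also say the unit, e.g. `help="maximum resize height in pixels"`, since the README line added in this commit gives no unit either.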
@@ -167,8 +171,12 @@ def validate_request(self):
 opts = self._get_save_options()
 ops = self._get_operations()
 if "resize" in ops:
-Image.validate_dimensions(
-self.get_argument("w"), self.get_argument("h"))
+w, h = self.get_argument("w"), self.get_argument("h")
+Image.validate_dimensions(w, h)
+if w and int(w) > self.settings.get("max_resize_width"):
+raise errors.DimensionsError("Exceeds maximum allowed width")
+elif h and int(h) > self.settings.get("max_resize_height"):
+raise errors.DimensionsError("Exceeds maximum allowed height")
 opts.update(self._get_resize_options())
 if "rotate" in ops:
 Image.validate_degree(self.get_argument("deg"))
diff --git a/pilbox/test/app_test.py b/pilbox/test/app_test.py
index 60a0ebf..e57503e 100644
--- a/pilbox/test/app_test.py
+++ b/pilbox/test/app_test.py
@@ -196,12 +196,22 @@ def test_invalid_width(self):
 self.assertEqual(resp.get("error_code"),
 errors.DimensionsError.get_code())
+qs = urlencode(dict(url="http://foo.co/x.jpg", w=15001, h=1))
+resp = self.fetch_error(400, "/?%s" % qs)
+self.assertEqual(resp.get("error_code"),
+errors.DimensionsError.get_code())
+
 def test_invalid_height(self):
 qs = urlencode(dict(url="http://foo.co/x.jpg", w=1, h="a"))
 resp = self.fetch_error(400, "/?%s" % qs)
 self.assertEqual(resp.get("error_code"),
 errors.DimensionsError.get_code())
+qs = urlencode(dict(url="http://foo.co/x.jpg", w=1, h=15001))
+resp = self.fetch_error(400, "/?%s" % qs)
+self.assertEqual(resp.get("error_code"),
+errors.DimensionsError.get_code())
+
 def test_invalid_degree(self):
 qs = urlencode(dict(url="http://foo.co/x.jpg", op="rotate", deg="a"))
 resp = self.fetch_error(400, "/?%s" % qs)
diff --git a/setup.py b/setup.py
index c897c6a..e3c1679 100644
--- a/setup.py
+++ b/setup.py
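Review bot: The height limit in validate_request is written as `elif` after a branch that unconditionally raises, which reads as though height is skipped whenever width was checked; a plain `if h and int(h) > self.settings.get("max_resize_height"):` says what actually happens. The `int(w)` and `int(h)` conversions are only safe because `Image.validate_dimensions(w, h)` runs first, so they depend on that helper rejecting non-integer strings (the existing `h="a"` test expecting a DimensionsError suggests it does); a one-line comment such as `# validate_dimensions has already rejected non-integer values` would record that ordering requirement. The two limits are applied per axis, so a single resize can still request up to max_resize_width x max_resize_height pixels; if the purpose is to bound memory for the resize, a cap on the product, or at least a docstring note that the limits are per-axis, is worth considering. validate_request's body starts and ends outside the hunk.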
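Review bot: The new assertions in test_invalid_width and test_invalid_height only exercise the rejecting side (`w=15001`, `h=15001`) and depend on the 15000 default rather than a limit configured for the test. A paired request at exactly 15000 that is expected to succeed would pin the `>` versus `>=` boundary of the new check, and setting `max_resize_width`/`max_resize_height` in the test application's settings would decouple these tests from the default value. test_invalid_width begins outside the hunk and test_invalid_degree ends outside it.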
@@ -21,7 +21,7 @@ def run(self):
 setup(name='pilbox',
-version='1.2.1',
+version='1.2.2',
 description='Pilbox is an image processing application server built on the Tornado web framework using the Pillow Imaging Library',
 long_description=readme,
 classifiers=[