ImageGen.ashx safety
Please notice you should check for maximum width and height and path traversal in the ImageGen.ashx handler. Otherwise it will be quite easy for a hacker to get your website down:
[code]
using System.Text.RegularExpressions;

// Inside the handler's ProcessRequest(HttpContext context):
int height = 0, width = 0;

// Max w+h protection: refuse oversized dimensions before any image work is done
if ((int.TryParse(context.Request["height"], out height) && height > 600) || (int.TryParse(context.Request["width"], out width) && width > 800)) {
    return;
}

// Path traversal check: refuse any query string containing ".." (two or more dots)
var regex = new Regex(@"\.\.+");
if (regex.IsMatch(context.Request.Url.Query)) {
    return;
}
[/code]
This (and much more) is handled inside the ImageGen.dll code.
cheers,
doug.
Hey Doug. I don't want to be a pain in the ***. But, are you sure? In a recent website of our company path traversal was possible through ImageGen. You were able to use this to download all files from the umbraco media folder. The width and height story, is there a default max setting for these? Visitors were able to request very large images which made our server... well... slow. Thanks!
No worries, thanks for double-checking.
Both of these enhanced features require ImageGen Pro in order to set any of the following options in the /config/imagegen.config file:
Further checking that a request cannot traverse outside the specified ImageBaseDir has been added to 2.5.4 Beta but I've found a few bugs in its behavior so need to refactor that a bit before releasing it more widely.
cheers,
doug.
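As an added illustration (not ImageGen's own code, and not from either poster), this is how the two checks from the first post can be written so that the traversal test is a containment check against the base directory, which is the kind of ImageBaseDir check Doug describes, rather than a regex for "..". MaxWidth, MaxHeight, the base directory and the sample paths are constructed assumptions.

```csharp
using System;
using System.IO;

// Defensive checks a custom ImageGen-style handler can apply before touching the file system.
public static class ImageRequestGuard
{
    public const int MaxWidth = 800;   // assumed limits, same values as the post above
    public const int MaxHeight = 600;

    // True when the parameter is absent, or a positive integer within the limit.
    // Also rejects "0", negatives and non-numeric input, which the original snippet let through.
    public static bool DimensionOk(string value, int max)
    {
        if (string.IsNullOrEmpty(value)) return true;   // parameter not supplied
        int n;
        return int.TryParse(value, out n) && n > 0 && n <= max;
    }

    // Resolves a user-supplied relative path against the base directory and requires the
    // canonical result to stay inside it. Unlike a regex for "..", this also covers rooted
    // paths, "." segments and anything ASP.NET already URL-decoded before the handler ran.
    public static bool TryResolveWithinBase(string imageBaseDir, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested) || Path.IsPathRooted(requested)) return false;
        string baseFull = Path.GetFullPath(imageBaseDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(baseFull, requested));
        if (!candidate.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string baseDir = Path.Combine(Path.GetTempPath(), "media");   // constructed base dir
        string[] samples = { "images/logo.png", "../private.txt", "images/../../other.txt", "/rooted.txt" };
        foreach (string s in samples)
        {
            string resolved;
            bool ok = TryResolveWithinBase(baseDir, s, out resolved);
            Console.WriteLine("{0,-26} -> {1}", s, ok ? "allowed: " + resolved : "rejected");
        }
        Console.WriteLine("width=4000 ok? " + DimensionOk("4000", MaxWidth));
        Console.WriteLine("height=300 ok? " + DimensionOk("300", MaxHeight));
    }
}
```

In a handler, reject the request when either method returns false and only open the file at the path returned by TryResolveWithinBase.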
Thank you. We have a couple of ImageGen Pro licenses (tamtam), I read about those features in the documentation. So I will be sure to use those features in the future.