Fix potential DoS vulnerability in ImageProxy
authorTim Düsterhus <duesterhus@woltlab.com>
Thu, 29 Sep 2016 12:29:50 +0000 (14:29 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Thu, 29 Sep 2016 12:30:47 +0000 (14:30 +0200)
wcfsetup/install/files/lib/action/ImageProxyAction.class.php

index 7fbc7f3f61b595b8f5a56803ee74b30ce95f1f27..b1c7250a549e773e8277bdb6c96775b3b1f971e6 100644 (file)
@@ -61,7 +61,9 @@ class ImageProxyAction extends AbstractAction {
                                try {
                                        // download image
                                        try {
-                                               $request = new HTTPRequest($url);
+                                               $request = new HTTPRequest($url, [
+                                                       'maxLength' => 10 * (1 << 20) // download at most 10 MiB
+                                               ]);
                                                $request->execute();
                                        }
                                        catch (SystemException $e) {
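Review bot: The `maxLength` option added to the `new HTTPRequest($url, [...])` call caps the download, but nothing in this hunk shows how an oversized response is reported. If `HTTPRequest` raises a `SystemException` at the limit, the existing `catch (SystemException $e)` handles it. If it stops reading and returns the partial body instead, the code after `$request->execute()` would treat a truncated file as a complete image. It would help to confirm which of the two applies and record it next to the option, for example `// download at most 10 MiB; larger responses are rejected, not truncated`, adjusted to the actual behaviour. The enclosing `try` blocks start and end outside the hunk, so how the reply is consumed is not visible here.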