From: Tim Düsterhus
Date: Fri, 7 Aug 2015 23:16:38 +0000 (+0200)
Subject: Guard against possible DoS attack in image proxy
X-Git-Tag: 3.0.0_Beta_1~2140
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e7566924dc54c05d989c5239b418ab27ea02825e;p=GitHub%2FWoltLab%2FWCF.git

Guard against possible DoS attack in image proxy
---

diff --git a/wcfsetup/install/files/lib/action/ImageProxyAction.class.php b/wcfsetup/install/files/lib/action/ImageProxyAction.class.php
index f8a2d089ef..7c31ac2355 100644
--- a/wcfsetup/install/files/lib/action/ImageProxyAction.class.php
+++ b/wcfsetup/install/files/lib/action/ImageProxyAction.class.php
@@ -46,29 +46,32 @@ class ImageProxyAction extends AbstractAction {
 $fileName = sha1($this->key);
- $request = new HTTPRequest($url);
- $request->execute();
- $image = $request->getReply()['body'];
-
- // check if image is linked
- // TODO: handle SVGs
- $imageData = getimagesizefromstring($image);
- if (!$imageData) {
- throw new IllegalLinkException();
- }
-
- // save image
+ // prepare path
 $fileExtension = pathinfo($url, PATHINFO_EXTENSION);
 $fileLocation = WCF_DIR.'images/proxy/'.substr($fileName, 0, 2).'/'.$fileName.($fileExtension ? '.'.$fileExtension : '');
 $dir = dirname($fileLocation);
 if (!@file_exists($dir)) {
 FileUtil::makePath($dir, 0777);
 }
- file_put_contents($fileLocation, $image);
-
- // update mtime for correct expiration calculation
- @touch($fileLocation);
+ // download image
+ if (!file_exists($fileLocation)) {
+ $request = new HTTPRequest($url);
+ $request->execute();
+ $image = $request->getReply()['body'];
+
+ // check if image is linked
+ // TODO: handle SVGs
+ $imageData = getimagesizefromstring($image);
+ if (!$imageData) {
+ throw new IllegalLinkException();
+ }
+
+ file_put_contents($fileLocation, $image);
+
+ // update mtime for correct expiration calculation
+ @touch($fileLocation);
+ }
 $this->executed();
 @header('Content-Type: '.$imageData['mime']);
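Review bot: On a cache hit `$imageData` is never assigned: `getimagesizefromstring()` now runs only inside the new `if (!file_exists($fileLocation))` block, but the unchanged `@header('Content-Type: '.$imageData['mime']);` after it still reads the variable, so an already-cached image would be answered with an empty Content-Type while `@` hides the notice. Fill it on the cached path too, for example `else { $imageData = getimagesize($fileLocation); }` followed by the same `if (!$imageData) throw new IllegalLinkException();` check. Because cached files are now reused without re-validation, it also seems worth deriving the stored extension from the detected image type rather than from `pathinfo($url, PATHINFO_EXTENSION)`, in case `images/proxy/` is served directly by the web server. The enclosing method begins and ends outside this hunk, so how the response body is sent is not visible here.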