phpBB3 - PHPBB3-8672

No file size limit in getimagesize() and remote upload

    Details

    • Type: Improvement
    • Status: Patch Awaiting Review
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.2.0-a1
    • Component/s: Other
    • Labels: None
    • Environment: PHP Environment: 5.2.9; Database: (not given)

      Description

      phpBB uses getimagesize() to get image dimensions when setting an off-site avatar or when using [img] if image size limits are enabled.

      If you set http://noc.gts.pl/100mb.gts?.gif as an avatar, the server will download a huge file.

      It is possible to limit the size:

      function getimagesize_limit($url, $limit)
      {
          global $phpbb_root_path;

          // Download at most $limit bytes into a temporary file, then let
          // getimagesize() inspect the bounded local copy instead of the URL.
          $tmpfilename = tempnam($phpbb_root_path . 'store/', unique_id() . '-');
          $fp = @fopen($url, 'rb');
          if (!$fp)
          {
              unlink($tmpfilename);
              return false;
          }
          $tmpfile = fopen($tmpfilename, 'wb');
          $size = 0;
          while (!feof($fp) && $size < $limit)
          {
              $content = fread($fp, 8192);
              if ($content === false || $content === '')
              {
                  break;
              }
              // Count the bytes actually read; a short read must not be
              // charged as a full 8192-byte chunk.
              $size += strlen($content);
              fwrite($tmpfile, $content);
          }
          fclose($fp);
          fclose($tmpfile);

          $is = getimagesize($tmpfilename);
          unlink($tmpfilename);
          return $is;
      }

      The size of remote uploads should also be limited. The function uses fsockopen, so it's very easy to add a size limit.
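      As an added example (not phpBB's code and not the reporter's patch), the following shows the same idea carried through with both a byte budget and timeouts: a stream-based fetch that stops reading once the budget is exceeded, a curl variant that aborts the transfer from a progress callback, and a wrapper that runs getimagesize() only on the bounded local copy. It assumes PHP 5.5 or later, a writable system temp directory, and the curl extension for the curl path; the helper names fetch_bounded_stream, fetch_bounded_curl and getimagesize_limited are hypothetical.

```php
<?php
// Added example, not phpBB code. Assumes PHP 5.5+ and a writable temp dir.

// Read at most $limit bytes of an http(s) URL into a temp file using streams.
// Returns the temp file path, or false on bad scheme, connect/read timeout,
// or when the resource exceeds $limit bytes.
function fetch_bounded_stream($url, $limit, $timeout = 5)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // refuse file://, php://, ftp:// and friends
    }
    $context = stream_context_create(array(
        'http' => array(
            'timeout'         => $timeout, // connect timeout in seconds
            'follow_location' => 0,        // no silent redirects elsewhere
        ),
    ));
    $fp = @fopen($url, 'rb', false, $context);
    if (!$fp) {
        return false;
    }
    stream_set_timeout($fp, $timeout);     // per-read timeout on the socket

    $tmp  = tempnam(sys_get_temp_dir(), 'img-');
    $out  = fopen($tmp, 'wb');
    $size = 0;
    $ok   = true;
    while (!feof($fp)) {
        $chunk = fread($fp, 8192);
        if ($chunk === false || $chunk === '') {
            $meta = stream_get_meta_data($fp);
            if (!empty($meta['timed_out'])) {
                $ok = false;               // slow server: give up, do not hang
            }
            break;
        }
        $size += strlen($chunk);           // bytes actually received
        if ($size > $limit) {
            $ok = false;                   // over budget: stop and discard
            break;
        }
        fwrite($out, $chunk);
    }
    fclose($fp);
    fclose($out);
    if (!$ok) {
        unlink($tmp);
        return false;
    }
    return $tmp;
}

// Same contract using curl. CURLOPT_MAXFILESIZE only applies when the server
// sends Content-Length, so a progress callback enforces the budget on the
// bytes actually received (covers chunked responses too).
function fetch_bounded_curl($url, $limit, $timeout = 5)
{
    $tmp = tempnam(sys_get_temp_dir(), 'img-');
    $out = fopen($tmp, 'wb');
    $ch  = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_FILE             => $out,
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION   => false,
        CURLOPT_CONNECTTIMEOUT   => $timeout,
        CURLOPT_TIMEOUT          => $timeout * 4,   // whole-transfer cap
        CURLOPT_MAXFILESIZE      => $limit,
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) use ($limit) {
            return $dlNow > $limit ? 1 : 0;        // non-zero aborts the transfer
        },
    ));
    $ok = (curl_exec($ch) === true);
    curl_close($ch);
    fclose($out);
    if (!$ok) {
        unlink($tmp);
        return false;
    }
    return $tmp;
}

// getimagesize() on a bounded local copy instead of on the remote URL.
function getimagesize_limited($url, $limit)
{
    $tmp = function_exists('curl_init')
        ? fetch_bounded_curl($url, $limit)
        : fetch_bounded_stream($url, $limit);
    if ($tmp === false) {
        return false;
    }
    $info = @getimagesize($tmp);
    unlink($tmp);
    return $info;
}

// Usage: var_dump(getimagesize_limited('https://example.invalid/a.png', 512 * 1024));
```

      The same byte-counting loop carries over to the fsockopen-based remote upload path: count what fread() returns from the socket and abort once the budget is exceeded, rather than trusting a Content-Length header or the buffer size passed to fread().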


          Activity

          bantu Andreas Fischer added a comment -

          It's not really a security issue since you can always send garbage traffic to servers.

          Kostenloses-Forum Kostenloses-Forum added a comment -

          You can submit a list of slow images and reload this page 1000 times, then the server goes down with e.g. mysql: too many connections
          Ok, you really need a curl fallback.

          nickvergessen Joas Schilling added a comment -

          You can also submit any page and do that 1000 times; it will kill the server as well

          Kostenloses-Forum Kostenloses-Forum added a comment -

          Hm, but it is easier when the reloading page takes 1-x minutes.
          What is really missing here are timeouts and limits, or a list of allowed img sites.
          Or even a note in the ACP image height/width description.

          Kostenloses-Forum Kostenloses-Forum added a comment -

          Here are my new functions with curl + fopen support
          https://gist.github.com/gooof/f02271d07462ea91a816
          it fails only sometimes with fopen


            People

            • Assignee: Marc Marc
            • Reporter: michkol michkol [X] (Inactive)
            • Votes: 0
            • Watchers: 4
