
Comments (4)

willnorris commented on July 17, 2024

I got a report a few months ago about a similar issue, but I think it was more performance related. But in any event, there's certainly some optimization to be had by not immediately reading the full remote image into memory here. We could pass an io.Reader to Transform, and probably read out the image dimensions before loading the full image, which would let us put some additional maximum dimension controls in place.

We can leave this open to track that work, but if anyone is actually concerned about the security aspects of this, they should see the above comment about host allow lists and request signatures.

from imageproxy.
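The approach sketched above, reading the dimensions from the header before decoding the full image and enforcing a pixel cap, as an added example in Go. This is not imageproxy's code: `decodeBounded`, `MaxPixels` and `pngHeader` are assumptions of this example, and the 100000x100000 header it constructs is a stand-in for a lottapixel-style input (a few dozen bytes that claim a huge canvas).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/png"
	"io"
)

// MaxPixels caps the decoded size; at 4 bytes per pixel that is ~64 MiB of RAM.
const MaxPixels = 16_000_000
var ErrTooLarge = errors.New("image dimensions exceed MaxPixels")

// decodeBounded reads only the header to learn the dimensions, rejects anything
// over MaxPixels, and only then decodes the full image. Bytes that DecodeConfig
// pulled from r are captured by the TeeReader and replayed for the full decode.
func decodeBounded(r io.Reader) (image.Image, string, error) {
	var seen bytes.Buffer
	cfg, format, err := image.DecodeConfig(io.TeeReader(r, &seen))
	if err != nil {
		return nil, "", err
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > MaxPixels {
		return nil, format, fmt.Errorf("%w: %dx%d", ErrTooLarge, cfg.Width, cfg.Height)
	}
	return image.Decode(io.MultiReader(&seen, r))
}

// pngHeader is a constructed, truncated PNG (signature + IHDR chunk only) that
// claims the given dimensions; the chunk CRC must be valid or png rejects it.
func pngHeader(width, height uint32) []byte {
	chunk := append([]byte("IHDR"), 0, 0, 0, 0, 0, 0, 0, 0, 8, 6, 0, 0, 0) // 8-bit RGBA
	binary.BigEndian.PutUint32(chunk[4:], width)
	binary.BigEndian.PutUint32(chunk[8:], height)
	out := append([]byte("\x89PNG\r\n\x1a\n"), 0, 0, 0, 13) // signature, IHDR length
	out = append(out, chunk...)
	return binary.BigEndian.AppendUint32(out, crc32.ChecksumIEEE(chunk))
}

func main() {
	var small bytes.Buffer // constructed 4x4 PNG: within bounds, decodes fully
	png.Encode(&small, image.NewRGBA(image.Rect(0, 0, 4, 4)))
	_, _, okErr := decodeBounded(&small)
	_, _, bombErr := decodeBounded(bytes.NewReader(pngHeader(100000, 100000)))
	fmt.Println(okErr, "|", bombErr)
}
```

The oversized header is rejected by DecodeConfig's result alone, before any pixel buffer is allocated; an in-bounds but truncated header passes the size check and then fails in the full decode like any other corrupt file.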

willnorris commented on July 17, 2024

Yes, it's true that if you run an open proxy, an attacker could use it to load a malicious image. The proper protection for that is to use host allow lists and/or request signatures so that attackers can't proxy arbitrary URLs.

from imageproxy.

a180285 commented on July 17, 2024

After locally testing the above jpg image using the master branch, I got the following output, no crash yet.

imageproxy listening on localhost:8080
2023/01/02 15:44:58 error transforming image http://127.0.0.1/lottapixel.jpg#200x200: invalid JPEG format: bad Huffman code
2023/01/02 15:45:17 error transforming image http://127.0.0.1/lottapixel.jpg#200x200: invalid JPEG format: bad Huffman code
2023/01/02 15:45:59 error transforming image http://127.0.0.1/lottapixel.jpg#9.999999e+06x999999,fit: invalid JPEG format: bad Huffman code

I have downloaded the lottapixel.jpg (5 KB) from https://hackerone.com/reports/390

Maybe it's already fixed?

from imageproxy.

willnorris commented on July 17, 2024

> Maybe it's already fixed?

It might have been fixed in the upstream image package? I haven't done anything specific in imageproxy for this.

from imageproxy.
