Comments (4)
I got a report a few months ago about a similar issue, but I think it was more performance related. But in any event, there's certainly some optimization to be had by not immediately reading the full remote image into memory here. We could pass an io.Reader to Transform, and probably read out the image dimensions before loading the full image, which would let us put some additional maximum dimension controls in place.
We can leave this open to track that work, but if anyone is actually concerned about the security aspects of this, see the above comment about host allow lists and request signatures.
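The comment above proposes reading the image dimensions before loading the full image so that maximum-dimension controls can be applied. The Go program below is an added example, not imageproxy's own code, showing one way to do that with only the standard library: probe the header with image.DecodeConfig, refuse the image before any pixel buffer is allocated if its declared size exceeds a limit, cap the number of compressed bytes read, and only then run the full decode. The limits, the function names and the crafted header-only PNG (a stand-in for a small file that declares a huge decoded size, like the lottapixel.jpg discussed below) are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/png"
	"io"

	_ "image/jpeg" // register the JPEG decoder alongside PNG
)

// Assumed limits for this example; imageproxy's real settings are not these.
const (
	maxPixels int64 = 4_000_000 // roughly 2000x2000 once decoded
	maxBytes  int64 = 8 << 20   // cap on compressed bytes read from the remote
)

var ErrTooLarge = errors.New("image exceeds configured limits")

// countingReader records how many bytes have been pulled from the source.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// CheckedDecode reads just enough of r to learn the declared dimensions,
// rejects the image before any pixel buffer is allocated if those dimensions
// exceed maxPixels, and only then decodes the full image. Bytes consumed by
// the header probe are captured and replayed so the real decode sees the
// whole stream.
func CheckedDecode(r io.Reader) (image.Image, image.Config, error) {
	src := &countingReader{r: io.LimitReader(r, maxBytes+1)} // +1 lets us detect overrun
	var head bytes.Buffer
	cfg, _, err := image.DecodeConfig(io.TeeReader(src, &head))
	if err != nil {
		return nil, cfg, fmt.Errorf("reading image header: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return nil, cfg, fmt.Errorf("%w: declared %dx%d", ErrTooLarge, cfg.Width, cfg.Height)
	}
	img, _, err := image.Decode(io.MultiReader(bytes.NewReader(head.Bytes()), src))
	if src.n > maxBytes {
		return nil, cfg, fmt.Errorf("%w: more than %d compressed bytes", ErrTooLarge, maxBytes)
	}
	if err != nil {
		return nil, cfg, fmt.Errorf("decoding image: %w", err)
	}
	return img, cfg, nil
}

// HeaderOnlyPNG builds a constructed PNG made of just the signature and an
// IHDR chunk declaring w x h 8-bit RGBA pixels: a few dozen bytes that claim
// an enormous decoded size, which is the shape of a decompression bomb.
func HeaderOnlyPNG(w, h uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], w)
	binary.BigEndian.PutUint32(ihdr[4:], h)
	ihdr[8], ihdr[9] = 8, 6 // bit depth 8, colour type 6 (RGBA); rest stay 0
	chunk := append([]byte("IHDR"), ihdr...)

	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.Write(chunk)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC over type+data
	return buf.Bytes()
}

// SmallPNG encodes a constructed, fully valid w x h image for comparison.
func SmallPNG(w, h int) []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, w, h)))
	return buf.Bytes()
}

// Accepted reports whether data passes the limits, plus its declared size.
func Accepted(data []byte) (ok bool, width, height int) {
	_, cfg, err := CheckedDecode(bytes.NewReader(data))
	return err == nil, cfg.Width, cfg.Height
}

func main() {
	for name, data := range map[string][]byte{
		"small": SmallPNG(16, 16),
		"bomb":  HeaderOnlyPNG(30000, 30000),
	} {
		ok, w, h := Accepted(data)
		fmt.Printf("%-5s %6d bytes, declares %dx%d, accepted=%v\n", name, len(data), w, h, ok)
	}
}
```

The 33-byte header-only file is rejected on its declared 30000x30000 size without ever reaching image.Decode, which is the point of probing first: the cost of the check is a few kilobytes of buffering rather than the gigabytes a full decode would allocate.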
Yes, it's true that if you run an open proxy, an attacker could use it to load a malicious image. The proper protection for that is to use host allow lists and/or request signatures so that attackers can't proxy arbitrary URLs.
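The two controls named above, a host allow list and request signatures, are shown together in the added Go example below. It is illustration code written for this page, not imageproxy's implementation: the wildcard syntax, the HMAC-SHA256-over-URL signature format and the type and function names are assumptions, so an existing deployment should follow the project's own documentation rather than this sketch. The point it demonstrates is that both checks run before any network request is made, so an open-proxy abuser is refused before the proxy ever fetches anything.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var (
	ErrHostNotAllowed = errors.New("remote host not in allow list")
	ErrBadSignature   = errors.New("request signature missing or invalid")
)

// Policy holds the two controls. Each is optional; a request must satisfy
// every control that is configured. With neither set the proxy is open.
type Policy struct {
	AllowedHosts []string // exact hosts or "*.example.com" wildcards (assumed syntax)
	SigningKey   []byte   // HMAC-SHA256 key shared with trusted callers; nil disables
}

// hostAllowed matches the remote URL's host against the allow list.
func (p Policy) hostAllowed(host string) bool {
	host = strings.ToLower(host)
	for _, pattern := range p.AllowedHosts {
		pattern = strings.ToLower(pattern)
		switch {
		case host == pattern:
			return true
		case strings.HasPrefix(pattern, "*.") && strings.HasSuffix(host, pattern[1:]):
			return true
		}
	}
	return false
}

// Sign is what a trusted caller (your own site) computes when it builds a
// proxy link; anyone without the key cannot produce a valid value.
func Sign(key []byte, remoteURL string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(remoteURL))
	return base64.URLEncoding.EncodeToString(mac.Sum(nil))
}

// Authorize decides whether the proxy may fetch remoteURL. The checks are
// cheap string and MAC operations and happen before any outbound request.
func (p Policy) Authorize(remoteURL, signature string) error {
	u, err := url.Parse(remoteURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("invalid remote URL %q", remoteURL)
	}
	if len(p.AllowedHosts) > 0 && !p.hostAllowed(u.Hostname()) {
		return fmt.Errorf("%w: %s", ErrHostNotAllowed, u.Hostname())
	}
	if p.SigningKey != nil {
		// hmac.Equal compares in constant time so a forger learns nothing
		// from how long a mismatch takes to be reported.
		if !hmac.Equal([]byte(Sign(p.SigningKey, remoteURL)), []byte(signature)) {
			return ErrBadSignature
		}
	}
	return nil
}

func main() {
	key := []byte("constructed-example-key") // placeholder, not a real secret
	p := Policy{AllowedHosts: []string{"images.example.com", "*.cdn.example.net"}, SigningKey: key}
	for _, remote := range []string{
		"https://images.example.com/photo.jpg",
		"https://a.cdn.example.net/photo.png",
		"http://127.0.0.1/lottapixel.jpg",
	} {
		fmt.Printf("%-40s signed: %v  unsigned: %v\n",
			remote, p.Authorize(remote, Sign(key, remote)), p.Authorize(remote, ""))
	}
}
```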
After locally testing the above jpg image using the master branch, I got the following output, no crash yet.
imageproxy listening on localhost:8080
2023/01/02 15:44:58 error transforming image http://127.0.0.1/lottapixel.jpg#200x200: invalid JPEG format: bad Huffman code
2023/01/02 15:45:17 error transforming image http://127.0.0.1/lottapixel.jpg#200x200: invalid JPEG format: bad Huffman code
2023/01/02 15:45:59 error transforming image http://127.0.0.1/lottapixel.jpg#9.999999e+06x999999,fit: invalid JPEG format: bad Huffman code
I have downloaded the lottapixel.jpg (5 KB) from https://hackerone.com/reports/390
Maybe it's already fixed?
Maybe it's already fixed?
It might have been fixed in the upstream image package? I haven't done anything specific in imageproxy for this.