Decompression exploit check #404
Merged
This patch breaks the test suite.

Indeed, the zero value for the flag I added was being used as a default. All good now, thanks.

@h2non Sorry for the ping, but I feel like this is important enough that it deserves a bit more attention.
wslaghekke added a commit to recognizegroup/imaginary that referenced this pull request on Feb 1, 2023:
* Fixed Timeout in readme, 30 ~> 60 (h2non#340)
* Fix invalid parameters "-path-prefix" (h2non#344)
* fix: small errors in docs (h2non#346)
* fix: use proper formatter for usage template (h2non#347)
  Co-authored-by: Mads Moeller <madsmm@gmail.com>
* Add Cloud Run Button (h2non#362)
* Delete app.json
* Update README.md
* Update README.md
* updated docker builder OS to go version 1.17 (h2non#371)
* fix(readme): remove gocard obsolete badge
* feat(readme): update placeholder description
* fix(readme): update fly deploy tutorial
* fix(docs): allowed-origins examples h2non#333
* memory leak issue fixed with jemalloc (h2non#381)
* exposed palette from GET endpoints (h2non#380)
* Updated Dockerfile (h2non#384)
  1. Changed base image to bullseye
  2. The updated base image contains an updated version of libjemalloc too, so building from source is no longer necessary
  3. Updated libvips version too
* Added dev container (h2non#385)
* Added dev container
* Removed irrelevant lines
* allow speed from get (h2non#383)
* allow speed from get
* updating the version to use effort param in libvips
* Return width and height of the generated images (h2non#382)
* Return width and height of the generated images
  Use case: When using the fit image transformation, it is helpful to know the size of the resulting image without having to either read the image locally or do another request to the info endpoint.
  Used in: nextcloud/server#24166
  Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Make mimetype support always return true
* Add command line option to enable this feature
  Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* refactor: remove deprecated X- prefix in response headers
  Co-authored-by: Tom <tomas@aparicio.me>
* Decompression exploit check (h2non#404)
* Bump bimg version to 1.1.7
* Add decompression bomb exploit check
* Update README with new flag
* Fix tests
* Fix typos (h2non#405)
  Found via `codespell -S .git`.

---------
Co-authored-by: Julian <2564520+judomu@users.noreply.github.com>
Co-authored-by: liuxu <i@liuxu.me>
Co-authored-by: 0xflotus <0xflotus@gmail.com>
Co-authored-by: Mads Moeller <mmoeller@users.noreply.github.com>
Co-authored-by: Mads Moeller <madsmm@gmail.com>
Co-authored-by: James Ward <james@jamesward.com>
Co-authored-by: Angelo Girardi <angelo.girardi@goat.com>
Co-authored-by: Tom <tomas@aparicio.me>
Co-authored-by: Vaibhav Sharma <vaib.sharma44@gmail.com>
Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: Vaibhav Sharma <vaibhavsharma.v@udaan.com>
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Co-authored-by: SeaaaaaSharp <98841125+SeaaaaaSharp@users.noreply.github.com>
Co-authored-by: Kian-Meng Ang <kianmeng.ang@gmail.com>
suntong pushed a commit to suntong/imaginary that referenced this pull request on Nov 28, 2023:

* Bump bimg version to 1.1.7
* Add decompression bomb exploit check
* Update README with new flag
* Fix tests
gkmw pushed a commit to gkmw/imaginary that referenced this pull request on Jun 19, 2024:

* Bump bimg version to 1.1.7
* Add decompression bomb exploit check
* Update README with new flag
* Fix tests
This adds the -max-allowed-resolution flag option to the application, useful for preventing the aforementioned exploit. I've also run gofmt and bumped the bimg version as the build was failing.
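One way to implement the kind of check this PR describes, as an added Go example that is not imaginary's own code: it reads only the image header with the standard library (no pixel data is decoded), rejects images whose declared resolution exceeds a limit, and constructs a 33-byte PNG header that declares 400 megapixels to show why a header-level check matters. The megapixel unit, the function names and the constructed sample are assumptions for this example, not the flag's actual specification.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/png" // registers the PNG header parser used by image.DecodeConfig
	"io"
)

var errTooLarge = errors.New("image resolution exceeds allowed maximum")

// checkResolution reads only the image header (no pixel data is decoded) and
// rejects any image whose declared width*height exceeds maxMegapixels.
// The megapixel unit is an assumption for this example, not imaginary's flag spec.
func checkResolution(r io.Reader, maxMegapixels float64) (image.Config, error) {
	cfg, _, err := image.DecodeConfig(r)
	if err != nil {
		return cfg, err
	}
	mp := float64(cfg.Width) * float64(cfg.Height) / 1e6 // float: no int overflow on absurd headers
	if mp > maxMegapixels {
		return cfg, fmt.Errorf("%w: %dx%d is %.1f MP, limit %.1f MP", errTooLarge, cfg.Width, cfg.Height, mp, maxMegapixels)
	}
	return cfg, nil
}

// bombHeader builds a constructed PNG prefix (signature + IHDR chunk only): 33 bytes
// that declare width x height pixels, the shape of a decompression bomb. It is all
// DecodeConfig needs, since it stops after IHDR for non-palette images.
func bombHeader(width, height uint32) []byte {
	ihdr := make([]byte, 17)
	copy(ihdr, "IHDR")
	binary.BigEndian.PutUint32(ihdr[4:], width)
	binary.BigEndian.PutUint32(ihdr[8:], height)
	ihdr[12], ihdr[13] = 8, 2 // 8-bit depth, RGB; compression/filter/interlace stay 0
	var b bytes.Buffer
	b.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	binary.Write(&b, binary.BigEndian, uint32(13))               // IHDR data length
	b.Write(ihdr)                                                 // chunk type + data
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(ihdr)) // CRC covers type + data
	return b.Bytes()
}

func main() {
	_, err := checkResolution(bytes.NewReader(bombHeader(20000, 20000)), 50)
	fmt.Println("400 MP header rejected:", errors.Is(err, errTooLarge))
}
```

Running the same check after a full decode would defeat the purpose; the limit has to be enforced on the header before any pixel buffer is allocated.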