From 7f6f7e0e9ff608618e5b144bcf18d279610aa3ed Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 15 Jan 2024 16:34:47 +0100 Subject: [PATCH] [Web] limit logo file upload --- data/web/inc/functions.customize.inc.php | 18 ++++++++++++++++++ data/web/inc/vars.inc.php | 9 +++++++++ data/web/lang/lang.de-de.json | 2 ++ data/web/lang/lang.en-gb.json | 2 ++ 4 files changed, 31 insertions(+) diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php index 0da8c3563b..b729235733 100644 --- a/data/web/inc/functions.customize.inc.php +++ b/data/web/inc/functions.customize.inc.php @@ -2,6 +2,7 @@ function customize($_action, $_item, $_data = null) { global $redis; global $lang; + global $LOGO_LIMITS; switch ($_action) { case 'add': @@ -35,6 +36,23 @@ function customize($_action, $_item, $_data = null) { ); return false; } + if ($_data[$_item]['size'] > $LOGO_LIMITS['max_size']) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_item, $_data), + 'msg' => 'img_size_exceeded' + ); + return false; + } + list($width, $height) = getimagesize($_data[$_item]['tmp_name']); + if ($width > $LOGO_LIMITS['max_width'] || $height > $LOGO_LIMITS['max_height']) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_item, $_data), + 'msg' => 'img_dimensions_exceeded' + ); + return false; + } $image = new Imagick($_data[$_item]['tmp_name']); if ($image->valid() !== true) { $_SESSION['return'][] = array( diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index 5578dfd3c5..afc801e44d 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php 
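Review bot: In the second customize() hunk, `list($width, $height) = getimagesize($_data[$_item]['tmp_name']);` fails open when getimagesize() returns false (unreadable file or a format it does not understand, such as SVG, which Imagick may still parse): `$width` and `$height` become null, `null > $LOGO_LIMITS['max_width']` is false, and the file reaches `new Imagick(...)` with no dimension bound at all. The guard should fail closed, e.g. `$dims = getimagesize($_data[$_item]['tmp_name']);` then `if ($dims === false || $dims[0] > $LOGO_LIMITS['max_width'] || $dims[1] > $LOGO_LIMITS['max_height']) {` with the existing img_dimensions_exceeded return. Note also that only the header-declared canvas is bounded; a multi-frame GIF within 1920x1920 still has Imagick decode every frame, so pairing the check with `Imagick::setResourceLimit()` for memory/width/height before constructing the object, or checking `$image->getNumberImages()` afterwards, would close that gap. The function's opening and the rest of its body lie outside the hunk, so whether a later step flattens or re-encodes the image cannot be confirmed from here.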
@@ -126,6 +126,15 @@ ) ); +// Logo max file size in bytes +$LOGO_LIMITS['max_size'] = 15 * 1024 * 1024; // 15MB + +// Logo max width in pixels +$LOGO_LIMITS['max_width'] = 1920; + +// Logo max height in pixels +$LOGO_LIMITS['max_height'] = 1920; + // Rows until pagination begins $PAGINATION_SIZE = 25; diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json index 3efd5afa01..ddadfac630 100644 --- a/data/web/lang/lang.de-de.json +++ b/data/web/lang/lang.de-de.json @@ -394,7 +394,9 @@ "goto_invalid": "Ziel-Adresse %s ist ungültig", "ham_learn_error": "Ham Lernfehler: %s", "imagick_exception": "Fataler Bildverarbeitungsfehler", + "img_dimensions_exceeded": "Grafik überschreitet die maximale Bildgröße", "img_invalid": "Grafik konnte nicht validiert werden", + "img_size_exceeded": "Grafik überschreitet die maximale Dateigröße", "img_tmp_missing": "Grafik konnte nicht validiert werden: Erstellung temporärer Datei fehlgeschlagen.", "invalid_bcc_map_type": "Ungültiger BCC-Map-Typ", "invalid_destination": "Ziel-Format \"%s\" ist ungültig", diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json index 58ad666552..ec97d0aef4 100644 --- a/data/web/lang/lang.en-gb.json +++ b/data/web/lang/lang.en-gb.json @@ -394,7 +394,9 @@ "goto_invalid": "Goto address %s is invalid", "ham_learn_error": "Ham learn error: %s", "imagick_exception": "Error: Imagick exception while reading image", + "img_dimensions_exceeded": "Image exceeds the maximum image size", "img_invalid": "Cannot validate image file", + "img_size_exceeded": "Image exceeds the maximum file size", "img_tmp_missing": "Cannot validate image file: Temporary file not found", "invalid_bcc_map_type": "Invalid BCC map type", "invalid_destination": "Destination format \"%s\" is invalid",
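Review bot: In the vars.inc.php hunk, the 15 MB `$LOGO_LIMITS['max_size']` is only effective if PHP's `upload_max_filesize` and `post_max_size` admit a POST of that size; a larger file is rejected by PHP before customize() ever runs, and a smaller ini limit makes this constant dead, so the comment should state which bound is authoritative, e.g. `// Logo max file size in bytes (effective limit is min(this, upload_max_filesize / post_max_size))`. As a point of style, the three keys are built up by separate assignments on an undeclared variable; one literal, `$LOGO_LIMITS = array('max_size' => 15 * 1024 * 1024, 'max_width' => 1920, 'max_height' => 1920);`, matches the `array(` form the surrounding context lines suggest this file uses and keeps the limits readable as a single unit.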