[opencms-dev] DOS attacks made possible by image scaling?
Claus Priisholm
cpr at codedroids.com
Thu Jun 11 20:39:31 CEST 2009
Great - I've just looked at code (haven't tested it), seems to be doing
pretty much what is needed! Nice touch with the name-less parameters,
makes backward compatibility even easier.
Maybe I would add a log statement in case a scaling request gets
rejected because of an "unknown" scale parameter - this way I can be
lazy and just watch the log file to see if I have forgotten to allow some
parameters for a given site...
Mika Salminen wrote:
> Hi,
>
> I created a POC implementation of specifying the allowed scaling
> parameters based on Claus' suggestion.
>
> Restrictions are enabled by putting
> <param name="image.scaling.restricted">true</param>
> to opencms-vfs.xml
>
> If restrictions are disabled the system should work as before.
>
> If enabled, when CmsImageLoader loads the resource and user has
> requested it to be scaled, it first checks if the requested scaling
> parameter sequence is allowed. Allowing some parameter sequence is made
> in resource's or its parent's properties (you can make the allowance for
> a whole folder at once). The parameter sequence can also be given some name.
>
> The resource property that needs to be defined to allow some scaling is
> named image.scaling.restriction. Its format is as follows:
>
> w:600,h:600;thumbnail=w:50,h:50
>
> This property value defines that scale parameter "w:600,h:600" is
> allowed and also that scale parameter "thumbnail" is allowed and it
> actually returns scaled image with parameters "w:50,h:50". So the
> individual rules are separated by ";" and parameter sequence names and
> their values with "=".
>
> A diff against 7.0.5 is included so you can patch and try it. Probably
> there are bugs and missing things but I think that at least the
> implementation is quite simple. I haven't tested it a lot, just tried it
> with a few test cases manually.
>
> A few things to know about the implementation:
> - I haven't put the new member parameter m_restricted of CmsImageLoader
> in every place it possibly belongs.
> - Order of scale parameters is significant (w:600,h:600 is different from
> h:600,w:600)
> - I haven't done anything on the JSP side, for example to allow cms:img to use
> named parameter sequences
>
> Comments/Problems?
>
> -Mika
>
> 2009/6/10 Claus Priisholm <cpr at codedroids.com <mailto:cpr at codedroids.com>>
>
> It would probably be easier to do it this way, i.e. "manually" tell
> OpenCms what parameters are acceptable rather than somehow detect
> whether a certain parameter is actually used somewhere in a JSP or it is
> just something a hacker has requested.
>
> For backward compatibility one could just treat the parameter string as
> the key, then one would of course have to define the actual "class"
> parameters under a name like the original parameter string rather than
> something like "thumbnail-profile" (over time it would of course be a
> better practice to use meaningful names, but hey, who am I to say that
> "w:800,h:600,t:0,c:c0c0c0" is not meaningful :-)
>
> And if it was controllable through the configuration whether or not to
> use the "indirection" of scaling parameters then all options are open
> for existing sites that are willing to do a bit of gambling.
>
--
Claus Priisholm, CodeDroids ApS
Phone: +45 48 22 46 46
cpr (you know what) codedroids.com - http://www.codedroids.com
cpr (you know what) interlet.dk - http://www.interlet.dk
--
Javadocs and other OpenCms stuff:
http://www.codedroids.com/community/opencms
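To make the proposed property format concrete, here is an added example (not Mika's patch and not OpenCms code) that parses an image.scaling.restriction value such as "w:600,h:600;thumbnail=w:50,h:50", looks the property up on the resource or its nearest parent folder, and decides whether a requested scale parameter string is allowed, resolving a named sequence to its real parameters. The property dictionary, paths and function names are assumptions for the example; parameter order is treated as significant, as in the proposal.

```python
# Added example, not OpenCms code: checks a scaling request against the
# proposed image.scaling.restriction property format.

def parse_restriction(value):
    """Map each allowed request string to the scale parameters actually applied.

    Rules are separated by ";". A rule "name=params" allows "name" and returns
    "params"; a bare rule "params" allows exactly that string.
    """
    allowed = {}
    for rule in value.split(";"):
        rule = rule.strip()
        if not rule:
            continue  # tolerate a trailing ";" or doubled separators
        if "=" in rule:
            name, params = rule.split("=", 1)
            allowed[name.strip()] = params.strip()
        else:
            allowed[rule] = rule
    return allowed


def find_restriction(path, properties):
    """Return the property set on the resource or its nearest parent folder.

    `properties` is a constructed stand-in for VFS properties: path -> value.
    """
    while path:
        value = properties.get(path)
        if value is not None:
            return value
        path = path.rsplit("/", 1)[0]  # walk up one folder level
    return properties.get("/")


def check_request(path, requested, properties, restricted=True):
    """Return the scale parameters to apply, or None if the request is rejected.

    With `restricted` False the request passes through unchanged, which is the
    proposal's "work as before" behaviour.
    """
    if not restricted:
        return requested
    restriction = find_restriction(path, properties) or ""
    result = parse_restriction(restriction).get(requested)
    if result is None:
        # the rejection log line suggested in the reply would go here
        print(f"scaling rejected for {path}: unknown parameter {requested!r}")
    return result
```

Because the lookup is an exact string match, "h:600,w:600" is rejected even though "w:600,h:600" is allowed.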