[opencms-dev] Thumbnail images

Roman Uhlig Maxity.de roman.uhlig at maxity.de
Fri Oct 2 12:13:49 CEST 2009


 
Regarding DoS attacks: How do you actually prevent OpenCms from thumbnailing images at all? I always thought it's possible to call any OpenCms based image resource with scaling parameters.

Roman

-----Original Message-----
From: opencms-dev-bounces at opencms.org [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Paul-Inge Flakstad
Sent: Friday, 2 October 2009 11:59
To: The OpenCms mailing list
Subject: Re: [opencms-dev] Thumbnail images

Hi Claus

That advantage is one reason why I've been clinging on to the custom routine. I tried employing an Offline-user for generating thumbnails, pending a request from the Online project. It worked, but I thought it wasn't a fantastic idea to keep the username and password stored in the code.

Now, the publish list is worse. I tried to hack it at one time, but somehow I got the impression that I was doing something illegal... :) So instead I turned to custom relations, which appeared to be a better approach; I define a strong relation between an original image and its generated thumbnail. This works - publishing the original "with related resources" gets its thumbnail published, and from an event listener I could implement deletion, since I can get hold of a thumbnail via the original, using the relation. (There are of course many other things one could also implement here, and possibly every event that occurs on the original should also be applied to the thumbnail.)

Actually, I believe I could probably get things working OK with some vital fixes. But I'm wondering; is the solution good enough to justify the extra efforts? Would it f.ex. be better to modify OpenCms so that only pre-defined image dimensions are allowed, like suggested earlier when discussing DoS attacks? What do you think? And how are you (and others) handling thumbnails?

Many thanks for your comments, I really appreciate it! :)

All the best,
Paul

> -----Original Message-----
> From: opencms-dev-bounces at opencms.org 
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Claus Priisholm
> Sent: 2 October 2009 09:37
> To: The OpenCms mailing list
> Subject: Re: [opencms-dev] Thumbnail images
> 
> The advantage of your current approach is that there is no issue with
> DoS attacks, since it all is controlled from within your template. You
> could probably make your template approach work with "Online" users as
> well if you keep a handle to an Offline-user somewhere, you would of
> course have to publish on the fly as well.
> 
> I agree that it is better to do it during the publish phase, as it
> allows you a better life time management, i.e. delete a thumbnail when
> the original image is removed and so forth.
> Only thing is that in order to manipulate the list of resources being
> published, you need to hack your way around the fact that the
> CmsPublishList.add() is defined as protected. I am not sure why, I have
> yet to see any ill effects of adding resources during the pre-publish
> event phase, but maybe I've just been lucky so be careful - you are
> going against the intention of the API.
> 
> Best regards
> Claus
> 
> Paul-Inge Flakstad wrote:
> > Hi Roman
> > 
> > Thanks for replying. :) It's reassuring to hear that OpenCms' native
> > scaling does the trick for you. I suspect you've got a little more
> > memory than we do, though - we had trouble with images smaller than
> > 1 MB... (Many of our servers are running on VMware, where memory is
> > limited.)
> > 
> > Re-visiting this topic, I remembered a very interesting post from a
> > while back:
> > http://mail.opencms.org/pipermail/opencms-dev/2009q2/032196.html
> > - it's about OpenCms' native image scaling enabling DOS attacks.
> > 
> > Does anyone know if Alkacon ever did anything to remedy this? (I
> > really liked the ideas of Sebastian & Claus, and Mika's
> > implementation.)
> > 
> > Imagemagick I haven't heard of, but I might look into it if OpenCms'
> > own API proves insufficient. Thanks for mentioning it.
> > 
> > About improving our routines for image generation: what I had in mind
> > was actually exactly what you're suggesting - moving stuff out of the
> > templates and into an event listener. That's the way it should've
> > been from the start. I even tried it once, but eventually had to give
> > up (it was my first action class for OpenCms, I ran into some
> > problems). But it's only relevant if we decide to keep generating our
> > image versions this way...and right now I'm leaning towards ditching
> > the whole thing and just use OpenCms' native capabilities.
> > 
> > Again, thanks for sharing your experiences and ideas! :)
> > 
> > Cheers,
> > Paul
> > 
> >> -----Original Message-----
> >> From: opencms-dev-bounces at opencms.org 
> >> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Roman 
> >> Uhlig Maxity.de
> >> Sent: 1 October 2009 17:01
> >> To: The OpenCms mailing list
> >> Subject: Re: [opencms-dev] Thumbnail images
> >>
> >>
> >> Hi Paul,
> >>
> >> beside other minor use cases we are running a press service 
> >> module, which uses native OpenCms image scaling for 
> >> generating thumbnails of images up to 15 MB (pre-press). Up 
> >> to now we never had any issues with it. Unless you need very 
> >> special image scaling features, the native approach should be fine.
> >>
> >> On the other hand, you could use Imagemagick's Java API. We 
> >> have some non-OpenCms Java web applications where we use it. 
> >> It's quite easy and fun to use and offers a lot of features.
> >>
> >> Regarding the integration into the OpenCms workflow: I think 
> >> there are several approaches. The one that comes to my mind 
> >> first is hooking a suitable OpenCms event and doing the 
> >> generation there instead of praying that editors behave 
> >> correctly (which will never happen I can tell). ;)
> >>
> >> Best regards,
> >> Roman
> >>
> >>
> >> -----Original Message-----
> >> From: opencms-dev-bounces at opencms.org 
> >> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of 
> >> Paul-Inge Flakstad
> >> Sent: Thursday, 1 October 2009 16:40
> >> To: The OpenCms mailing list
> >> Subject: [opencms-dev] Thumbnail images
> >>
> >> Hi list
> >>
> >> Just wanted to talk some basics! :) -I'm wondering how you 
> >> handle your images, and in particular: your thumbnails.
> >>
> >> I am of course aware of the native image scaling feature 
> >> provided by OpenCms, but somewhere along the line we decided 
> >> upon "more control" (which we later discovered can be 
> >> translated to "more messy"). We implemented a routine that 
> >> keeps thumbnail files in the VFS, in sub-folders of 
> >> "imagegallery" folders. 
> >>
> >> This is working OK..ish... -Editors sometimes forget to view 
> >> the page they attached an image to before publishing. 
> >> Whenever that happens, attempting to access the published page 
> >> online will produce an error. (The thumbnail is created via 
> >> the template, so no thumbnails of images for that page exist 
> >> prior to the very first pageview.) Not to mention that there 
> >> are a lot more files to handle.
> >>
> >> So, although the idea sounded good at the time, I'm not 
> >> satisfied with our current solution.
> >>
> >> I have a couple of (obvious) choices:
> >> 1.) Greatly improve routines for thumbnail generation / publishing
> >> 2.) Fallback to using OpenCms' native image handling capabilities
> >>
> >> Do any of you guys handle thumbnail / images in ways I 
> >> haven't thought of? 
> >>
> >> To those of you who are using OpenCms' parameter-based 
> >> scaling for thumbnails: how is that working? -We had a lot of 
> >> OOM exceptions when we used it, which is one reason we 
> >> created the custom routines for thumbnail handling (we wanted 
> >> more control over garbage collection).
> >>
> >> Hope some of you are willing to share! :)
> >>
> >> Cheers,
> >> Paul
> >>
> >>
> >> _______________________________________________
> >> This mail is sent to you from the opencms-dev mailing list
> >> To change your list options, or to unsubscribe from the list, 
> >> please visit
> >> http://lists.opencms.org/mailman/listinfo/opencms-dev
> 
> -- 
> Claus Priisholm, CodeDroids ApS
> Phone: +45 48 22 46 46
> cpr (you know what) codedroids.com - http://www.codedroids.com
> cpr (you know what) interlet.dk - http://www.interlet.dk
> -- 
> Javadocs and other OpenCms stuff: 
> http://www.codedroids.com/community/opencms
> 
> 
> 
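
The restriction raised in the thread (only pre-defined image dimensions are allowed) can be enforced in front of the scaler with a servlet filter. The following is an added example, not part of the thread and not OpenCms code; the `__scale` parameter name and its `w:`/`h:` syntax, the class name `ScaleAllowlistFilter` and the size list are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: only allowlisted thumbnail sizes reach the image scaler. */
public class ScaleAllowlistFilter implements Filter {

    // Assumption: scaling is requested as "__scale=w:120,h:90,t:2" (comma-separated key:value pairs).
    static final String PARAM = "__scale";
    // Constructed allowlist of "WxH" sizes that the site's templates link to (Set.of needs Java 9+).
    static final Set<String> ALLOWED = Set.of("120x90", "240x180", "640x480");

    /** True when the request asks for no scaling, or for exactly one allowlisted size. */
    static boolean isAllowed(String[] values) {
        if (values == null) return true;        // plain image request, nothing is scaled
        if (values.length != 1) return false;   // repeated parameter is ambiguous: reject
        Map<String, String> opts = new HashMap<>();
        for (String token : values[0].split(",")) {
            String[] kv = token.split(":", 2);
            // Reject malformed tokens and duplicate keys, so the size checked here
            // cannot differ from the size a downstream parser would pick.
            if (kv.length != 2 || opts.put(kv[0], kv[1]) != null) return false;
        }
        String w = opts.get("w"), h = opts.get("h");
        if (w == null || h == null || !w.matches("\\d{1,5}") || !h.matches("\\d{1,5}")) return false;
        // parseInt normalises leading zeros ("0120" becomes 120) before the lookup.
        return ALLOWED.contains(Integer.parseInt(w) + "x" + Integer.parseInt(h));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!isAllowed(http.getParameterValues(PARAM))) {
            // Refuse before any image is decoded, so the request costs no heap.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped in `web.xml` so that it runs before the servlet that serves images; with it in place, a request for an unlisted size is answered with 400 instead of triggering a scaling operation.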



