Hi,<br><br>I created a POC implementation of specifying the allowed scaling parameters based on Claus' suggestion.<br><br>Restrictions are enabled by putting<br><param name="image.scaling.restricted">true</param><br>
to opencms-vfs.xml<br><br>If restrictions are disabled the system should work as before.<br><br>If enabled, when CmsImageLoader loads the resource and user has requested it to be scaled, it first checks if the requested scaling parameter sequence is allowed. Allowing some parameter sequence is made in resource's or its parent's properties (you can make the allowance for a whole folder at once). The parameter sequence can also be given some name.<br>
<br>Resource property that needs to be defined to allow some scaling is named: image.scaling.restriction. Its format is like the following:<br><br>w:600,h:600;thumbnail=w:50,h:50<br><br>This property value defines that scale parameter "w:600,h:600" is allowed and also that scale parameter "thumbnail" is allowed and it actually returns a scaled image with parameters "w:50,h:50". So the individual rules are separated by ";" and parameter sequence names and their values with "=".<br>
<br>Diff against 7.0.5 is included so you can patch and try it. Probably there are bugs and missing things but I think that at least the implementation is quite simple. I haven't tested it a lot, just tried it with a few test cases manually.<br>
<br>A few things to know about the implementation: <br>-I haven't put the new member parameter m_restricted of CmsImageLoader in every place it possibly belongs.<br>-Order of scale parameters is significant (w:600,h:600 is different from h:600,w:600)<br>
-I haven't done anything on JSP side for example to allow cms:img to use named parameter sequences<br><br>Comments/Problems?<br><br>-Mika<br><br><div class="gmail_quote">2009/6/10 Claus Priisholm <span dir="ltr"><<a href="mailto:cpr@codedroids.com">cpr@codedroids.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">It would probably be easier to do it this way, i.e. "manually" tell<br>
OpenCms what parameters are acceptable rather than somehow detect<br>
whether a certain parameter is actually used somewhere in a JSP or it is<br>
just something a hacker has requested.<br>
<br>
For backward compatibility one could just treat the parameter string as<br>
the key, then one would of course have to define the actual "class"<br>
parameters under a name like the original parameter string rather than<br>
something like "thumbnail-profile" (over time that would of course be a<br>
better practice to use meaningful names but hey, who am I to say that<br>
"w:800,h:600,t:0,c:c0c0c0" is not meaningful :-)<br>
<br>
And if it was controllable through the configuration whether or not to<br>
use the "indirection" of scaling parameters then all options are open<br>
for existing sites that are willing to do a bit of gambling.<br>
<div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>
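The rule format Mika describes above (rules separated by ";", an optional name bound to a parameter sequence with "=", exact and order-sensitive matching) as an added, self-contained example. This is not code from Mika's patch or from OpenCms; the class name ScalingRestriction, the method names and the flag argument are assumptions made here for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not OpenCms code: parses an image.scaling.restriction
 * property value such as "w:600,h:600;thumbnail=w:50,h:50" and decides
 * which scale parameters (if any) a request may use.
 */
public final class ScalingRestriction {

    // key: literal sequence or rule name -> value: parameters actually applied
    private final Map<String, String> allowed = new LinkedHashMap<>();

    public ScalingRestriction(String propertyValue) {
        if (propertyValue == null) {
            return;
        }
        // individual rules are separated by ";"
        for (String rule : propertyValue.split(";")) {
            rule = rule.trim();
            if (rule.isEmpty()) {
                continue;
            }
            int eq = rule.indexOf('=');
            if (eq < 0) {
                // unnamed rule: the literal sequence is both key and value
                allowed.put(rule, rule);
            } else {
                // named rule: "name=params", the name is what a request may use
                String name = rule.substring(0, eq).trim();
                String params = rule.substring(eq + 1).trim();
                if (!name.isEmpty() && !params.isEmpty()) {
                    allowed.put(name, params);
                }
            }
        }
    }

    /**
     * Returns the scale parameters to apply for the requested sequence or
     * name, or null if the request is not allowed. Matching is an exact
     * string comparison, so "h:600,w:600" does not match "w:600,h:600".
     */
    public String resolve(String requested) {
        if (requested == null) {
            return null;
        }
        return allowed.get(requested.trim());
    }

    /**
     * Mirrors the configuration switch from the mail (assumed signature):
     * with restrictions disabled the request passes through unchanged.
     */
    public static String effectiveParams(boolean restricted, String propertyValue, String requested) {
        if (!restricted) {
            return requested;
        }
        return new ScalingRestriction(propertyValue).resolve(requested);
    }

    public static void main(String[] args) {
        String property = "w:600,h:600;thumbnail=w:50,h:50";
        String[] requests = {"w:600,h:600", "thumbnail", "h:600,w:600", "w:5000,h:5000"};
        for (String req : requests) {
            System.out.println("restricted   " + req + " -> " + effectiveParams(true, property, req));
            System.out.println("unrestricted " + req + " -> " + effectiveParams(false, property, req));
        }
    }
}
```

A null result is the signal for the loader to refuse the scaling request (and, sensibly, to serve the unscaled resource or an error rather than a guessed size). Keeping the comparison exact rather than normalising parameter order follows the note in the mail that order is significant; a later version could canonicalise both sides before lookup if that restriction turns out to be inconvenient.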