Conversation

@bkcsoft bkcsoft (Member) commented Jul 2, 2018

Uploading large files may cause Gitea to crash on OOM. This loads the image header first and checks the sizes before proceeding.

(e.g. a 64250x64250 image becomes 4.1 gigapixels, which would allocate 16GB of RAM in RGBA8888.)

Since this can be used for DoS-attacks we should backport it. Just don't know which version yet 🙂
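One way to implement the header-first check described above, as an added example in Go that is not the PR's own code. The function names, the error value and the constructed test inputs are assumptions; the 4096x3072 limit is the default quoted in the changelog entry for this PR. The point of the example is that image.DecodeConfig parses only the header (a few dozen bytes for PNG, the SOF marker for JPEG), so the dimensions can be bounded before image.Decode allocates a width*height*bytes-per-pixel buffer.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/gif"  // register decoders so image.DecodeConfig sniffs these formats too
	_ "image/jpeg"
	"image/png"
)

// Assumed limits for this example; 4096x3072 is the default the changelog quotes.
const (
	maxAvatarWidth  = 4096
	maxAvatarHeight = 3072
)

var errImageTooLarge = errors.New("avatar: image dimensions exceed limit")

// checkAvatarSize reads only the image header via image.DecodeConfig and
// rejects images whose declared dimensions exceed the limit. No pixel buffer
// is allocated on this path, whatever size the header claims.
func checkAvatarSize(data []byte) (int, int, error) {
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return 0, 0, fmt.Errorf("avatar: unrecognised image: %w", err)
	}
	if cfg.Width > maxAvatarWidth || cfg.Height > maxAvatarHeight {
		return cfg.Width, cfg.Height, fmt.Errorf("%w: %dx%d (max %dx%d)",
			errImageTooLarge, cfg.Width, cfg.Height, maxAvatarWidth, maxAvatarHeight)
	}
	return cfg.Width, cfg.Height, nil
}

// decodeAvatar is the hardened upload path: header check first, and the full
// (allocating) decode only for images that passed it.
func decodeAvatar(data []byte) (image.Image, error) {
	if _, _, err := checkAvatarSize(data); err != nil {
		return nil, err
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// pngHeaderOnly builds a constructed PNG made of the signature and a single
// IHDR chunk (8-bit RGBA) claiming the given dimensions, with no pixel data.
// That is all DecodeConfig needs to report a size, so it stands in for the
// multi-gigapixel upload from the PR description without creating such a file.
func pngHeaderOnly(width, height uint32) []byte {
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 6 // colour type 6 = RGBA; bytes 10..12 (compression, filter, interlace) stay 0
	chunk := append([]byte("IHDR"), ihdr...)
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.Write(chunk)
	// PNG chunk CRC covers the type and data bytes; the decoder verifies it.
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk))
	return buf.Bytes()
}

// smallPNG encodes a real 64x64 RGBA image as constructed sample input.
func smallPNG() []byte {
	var buf bytes.Buffer
	if err := png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 64, 64))); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for name, data := range map[string][]byte{
		"64x64 real PNG":     smallPNG(),
		"64250x64250 header": pngHeaderOnly(64250, 64250),
	} {
		w, h, err := checkAvatarSize(data)
		fmt.Printf("%-20s -> %dx%d err=%v\n", name, w, h, err)
	}
}
```

The dimension gate only bounds the pixel-buffer allocation; a separate cap on the upload's byte size is still needed to bound how much of the request body is read into memory at all. The check costs the same few header bytes regardless of the file size, so it can run before the body is buffered in full.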

@bkcsoft bkcsoft added type/enhancement An improvement of existing functionality topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Jul 2, 2018
@bkcsoft bkcsoft force-pushed the fix-image-dos-attack branch from c90b589 to 296c153 Compare July 2, 2018 21:51
@bkcsoft bkcsoft added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jul 2, 2018
@lafriks lafriks added this to the 1.5.0 milestone Jul 2, 2018
@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 2, 2018
@codecov-io codecov-io commented Jul 2, 2018

Codecov Report

Merging #4353 into master will decrease coverage by <.01%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master    #4353      +/-   ##
==========================================
- Coverage   20.09%   20.09%   -0.01%
==========================================
  Files         153      153
  Lines       30705    30715      +10
==========================================
  Hits         6171     6171
- Misses      23590    23600      +10
  Partials      944      944

Impacted Files      Coverage Δ
models/user.go      22.11% <0%> (-0.22%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 69796dd...cb69ac8.

@lafriks lafriks merged commit cbee921 into master Jul 3, 2018
@lafriks lafriks deleted the fix-image-dos-attack branch July 3, 2018 03:56
@lafriks lafriks added the type/changelog Adds the changelog for a new Gitea version label Jul 3, 2018
aswild added a commit to aswild/gitea that referenced this pull request Jul 6, 2018

* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
  * Do not allow to reuse TOTP passcode (go-gitea#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (go-gitea#3979)
  * Add support for FIDO U2F (go-gitea#3971)
  * Added user language setting (go-gitea#3875)
  * LDAP Public SSH Keys synchronization (go-gitea#1844)
  * Add topic support (go-gitea#3711)
  * Multiple assignees (go-gitea#3705)
  * Add protected branch whitelists for merging (go-gitea#3689)
  * Global code search support (go-gitea#3664)
  * Add label descriptions (go-gitea#3662)
  * Add issue search via API (go-gitea#3612)
  * Add repository setting to enable/disable health checks (go-gitea#3607)
  * Emoji Autocomplete (go-gitea#3433)
  * Implements generator cli for secrets (go-gitea#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (go-gitea#3929)
  * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910)
  * Add option to use paged LDAP search when synchronizing users (go-gitea#3895)
  * Symlink icons (go-gitea#1416)
  * Improve release page UI (go-gitea#3693)
  * Add admin dashboard option to run health checks (go-gitea#3606)
  * Add branch link in branch list (go-gitea#3576)
  * Reduce sql query times in retrieveFeeds (go-gitea#3547)
  * Option to enable or disable swagger endpoints (go-gitea#3502)
  * Add missing licenses (go-gitea#3497)
  * Reduce repo indexer disk usage (go-gitea#3452)
  * Enable caching on assets and avatars (go-gitea#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969)
  * Add Environment Variables to Docker template (go-gitea#4012)
  * LFS: make HTTP auth period configurable (go-gitea#4035)
  * Add config path as an optional flag when changing pass via CLI (go-gitea#4184)
  * Refactor User Settings sections (go-gitea#3900)
  * Allow square brackets in external issue patterns (go-gitea#3408)
  * Add Attachment API (go-gitea#3478)
  * Add EnableTimetracking option to app settings (go-gitea#3719)
  * Add config option to enable or disable log executed SQL (go-gitea#3726)
  * Shows total tracked time in issue and milestone list (go-gitea#3341)
* TRANSLATION
  * Improve English grammar and consistency (go-gitea#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (go-gitea#3961)
  * Provide compressed release binaries (go-gitea#3991)
  * Sign release binaries (go-gitea#4188)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the type/changelog Adds the changelog for a new Gitea version label Oct 7, 2023