
Commit 1aec387

bkcsoftglitch003
authored andcommitted
Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
1 parent c5a466c commit 1aec387


3 files changed

+19
-0
lines changed


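--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -391,6 +391,10 @@ SESSION_LIFE_TIME = 86400
 
 [picture]
 AVATAR_UPLOAD_PATH = data/avatars
+; Max Width and Height of uploaded avatars. This is to limit the amount of RAM
+; used when resizing the image.
+AVATAR_MAX_WIDTH = 4096
+AVATAR_MAX_HEIGHT = 3072
 ; Chinese users can choose "duoshuo"
 ; or a custom avatar source, like: http://cn.gravatar.com/avatar/
 GRAVATAR_SOURCE = gravatar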
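Review bot: The comment above the two new keys explains why the limit exists but not what happens to an upload that exceeds it, and since the Go side of this commit returns an error instead of downscaling, an admin reading only the sample would reasonably assume the image gets resized to fit. Add a line such as `; Uploads wider or taller than these limits are rejected, not resized.` after the existing two comment lines. It is also worth saying that the RAM cost scales with width × height, so raising one knob alone still multiplies the budget.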

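--- a/models/user.go
+++ b/models/user.go
@@ -430,6 +430,17 @@ func (u *User) IsPasswordSet() bool {
 // UploadAvatar saves custom avatar for user.
 // FIXME: split uploads to different subdirs in case we have massive users.
 func (u *User) UploadAvatar(data []byte) error {
+	imgCfg, _, err := image.DecodeConfig(bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("DecodeConfig: %v", err)
+	}
+	if imgCfg.Width > setting.AvatarMaxWidth {
+		return fmt.Errorf("Image width is to large: %d > %d", imgCfg.Width, setting.AvatarMaxWidth)
+	}
+	if imgCfg.Height > setting.AvatarMaxHeight {
+		return fmt.Errorf("Image height is to large: %d > %d", imgCfg.Height, setting.AvatarMaxHeight)
+	}
+
 	img, _, err := image.Decode(bytes.NewReader(data))
 	if err != nil {
 		return fmt.Errorf("Decode: %v", err)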
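Review bot: The two new bounds check width and height independently, so the quantity they actually protect is the product (4096 × 3072 ≈ 12.6 Mpx, on the order of 50 MB once decoded to a 4-byte-per-pixel image before any resizing), and nothing in the code says so; a short comment above the first check would make the intent of the two knobs clear, e.g. `// Reject oversized images before the full Decode below: RAM use scales with width*height.` Checking via image.DecodeConfig, which reads only the header, before image.Decode is the right ordering for that purpose. Both new error strings misspell "too" and should read `Image width is too large: %d > %d` and `Image height is too large: %d > %d`. UploadAvatar's body continues past the end of this hunk, so whether the rejected error is surfaced verbatim to the uploader cannot be seen here.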

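--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -345,6 +345,8 @@ var (
 
 	// Picture settings
 	AvatarUploadPath string
+	AvatarMaxWidth int
+	AvatarMaxHeight int
 	GravatarSource string
 	GravatarSourceURL *url.URL
 	DisableGravatar bool
@@ -1036,6 +1038,8 @@ func NewContext() {
 	if !filepath.IsAbs(AvatarUploadPath) {
 		AvatarUploadPath = path.Join(AppWorkPath, AvatarUploadPath)
 	}
+	AvatarMaxWidth = sec.Key("AVATAR_MAX_WIDTH").MustInt(4096)
+	AvatarMaxHeight = sec.Key("AVATAR_MAX_HEIGHT").MustInt(3072)
 	switch source := sec.Key("GRAVATAR_SOURCE").MustString("gravatar"); source {
 	case "duoshuo":
 		GravatarSource = "http://gravatar.duoshuo.com/avatar/"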
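Review bot: A configured AVATAR_MAX_WIDTH or AVATAR_MAX_HEIGHT of 0 or a negative number is taken as-is by the two MustInt calls in the NewContext hunk, since MustInt only substitutes its default when the key is absent, and every avatar upload would then fail the `>` comparison with a confusing "too large" error; clamp non-positive values back to the default, e.g. `if AvatarMaxWidth <= 0 { AvatarMaxWidth = 4096 }` and the same for AvatarMaxHeight. The two exported variables added to the `var (` block would also benefit from a one-line comment each stating that they are upper bounds on the pixel dimensions of an uploaded avatar, e.g. `// AvatarMaxWidth is the largest width in pixels accepted for an uploaded avatar.` NewContext starts and ends outside this hunk.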
