Skip to content

Limit uploaded avatar image-size to 4096x3072 by default #4353

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 3, 2018
Merged

Limit uploaded avatar image-size to 4096x3072 by default #4353

merged 2 commits into from
Jul 3, 2018

Conversation

bkcsoft
Copy link
Member

@bkcsoft bkcsoft commented Jul 2, 2018

Uploading large files may cause Gitea to crash on OOM. This load the image-header first and checks the sizes before proceeding.

(e.g. a 64250x64250 image becomes 4.1 Gigapixels. Which would allocate 16GB of RAM in RGBA8888.)

Since this can be used for DoS-attacks we should backport it. Just don't know which version yet 🙂

@bkcsoft bkcsoft added type/enhancement An improvement of existing functionality topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Jul 2, 2018
@bkcsoft bkcsoft force-pushed the fix-image-dos-attack branch from c90b589 to 296c153 Compare July 2, 2018 21:51
@bkcsoft bkcsoft added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jul 2, 2018
@lafriks lafriks added this to the 1.5.0 milestone Jul 2, 2018
@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 2, 2018
@codecov-io
Copy link

codecov-io commented Jul 2, 2018
edited
Loading

Codecov Report

Merging #4353 into master will decrease coverage by <.01%.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #4353      +/-   ##
==========================================
- Coverage   20.09%   20.09%   -0.01%     
==========================================
  Files         153      153              
  Lines       30705    30715      +10     
==========================================
  Hits         6171     6171              
- Misses      23590    23600      +10     
  Partials      944      944
Impacted Files Coverage Δ
models/user.go 22.11% <0%> (-0.22%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 69796dd...cb69ac8. Read the comment docs.

@lafriks lafriks merged commit cbee921 into master Jul 3, 2018
@lafriks lafriks deleted the fix-image-dos-attack branch July 3, 2018 03:56
@lafriks lafriks added the type/changelog Adds the changelog for a new Gitea version label Jul 3, 2018
glitch003 pushed a commit to deconet/gitea that referenced this pull request Jul 4, 2018
@bkcsoft @glitch003
Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
1aec387
aswild added a commit to aswild/gitea that referenced this pull request Jul 6, 2018
@aswild
Merge tag 'v1.5.0-rc1' into wild/v1.5
9b336e6 
* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
  * Do not allow to reuse TOTP passcode (go-gitea#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (go-gitea#3979)
  * Add support for FIDO U2F (go-gitea#3971)
  * Added user language setting (go-gitea#3875)
  * LDAP Public SSH Keys synchronization (go-gitea#1844)
  * Add topic support (go-gitea#3711)
  * Multiple assignees (go-gitea#3705)
  * Add protected branch whitelists for merging (go-gitea#3689)
  * Global code search support (go-gitea#3664)
  * Add label descriptions (go-gitea#3662)
  * Add issue search via API (go-gitea#3612)
  * Add repository setting to enable/disable health checks (go-gitea#3607)
  * Emoji Autocomplete (go-gitea#3433)
  * Implements generator cli for secrets (go-gitea#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (go-gitea#3929)
  * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910)
  * Add option to use paged LDAP search when synchronizing users (go-gitea#3895)
  * Symlink icons (go-gitea#1416)
  * Improve release page UI (go-gitea#3693)
  * Add admin dashboard option to run health checks (go-gitea#3606)
  * Add branch link in branch list (go-gitea#3576)
  * Reduce sql query times in retrieveFeeds (go-gitea#3547)
  * Option to enable or disable swagger endpoints (go-gitea#3502)
  * Add missing licenses (go-gitea#3497)
  * Reduce repo indexer disk usage (go-gitea#3452)
  * Enable caching on assets and avatars (go-gitea#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969)
  * Add Environment Variables to Docker template (go-gitea#4012)
  * LFS: make HTTP auth period configurable (go-gitea#4035)
  * Add config path as an optionial flag when changing pass via CLI (go-gitea#4184)
  * Refactor User Settings sections (go-gitea#3900)
  * Allow square brackets in external issue patterns (go-gitea#3408)
  * Add Attachment API (go-gitea#3478)
  * Add EnableTimetracking option to app settings (go-gitea#3719)
  * Add config option to enable or disable log executed SQL (go-gitea#3726)
  * Shows total tracked time in issue and milestone list (go-gitea#3341)
* TRANSLATION
  * Improve English grammar and consistency (go-gitea#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (go-gitea#3961)
  * Provide compressed release binaries (go-gitea#3991)
  * Sign release binaries (go-gitea#4188)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the type/changelog Adds the changelog for a new Gitea version label Oct 7, 2023
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@techknowlogick techknowlogick techknowlogick approved these changes

@lafriks lafriks lafriks approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
1.5.0
Development

Successfully merging this pull request may close these issues.
5 participants
@bkcsoft @codecov-io @techknowlogick @lafriks @delvh