[ticket/security-259] Stop checking image size of images in img bbcode

SECURITY-259
2025-06-08 04:18:52 +00:00 · 2020-06-25 22:20:58 +02:00 · 2020-06-25 22:20:58 +02:00 · d0e2023a63
commit d0e2023a63
parent 2afa989500
4 changed files with 2 additions and 84 deletions
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@ -401,32 +401,6 @@ class bbcode_firstpass extends bbcode
 			$in = 'http://' . $in;
 		}
 		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
 		{
 			$imagesize = new \FastImageSize\FastImageSize();
 			$size_info = $imagesize->getImageSize(htmlspecialchars_decode($in));
 			if ($size_info === false)
 			{
 				$error = true;
 				$this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE'];
 			}
 			else
 			{
 				if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height'])
 				{
 					$error = true;
 					$this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']);
 				}
 				if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width'])
 				{
 					$error = true;
 					$this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']);
 				}
 			}
 		}
 		if ($error || $this->path_in_domain($in))
 		{
 			return '[img]' . $in . '[/img]';
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface
 			->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url')
 			->addParameterByName('urlConfig')
 			->addParameterByName('logger')
 			->addParameterByName('max_img_height')
 			->addParameterByName('max_img_width')
 			->markAsSafeAsURL()
 			->setJS('UrlFilter.filter');
--- a/phpBB/phpbb/textformatter/s9e/parser.php
+++ b/phpBB/phpbb/textformatter/s9e/parser.php
@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface
 	* @param  string  $url        Original URL
 	* @param  array   $url_config Config used by the URL filter
 	* @param  Logger  $logger
-	* @param  integer $max_height Maximum height allowed
+	*
 	* @param  integer $max_width  Maximum width allowed
 	* @return string|bool         Original value if valid, FALSE otherwise
 	*/
-	static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width)
+	static public function filter_img_url($url, array $url_config, Logger $logger)
 	{
 		// Validate the URL
 		$url = UrlFilter::filter($url, $url_config, $logger);
@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface
 			return false;
 		}
 		if ($max_height || $max_width)
 		{
 			$imagesize = new \FastImageSize\FastImageSize();
 			$size_info = $imagesize->getImageSize($url);
 			if ($size_info === false)
 			{
 				$logger->err('UNABLE_GET_IMAGE_SIZE');
 				return false;
 			}
 			if ($max_height && $max_height < $size_info['height'])
 			{
 				$logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height));
 				return false;
 			}
 			if ($max_width && $max_width < $size_info['width'])
 			{
 				$logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width));
 				return false;
 			}
 		}
 		return $url;
 	}
--- a/tests/text_processing/message_parser_test.php
+++ b/tests/text_processing/message_parser_test.php
@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 				},
 				array('You may only use fonts up to size 120.')
 			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
 				array(true, true, true, true, true, true, true),
 				function ($phpbb_container)
 				{
 					$phpbb_container->get('config')->set('max_post_img_height', 12);
 				},
 				array('Your images may only be up to 12 pixels high.')
 			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
 				array(true, true, true, true, true, true, true),
 				function ($phpbb_container)
 				{
 					$phpbb_container->get('config')->set('max_post_img_width', 34);
 				},
 				array('Your images may only be up to 34 pixels wide.')
 			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r><IMG src="http://example.org/100x100.png"><s>[img]</s><URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL><e>[/img]</e></IMG></r>',
@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 					$phpbb_container->get('config')->set('max_sig_img_width', 34);
 				}
 			),
 			array(
 				'[img]http://example.org/404.png[/img]',
 				'<r>[img]<URL url="http://example.org/404.png">http://example.org/404.png</URL>[/img]</r>',
 				array(true, true, true, true, true, true, true),
 				function ($phpbb_container)
 				{
 					$phpbb_container->get('config')->set('max_post_img_height', 12);
 				},
 				array('It was not possible to determine the dimensions of the image.')
 			),
 			array(
 				'[flash=999,999]http://example.org/foo.swf[/flash]',
 				'<r>[flash=999,999]<URL url="http://example.org/foo.swf">http://example.org/foo.swf</URL>[/flash]</r>',