I am checking out the FlexImage plugin and I like what I see. I do have one question though.

One of the main things I like is the ability to resize dynamically by passing in the size parameter.

My concern at this point is whether or not this opens up a security vulnerability - for if a user set up a script to call every size variation between 1x1 and 500x500 for a given image (or worse a list of images) I'm guessing all the RMagick work would probably put a serious load on the server, possibly even creating a DOS type situation. What are your thoughts on this? Is there any reasonable way to prevent this scenario? Am I misunderstanding the situation? Or is it just an accepted risk?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
> I am checking out the FlexImage plugin and I like what I see. I do
> have one question though.
>
> One of the main things I like is the ability to resize dynamically by
> passing in the size parameter.
>
> My concern at this point is whether or not this opens up a security
> vulnerability - for if a user set up a script to call every size
> variation between 1x1 and 500x500 for a given image (or worse a list
> of images) I'm guessing all the RMagick work would probably put a
> serious load on the server, possibly even creating a DOS type
> situation. What are your thoughts on this? Is there any reasonable
> way to prevent this scenario? Am I misunderstanding the situation?
> Or is it just an accepted risk?

Certainly that's possible... you could work around it a couple of ways...

- Don't pass the size in the url, but have keywords or some such that relate to a set size. Odds are you don't really need all the sizes from 1x1 to 500x500 :)

- Pass along an md5 hash that's the combination of the size and some secret keyword. Have the fleximage action check it to make sure they match. This seems like overkill to me though (just in terms of headache).

I'm sure there are other ways..

-philip
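The second suggestion above, a hash over the requested size plus a secret that the image action verifies before touching RMagick, worked through as an added example. This is not FlexImage code and not Philip's; it uses HMAC-SHA256 in place of a plain md5 over the concatenation, and it also binds the image id so one signed size cannot be replayed against every other image. SECRET, MAX_DIMENSION, the parameter names `id`/`w`/`h`/`sig` and the helper names are all assumptions of this example.

```ruby
require 'openssl'

# Added example (not FlexImage's own code): the template signs the size it
# asks for, and the image action refuses any width/height it did not sign.

# Constructed placeholder; a real app loads this from configuration.
SECRET = 'replace-me-with-a-long-random-secret'

# Assumed upper bound so even a correctly signed request stays within reason.
MAX_DIMENSION = 2000

# Everything the signature must cover: the image and both dimensions.
def size_message(image_id, width, height)
  "#{image_id}:#{width}x#{height}"
end

def sign_size(secret, image_id, width, height)
  OpenSSL::HMAC.hexdigest('SHA256', secret, size_message(image_id, width, height))
end

# Query parameters the template embeds in the <img> URL.
def signed_size_params(secret, image_id, width, height)
  { 'id' => image_id.to_s, 'w' => width.to_s, 'h' => height.to_s,
    'sig' => sign_size(secret, image_id, width, height) }
end

# Strict decimal parse; "250abc", "", nil and "0x10" all come back nil.
def parse_dimension(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError
  nil
end

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed signature were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# params is the request's parameter hash (strings, as Rails hands them over).
# Call this in a before_filter and abort the action when it returns false.
def valid_size_request?(secret, params)
  width  = parse_dimension(params['w'])
  height = parse_dimension(params['h'])
  return false if width.nil? || height.nil?
  return false unless (1..MAX_DIMENSION).cover?(width) && (1..MAX_DIMENSION).cover?(height)
  expected = sign_size(secret, params['id'].to_s, width, height)
  secure_compare(expected, params['sig'].to_s)
end
```

The bound check runs before the HMAC so a forged request costs one integer parse, not a hash, and the image id is part of the signed message because a signature that only covers `250x250` would let anyone who saw one valid URL request that size for every image in the system.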
The best way (in my opinion) to do it is resize one time and save. Hard drive space is cheaper than a DOS.

I personally don't like storing images in a database because you can't serve it from the web server; no matter what it has to have an interface.

I would come up with a naming convention that saves the files to the disk when different requests are made. Then you can essentially cache the requests for the image sizes. For instance: filename-250x250.filetype

Good day,
Chris

Philip Hallstrom wrote:
>> serious load on the server, possibly even creating a DOS type
>> situation. What are your thoughts on this? Is there any reasonable
>> way to prevent this scenario? Am I misunderstanding the situation?
>> Or is it just an accepted risk?
>
> Certainly that's possible... you could work around it a couple of
> ways...
>
> - Don't pass the size in the url, but have keywords or some such that
> relate to a set size. Odds are you don't really need all the sizes from
> 1x1 to 500x500 :)
>
> - Pass along an md5 hash that's the combination of the size and some
> secret keyword. Have the fleximage action check it to make sure they
> match. This seems like overkill to me though (just in terms of
> headache).
>
> I'm sure there are other ways..
>
> -philip

-- 
Posted via http://www.ruby-forum.com/.
> The best way (in my opinion) to do it is resize one time and save. Hard
> drive space is cheaper than a DOS.

If I had one known size, I would agree. But the situation is that I'm allowing various users to create custom layouts (via the Liquid template system). I wish to allow all such users to take advantage of image assets in the system and allow them to request a size that fits their layout.

Storage of images will be in the filesystem, and I believe once a given size has been requested the naming format FlexImage uses supports caching of that image for future re-use.

> > - Don't pass the size in the url, but have keywords or some such that
> > relate to a set size. Odds are you don't really need all the sizes from
> > 1x1 to 500x500 :)

Perhaps a workable solution. Instead of allowing users pixel level control over image size, I could give them increments of 50px to work with. This way all resizing could be done up front.

> > - Pass along an md5 hash that's the combination of the size and some
> > secret keyword. Have the fleximage action check it to make sure they
> > match. This seems like overkill to me though (just in terms of
> > headache).

Does seem like overkill, but also seems like the one solution offered so far to allow dynamic resizing from the template which provides some measure of protection against malicious exploitation. Thanks!

Thanks to everyone so far. If anyone else has two cents to throw in - please feel free!
> Posted by jpease:
>> > - Don't pass the size in the url, but have keywords or some such that
>> > relate to a set size. Odds are you don't really need all the sizes from
>> > 1x1 to 500x500 :)

This would be my suggestion as well.
jpease wrote:
>> The best way (in my opinion) to do it is resize one time and save. Hard
>> drive space is cheaper than a DOS.
>
> If I had one known size, I would agree. But the situation is that I'm
> allowing various users to create custom layouts (via the Liquid
> template system). I wish to allow all such users to take advantage of
> image assets in the system and allow them to request a size that fits
> their layout.
>
> Storage of images will be in the filesystem, and I believe once a given
> size has been requested the naming format FlexImage uses supports
> caching of that image for future re-use.

Not really. You have to use page_caching provided by rails. FlexImage doesn't provide its own caching at all. page_caching does a fine job.

>> > - Don't pass the size in the url, but have keywords or some such that
>> > relate to a set size. Odds are you don't really need all the sizes from
>> > 1x1 to 500x500 :)
>
> Perhaps a workable solution. Instead of allowing users pixel level
> control over image size, I could give them increments of 50px to work
> with. This way all resizing could be done up front.

With page_caching of your image action in place, it shouldn't hit you too hard. The first time those urls are loaded would be a strain, however, after that they will be served from the file system very quickly without invoking rails. It would still load lots of images, but makes your system no more vulnerable than any other website that serves images.

You can also do things like check the referer to make sure that the image request is coming from the proper domain. Or abort the flex image action unless the width param is a multiple of 10, 25 or 50 if you want to go that route.

But really, with rails page caching, I doubt this is a large issue. Worst comes to worst, your server is slow for a few minutes and then immune to that attack in the future.

If this is wrong, or there are any features that FlexImage should have to make it more secure, please let me know. I certainly don't want my production servers bitten by a DOS.

-Alex (Author of FlexImage)
On Fri, 2006-12-15 at 06:17 +0100, Alex Wayne wrote:
> You can also do things like check the referer to make sure that the
> image request is coming from the proper domain.

Is this something that could be configured in Apache? or would it have to be done in rails? I'm not that familiar with apache, but it seems that it would be much faster at this task if it can be set up that way.
Brian C Broom wrote:
> On Fri, 2006-12-15 at 06:17 +0100, Alex Wayne wrote:
>> You can also do things like check the referer to make sure that the
>> image request is coming from the proper domain.
>
> Is this something that could be configured in Apache? or would it have
> to be done in rails? I'm not that familiar with apache, but it seems
> that it would be much faster at this task if it can be set up that way.

I am sure it can be configured in either place. Don't know how to do it in Apache though.
> With page_caching of your image action in place, it shouldn't hit you
> too hard. The first time those urls are loaded would be a strain,
> however, after that they will be served from the file system very quickly
> without invoking rails. It would still load lots of images, but makes
> your system no more vulnerable than any other website that serves images.

Depends on how much disk space you have as well though... if you allow them to pass the size in via the url someone could do this:

  1.upto(10000) do |x|
    1.upto(10000) do |y|
      ... generate image at width=x height=y
    end
  end

so even if your server could handle it, it's going to eat up a lot of disk space... just something to keep in mind.
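Three points from the thread, put into code as an added example that is not FlexImage's and not any poster's: Alex's "abort the action unless the width param is a multiple of 10, 25 or 50" check, Chris's `filename-250x250.filetype` cache naming, and the disk-space concern just raised, which a step-and-bound policy turns into a number you can budget for. STEP and MAX_DIMENSION are assumed policy values and every function name here is this example's own.

```ruby
# Added example, not FlexImage's own code. A size policy that a before_filter
# on the image action can enforce, plus the cache footprint it permits.

STEP = 50            # assumed: sizes are multiples of 50px
MAX_DIMENSION = 500  # assumed: nothing larger than 500px is ever generated

# Strict decimal parse; returns nil for anything that is not a plain integer.
def parse_dimension(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError
  nil
end

# One axis is acceptable when it is a whole number of steps within the bound.
def allowed_dimension?(raw, step: STEP, max: MAX_DIMENSION)
  n = parse_dimension(raw)
  !n.nil? && n >= step && n <= max && (n % step).zero?
end

# What the before_filter evaluates; both arguments are the raw query strings.
def allowed_size?(width_raw, height_raw, step: STEP, max: MAX_DIMENSION)
  allowed_dimension?(width_raw, step: step, max: max) &&
    allowed_dimension?(height_raw, step: step, max: max)
end

# Cache file name in the "filename-250x250.filetype" form. The basename and
# extension are restricted to a safe character set so a request cannot steer
# the path on disk.
def cache_filename(basename, ext, width, height)
  raise ArgumentError, 'unsafe basename' unless basename.match?(/\A[\w-]+\z/)
  raise ArgumentError, 'unsafe extension' unless ext.match?(/\A[a-z0-9]+\z/i)
  "#{basename}-#{width}x#{height}.#{ext}"
end

# Distinct width/height combinations the policy lets through, which is also
# the most cache files one source image can ever produce.
def max_cache_variants(step: STEP, max: MAX_DIMENSION)
  per_axis = max / step
  per_axis * per_axis
end

# Worst-case disk footprint of a fully populated cache for the whole library.
def worst_case_cache_bytes(image_count, avg_variant_bytes, step: STEP, max: MAX_DIMENSION)
  image_count * max_cache_variants(step: step, max: max) * avg_variant_bytes
end
```

With the assumed 50px step and 500px bound each image can produce at most 100 cached files, so the cache is bounded by your library size rather than by whoever hits the URL; with no step and the 10000x10000 range from the message above, `max_cache_variants(step: 1, max: 10_000)` is a hundred million files per image, which is the disk problem being described.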
> On Fri, 2006-12-15 at 06:17 +0100, Alex Wayne wrote:
>> You can also do things like check the referer to make sure that the
>> image request is coming from the proper domain.
>
> Is this something that could be configured in Apache? or would it have
> to be done in rails? I'm not that familiar with apache, but it seems
> that it would be much faster at this task if it can be set up that way.

Also this can be gotten around as the only way your server knows the referer is based on a header the browser supplies. So if I wanted to I could just fake it... (someone please correct me if I'm wrong)

-philip