jadedspiral / timthumb

Automatically exported from code.google.com/p/timthumb

Patch for /trunk/timthumb.php #481

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi. I added some things that I needed. Hope it's useful and can get to the 
official release (as I find this lib to be extremely useful).

Changelog:

+ Added DEFAULT_A as an option
+ Added OPTIPNG_LEVEL option
+ Added jpegoptim handling. This is controlled with JPEGOPTIM_ENABLED and 
JPEGOPTIM_PATH options
+ Added 'o' parameter, to handle obfuscation. This has three possible values: 1. 
sets brightness to +30%; 2. flips image horizontally; 3. sets brightness and 
flips. (all this was an attempt to fool image recognition engines)

And these are the most important changes:

+ Added option SAVE_PLAIN_FILE. This saves a plain image file (instead of a 
data file).
+ Added option USE_ALLOWED_SIZES and array $ALLOWED_SIZES, to limit the 
directories that can be created.

I use this so the server can serve the image directly from the filesystem, 
without loading timthumb.php. I use nginx as reverse proxy and static content 
server, in front of apache, working as dynamic content server. The image 
fetching flow is like this:

- 1st time: nginx searches the image in the filesystem, gets 404 and proxy 
passes to apache. Apache catches the pass with a RewriteRule (mod_rewrite):
RewriteRule ^thumbs/(.*)$ thumb_wrapper.php?uri=$1&${QUERY_STRING} [L,NC]

This catches the url and passes it to thumb_wrapper.php, that simply sets the 
$_GET variable for timthumb.php to work:
<?php
  /* thumb_wrapper.php
   * this takes $_GET['uri'] in the following format:
   * pictures/200x300-zc_1-a_t-q_90/mygreatimage.jpg
   * being:
   *   200: width
   *   300: height
   *   zc_1: zc parameter with value '1' (zc=1)
   *   a_t: a parameter with value 't' (a=t)
   *   q_90: q parameter with value '90' (q=90)
   * you can set here any value that timthumb accepts.
   */

  // 'uri' comes straight from the request; nothing here validates it, so
  // timthumb's own checks on 'src' are the only ones that apply.
  $uri_parts = explode('/', $_GET['uri']);

  // source path = first directory + filename (the size/params segment is dropped)
  $fname = $uri_parts[0].'/'.$uri_parts[2];

  if(strpos($uri_parts[1],'-')!==false){
    $params = @explode('-',$uri_parts[1]);
    // first field is WxH, the rest are name_value pairs
    list($size_x,$size_y) = @explode('x', @array_shift($params));

    $_GET = array(
      'src' => $fname,
      'w' => $size_x,
      'h' => $size_y,
    );
    if(is_array($params)) foreach($params as $p){
      list($par,$val) = @explode('_',$p);
      $_GET[$par] = $val;
    }
  }
  require 'timthumb.php';
?>

- 2nd time, nginx finds the image in the filesystem and serves it. Fast.

Hope this is helpful for anyone. You can ask me anything you need.

Best Regards!

PS: If you can, check the code out, modify it at will and help me discover 
security issues (I can help you patch those).

Original issue reported on code.google.com by mati...@gmail.com on 11 Apr 2014 at 5:17
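An added example, not part of this patch or of timthumb itself, of a stricter front end for thumb_wrapper.php: it rejects any uri that does not match the documented dir/WxH-params/file format, applies the patch's allowed-sizes idea to the size segment, and forwards only whitelisted parameters, so nothing unexpected reaches timthumb or the thumbs/ directory. The contents of $ALLOWED_SIZES, the $ALLOWED_PARAMS table and its value patterns are assumptions.

```php
<?php
// Added example (not the patch's own code): strict parser for the thumbs/ URI
// format, run before handing $_GET to timthumb.php. The whitelists below are
// assumptions that mirror the patch's USE_ALLOWED_SIZES idea.
// Constructed whitelist: only these WxH directories may ever be created.
$ALLOWED_SIZES = array('200x300', '100x100', '640x480');

// Forwardable parameters and the pattern each value must match (assumed).
$ALLOWED_PARAMS = array(
    'zc' => '/^[0-3]$/',
    'a'  => '/^(c|[tb]|[lr]|[tb][lr])$/',
    'q'  => '/^(100|[1-9][0-9]?)$/',
);

// Parse "dir/WxH-p_v-p_v/file.ext" into the array timthumb reads from $_GET.
// Returns null on any malformed part so the caller can answer 404 instead of
// letting an unexpected value reach timthumb or the filesystem.
function parse_thumb_uri($uri, array $allowed_sizes, array $allowed_params) {
    $parts = explode('/', $uri);
    if (count($parts) !== 3) {
        return null;   // exactly: source dir, size+params, filename
    }
    list($dir, $spec, $file) = $parts;
    // One plain path component each: no separators, no "..", no control chars.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) return null;
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $file)) return null;

    $fields = explode('-', $spec);
    $size = array_shift($fields);
    if (!in_array($size, $allowed_sizes, true)) return null;
    list($w, $h) = explode('x', $size);

    $get = array('src' => $dir . '/' . $file, 'w' => (int)$w, 'h' => (int)$h);
    foreach ($fields as $field) {
        $pair = explode('_', $field, 2);
        if (count($pair) !== 2) return null;
        list($name, $value) = $pair;
        if (!isset($allowed_params[$name]) || !preg_match($allowed_params[$name], $value)) {
            return null;   // unknown parameter, or value outside its allowed pattern
        }
        $get[$name] = $value;
    }
    return $get;
}

// Usage with a constructed uri in the format described in the issue.
$parsed = parse_thumb_uri('pictures/200x300-zc_1-a_t-q_90/mygreatimage.jpg', $ALLOWED_SIZES, $ALLOWED_PARAMS);
if ($parsed === null) { http_response_code(404); exit; }
$_GET = $parsed;   // then: require 'timthumb.php';
```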
