meghlal / timthumb

Automatically exported from code.google.com/p/timthumb
0 stars 0 forks source link

Hardened allowed host checks and removed default allowed hosts #213

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Switched check for allowed sites to regex and hardened up hostname check.
Previous host check would have been fooled by: hackerwordpress.com for example. 

Removed allowedSites by default. These are all public hosting systems 
(wordpress.com, blogspot, etc) and an attacker might be able to create a blog 
entry or upload a file that will then be downloaded into the cache directory 
and accessed via the web server and executed as per the previous hack. Lets 
force users to explicitly say what they want to allow. Many theme makers are 
using the default timthumb straight out the box, so lets make sure that's 
hardened up. 

Original issue reported on code.google.com by mmaun...@gmail.com on 2 Aug 2011 at 9:19

Attachments:

GoogleCodeExporter commented 9 years ago
Thanks for that. Have implemented the regex

I understand the concern but I am not entirely keen about removing the default 
allowed sites as that makes things harder for non technical users (the whole 
reason timthumb exists).

As such I have removed the possibly insecure domains (domains where you can 
upload any type of content) and kept the ones that are restricted to images. 
Hopefully that's a decent compromise?

Original comment by BinaryMoon on 2 Aug 2011 at 9:59