summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortill <till@php.net>2008-10-22 14:18:47 +0000
committertill <till@php.net>2008-10-22 14:18:47 +0000
commitfe7618f1baf08fe8f579b2efdbb7e5200b60e6d4 (patch)
treee41e8a0d61da11ea0fe6facb1b3f87da6f7d91d4
parenteffc35fdbeb7dd721e34ae94c7470576fd7a6a4f (diff)
* checking if a user session is active in quotaimg.php
* this is an expensive operation * but it fixes a possible DoS * implement max-width and -height for the image (subject to change)
-rw-r--r--bin/quotaimg.php21
1 files changed, 20 insertions, 1 deletions
diff --git a/bin/quotaimg.php b/bin/quotaimg.php
index ddd9b728a..74a3d994a 100644
--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,11 +18,30 @@
*/
+// define INSTALL_PATH since it's sort of custom from /bin/quotaimg.php
+define('INSTALL_PATH', str_replace('bin', '', dirname(__FILE__)));
+
+// include environment
+require_once INSTALL_PATH . 'program/include/iniset.php';
+
+// init application and start session with requested task
+$RCMAIL = rcmail::get_instance();
+if (empty($RCMAIL->user->ID)) {
+ die('You are not logged in, there is no need you are allowed to render the quota image.');
+}
+
$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
+// let's apply some sanity
+// @todo Maybe a config option?
+if ($width > 200 || $height > 50) {
+ $width = 100;
+ $height = 14;
+}
+
/**
* Quota display
*
@@ -180,4 +199,4 @@ function genQuota($used, $total, $width, $height)
genQuota($used, $quota, $width, $height);
exit;
-?> \ No newline at end of file
+?>