diff options
author | till <till@php.net> | 2008-10-22 14:18:47 +0000 |
---|---|---|
committer | till <till@php.net> | 2008-10-22 14:18:47 +0000 |
commit | fe7618f1baf08fe8f579b2efdbb7e5200b60e6d4 (patch) | |
tree | e41e8a0d61da11ea0fe6facb1b3f87da6f7d91d4 | |
parent | effc35fdbeb7dd721e34ae94c7470576fd7a6a4f (diff) |
* checking if a user session is active in quotaimg.php
* this is an expensive operation
* but it fixes a possible DoS
* implement max-width and -height for the image (subject to change)
-rw-r--r-- | bin/quotaimg.php | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/bin/quotaimg.php b/bin/quotaimg.php index ddd9b728a..74a3d994a 100644 --- a/bin/quotaimg.php +++ b/bin/quotaimg.php @@ -18,11 +18,30 @@ */ +// define INSTALL_PATH since it's sort of custom from /bin/quotaimg.php +define('INSTALL_PATH', str_replace('bin', '', dirname(__FILE__))); + +// include environment +require_once INSTALL_PATH . 'program/include/iniset.php'; + +// init application and start session with requested task +$RCMAIL = rcmail::get_instance(); +if (empty($RCMAIL->user->ID)) { + die('You are not logged in, there is no need you are allowed to render the quota image.'); +} + $used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??'; $quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??'; $width = empty($_GET['w']) ? 100 : (int)$_GET['w']; $height = empty($_GET['h']) ? 14 : (int)$_GET['h']; +// let's apply some sanity +// @todo Maybe a config option? +if ($width > 200 || $height > 50) { + $width = 100; + $height = 14; +} + /** * Quota display * @@ -180,4 +199,4 @@ function genQuota($used, $total, $width, $height) genQuota($used, $quota, $width, $height); exit; -?>
\ No newline at end of file +?> |