author | zotlabs <mike@macgirvin.com> | 2017-11-17 13:54:16 -0800 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2017-11-17 13:54:16 -0800 |
commit | eb1e9edd333161ae600d91ef49ef09dc04fce473 (patch) | |
tree | 0feb65125342ea213bc0ba57b82c320308dfb3d9 | |
parent | ab363e31322d699ee53f052d5198c3a7680f8cc8 (diff) | |
svg thumbnails have security concerns. Added thumbnail security setting and hook to generate other thumbnails - a plugin for text file thumbnails isn't too difficult (using imagemagick lib), however it's a tossup whether we do this at file submission time or at render time for performance reasons. Perhaps both options should be available.
-rw-r--r-- | Zotlabs/Storage/Browser.php | 13 | ||||
-rw-r--r-- | doc/hooklist.bb | 3 |
2 files changed, 14 insertions, 2 deletions
diff --git a/Zotlabs/Storage/Browser.php b/Zotlabs/Storage/Browser.php
index ee5a9fef4..17b07ad82 100644
--- a/Zotlabs/Storage/Browser.php
+++ b/Zotlabs/Storage/Browser.php
@@ -200,9 +200,13 @@ class Browser extends DAV\Browser\Plugin {
 // generate preview icons for tile view.
 // Currently we only handle images, but this could potentially be extended with plugins
- // to provide document and video thumbnails
+ // to provide document and video thumbnails. SVG, PDF and office documents have some
+ // security concerns and should only be allowed on single-user sites with tightly controlled
+ // upload access. system.thumbnail_security should be set to 1 if you want to include these
+ // types
 $photo_icon = '';
+ $preview_style = intval(get_config('system','thumbnail_security',0));
 if(strpos($type,'image/') === 0 && $attachHash) {
 $r = q("select resource_id, imgscale from photo where resource_id = '%s' and imgscale in ( %d, %d ) order by imgscale asc limit 1",
@@ -213,12 +217,17 @@ class Browser extends DAV\Browser\Plugin {
 if($r) {
 $photo_icon = 'photo/' . $r[0]['resource_id'] . '-' . $r[0]['imgscale'];
 }
- if($type === 'image/svg+xml') {
+ if($type === 'image/svg+xml' && $preview_style > 0) {
 $photo_icon = $fullPath;
 }
 }
+ $g = [ 'resource_id' => $attachHash, 'thumbnail' => $photo_icon, 'security' => $preview_style ];
+ call_hooks('file_thumbnail', $g);
+ $photo_icon = $g['photo_icon'];
+
+
 $attachIcon = ""; // "<a href=\"attach/".$attachHash."\" title=\"".$displayName."\"><i class=\"fa fa-arrow-circle-o-down\"></i></a>";
 // put the array for this file together
diff --git a/doc/hooklist.bb b/doc/hooklist.bb
index 1192a1506..5b34ef0ca 100644
--- a/doc/hooklist.bb
+++ b/doc/hooklist.bb
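Review bot: In the second Browser.php hunk, `$photo_icon = $g['photo_icon'];` reads a key that the array passed to `call_hooks('file_thumbnail', $g)` never defines; the array is built with `'thumbnail' => $photo_icon`. Unless a plugin happens to add a `photo_icon` key, the icon computed above is discarded for every file, including ordinary image previews, so the line should read back the key that was sent: `$photo_icon = $g['thumbnail'];`. Separately, `system.thumbnail_security` is enforced in this code only for the SVG branch; the value is handed to hook handlers as `'security'`, but nothing visible here prevents a handler from returning a thumbnail for a risky type when it is 0, so the hook documentation should state that handlers must honour it. The enclosing method starts and ends outside both hunks.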
@@ -229,6 +229,9 @@ Hooks allow plugins/addons to "hook into" the code at many points and alter the
 [zrl=[baseurl]/help/hook/feature_settings_post]feature_settings_post[/zrl]
 called from settings page when posting from 'addon/feature settings'
+[zrl=[baseurl]/help/hook/file_thumbnail]file_thumbnail[/zrl]
+ called when generating thumbnail images for cloud page in 'view tiles' mode
+
 [zrl=[baseurl]/help/hook/follow]follow[/zrl]
 called when a follow operation takes place |