aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-11-17 13:54:16 -0800
committerzotlabs <mike@macgirvin.com>2017-11-17 13:54:16 -0800
commiteb1e9edd333161ae600d91ef49ef09dc04fce473 (patch)
tree0feb65125342ea213bc0ba57b82c320308dfb3d9
parentab363e31322d699ee53f052d5198c3a7680f8cc8 (diff)
downloadvolse-hubzilla-eb1e9edd333161ae600d91ef49ef09dc04fce473.tar.gz
volse-hubzilla-eb1e9edd333161ae600d91ef49ef09dc04fce473.tar.bz2
volse-hubzilla-eb1e9edd333161ae600d91ef49ef09dc04fce473.zip
svg thumbnails have security concerns. Added thumbnail security setting and hook to generate other thumbnails - a plugin for text file thumbnails isn't too difficult (using imagemagick lib), however it's a tossup whether we do this at file submission time or at render time for performance reasons. Perhaps both options should be available.
-rw-r--r--Zotlabs/Storage/Browser.php13
-rw-r--r--doc/hooklist.bb3
2 files changed, 14 insertions, 2 deletions
diff --git a/Zotlabs/Storage/Browser.php b/Zotlabs/Storage/Browser.php
index ee5a9fef4..17b07ad82 100644
--- a/Zotlabs/Storage/Browser.php
+++ b/Zotlabs/Storage/Browser.php
@@ -200,9 +200,13 @@ class Browser extends DAV\Browser\Plugin {
// generate preview icons for tile view.
// Currently we only handle images, but this could potentially be extended with plugins
- // to provide document and video thumbnails
+ // to provide document and video thumbnails. SVG, PDF and office documents have some
+ // security concerns and should only be allowed on single-user sites with tightly controlled
+ // upload access. system.thumbnail_security should be set to 1 if you want to include these
+ // types
$photo_icon = '';
+ $preview_style = intval(get_config('system','thumbnail_security',0));
if(strpos($type,'image/') === 0 && $attachHash) {
$r = q("select resource_id, imgscale from photo where resource_id = '%s' and imgscale in ( %d, %d ) order by imgscale asc limit 1",
@@ -213,12 +217,17 @@ class Browser extends DAV\Browser\Plugin {
if($r) {
$photo_icon = 'photo/' . $r[0]['resource_id'] . '-' . $r[0]['imgscale'];
}
- if($type === 'image/svg+xml') {
+ if($type === 'image/svg+xml' && $preview_style > 0) {
$photo_icon = $fullPath;
}
}
+ $g = [ 'resource_id' => $attachHash, 'thumbnail' => $photo_icon, 'security' => $preview_style ];
+ call_hooks('file_thumbnail', $g);
+ $photo_icon = $g['photo_icon'];
+
+
$attachIcon = ""; // "<a href=\"attach/".$attachHash."\" title=\"".$displayName."\"><i class=\"fa fa-arrow-circle-o-down\"></i></a>";
// put the array for this file together
diff --git a/doc/hooklist.bb b/doc/hooklist.bb
index 1192a1506..5b34ef0ca 100644
--- a/doc/hooklist.bb
+++ b/doc/hooklist.bb
@@ -229,6 +229,9 @@ Hooks allow plugins/addons to "hook into" the code at many points and alter the
[zrl=[baseurl]/help/hook/feature_settings_post]feature_settings_post[/zrl]
called from settings page when posting from 'addon/feature settings'
+[zrl=[baseurl]/help/hook/file_thumbnail]file_thumbnail[/zrl]
+ called when generating thumbnail images for cloud page in 'view tiles' mode
+
[zrl=[baseurl]/help/hook/follow]follow[/zrl]
called when a follow operation takes place