def get(self, **kw): url = self.request.uri if not self.validate(kw["image"]): self._error(404, "No original image was specified in the given URL") return self.context.request = RequestParameters(**kw) self.context.request.unsafe = self.context.request.unsafe == "unsafe" if self.request.query: self.context.request.image_url += "?%s" % self.request.query self.context.request.image_url = quote(self.context.request.image_url, "/:?%=&") has_none = not self.context.request.unsafe and not self.context.request.hash has_both = self.context.request.unsafe and self.context.request.hash if has_none or has_both: self._error(404, "URL does not have hash or unsafe, or has both: %s" % url) return if self.context.request.unsafe and not self.context.config.ALLOW_UNSAFE_URL: self._error(404, "URL has unsafe but unsafe is not allowed by the config: %s" % url) return url_signature = self.context.request.hash if url_signature: signer = Signer(self.context.server.security_key) url_to_validate = url.replace("/%s/" % self.context.request.hash, "") valid = signer.validate(url_signature, url_to_validate) if not valid and self.context.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE: # Retrieves security key for this image if it has been seen before security_key = self.context.modules.storage.get_crypto(self.context.request.image_url) if security_key is not None: signer = Signer(security_key) valid = signer.validate(url_signature, url_to_validate) if not valid: is_valid = True if self.context.config.ALLOW_OLD_URLS: cr = Cryptor(self.context.server.security_key) options = cr.get_options(self.context.request.hash, self.context.request.image_url) if options is None: is_valid = False else: self.context.request = RequestParameters(**options) logger.warning( "OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in upcoming versions. Please start using the new format as soon as possible. 
More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes" ) else: is_valid = False if not is_valid: self._error(404, "Malformed URL: %s" % url) return return self.execute_image_operations()
def test_thumbor_can_decrypt_lib_thumbor_generated_url_new_format():
    """A URL built by libthumbor's CryptoURL verifies with thumbor's Signer under the same key."""
    security_key = "my-security-key"
    source_image = "s.glbimg.com/et/bb/f/original/2011/03/24/VN0JiwzmOw0b0lg.jpg"

    generated = CryptoURL(key=security_key).generate(
        width=300, height=200, smart=True, image_url=source_image
    )

    # The generated URL has the form "/<signature>/<signed part>".
    match = re.match("/([^/]+)/(.+)", generated)
    signature, signed_part = match.group(1), match.group(2)

    assert Signer(security_key).validate(signature, signed_part)
def test_thumbor_can_decrypt_lib_thumbor_generated_url_new_format():
    """Round trip: sign with libthumbor's CryptoURL, verify with thumbor's Signer."""
    key = "my-security-key"
    image = "s.glbimg.com/et/bb/f/original/2011/03/24/VN0JiwzmOw0b0lg.jpg"

    signed_url = CryptoURL(key=key).generate(
        width=300,
        height=200,
        smart=True,
        image_url=image,
    )

    # Split "/<signature>/<rest>" into its two parts.
    url_pattern = re.compile("/([^/]+)/(.+)")
    signature, rest = url_pattern.match(signed_url).groups()

    verifier = Signer(key)
    assert verifier.validate(signature, rest)
def check_image(self, kw):
    """Authorise the request URL, then run the image pipeline.

    Generator-based coroutine: it yields on the storage and blacklist futures,
    so it is presumably wrapped by a coroutine decorator outside this block.
    ``kw`` holds the route captures and is updated in place (``image`` may be
    shortened to a stored id, ``request`` is attached).  Every rejection calls
    ``self._error(400, ...)`` and returns; ``_error`` is assumed to write the
    response rather than raise, hence the explicit returns.

    Checks, in order: an image path is present; exactly one of ``unsafe`` /
    ``hash`` is given; ``unsafe`` is allowed by config; the source URL is not
    blacklisted (when ``USE_BLACKLIST`` is set); a signed URL verifies with
    the server key, a per-image stored key, or the legacy encrypted format.
    """
    config = self.context.config
    storage = self.context.modules.storage

    # Short ids: when the leading MAX_ID_LENGTH characters name a stored
    # image, use that id instead of the full path.
    # NOTE(review): this storage lookup happens before the signature is
    # checked, so it is reachable by unsigned requests.
    if config.MAX_ID_LENGTH > 0:
        candidate = kw['image'][:config.MAX_ID_LENGTH]
        exists = yield gen.maybe_future(storage.exists(candidate))
        if exists:
            kw['image'] = candidate

    url = self.request.uri
    if not self.validate(kw['image']):
        self._error(400, 'No original image was specified in the given URL')
        return

    kw['request'] = self.request
    request = self.context.request = RequestParameters(**kw)

    unsafe, signature = request.unsafe, request.hash
    # Neither or both present -> reject (exactly one mode is required).
    if bool(unsafe) == bool(signature):
        # NOTE(review): the raw request URI is echoed in the message; confirm
        # _error renders it as plain text.
        self._error(400, 'URL does not have hash or unsafe, or has both: %s' % url)
        return
    if unsafe and not config.ALLOW_UNSAFE_URL:
        self._error(400, 'URL has unsafe but unsafe is not allowed by the config: %s' % url)
        return

    if config.USE_BLACKLIST:
        blacklist = yield self.get_blacklist_contents()
        if request.image_url in blacklist:
            self._error(400, 'Source image url has been blacklisted: %s' % request.image_url)
            return

    if signature:
        # The signature covers the encoded request path minus the '/<hash>/' segment.
        url_to_validate = Url.encode_url(url).replace('/%s/' % signature, '')
        valid = Signer(self.context.server.security_key).validate(signature, url_to_validate)

        # Second chance: a per-image key stored when the image was first seen.
        if not valid and config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            security_key = yield gen.maybe_future(storage.get_crypto(request.image_url))
            if security_key is not None:
                valid = Signer(security_key).validate(signature, url_to_validate)

        if not valid:
            # Legacy path: treat the hash as an encrypted options payload.
            options = None
            if config.ALLOW_OLD_URLS:
                options = Cryptor(self.context.server.security_key).get_options(
                    signature, request.image_url)
            if options is None:
                self._error(400, 'Malformed URL: %s' % url)
                return
            # Decoded options replace the parameters parsed from the route.
            options['request'] = self.request
            self.context.request = RequestParameters(**options)
            logger.warning(
                'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in '
                'upcoming versions. Please start using the new format as soon as possible. '
                'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
            )

    self.execute_image_operations()
def get(self, **kw):
    """Authorise the request URL, then hand off to the image pipeline.

    ``kw`` holds the route captures (``image``, ``hash``, ``unsafe`` and the
    option fields accepted by ``RequestParameters``).  Each rejection calls
    ``self._error(404, ...)`` and returns ``None``; ``_error`` is assumed to
    write the response rather than raise, which is why every call is followed
    by an explicit ``return``.  On success the return value of
    ``self.execute_image_operations()`` is passed through.
    """
    url = self.request.uri
    if not self.validate(kw['image']):
        self._error(404, 'No original image was specified in the given URL')
        return

    config = self.context.config
    req = self.context.request = RequestParameters(**kw)
    # The route captures the literal segment; normalise it to a boolean.
    req.unsafe = req.unsafe == 'unsafe'

    # Carry the query string through to the source URL before encoding it.
    if self.request.query:
        req.image_url += '?%s' % self.request.query
    req.image_url = self.encode_url(req.image_url.encode('utf-8'))

    # Exactly one of unsafe / hash must be present.
    if bool(req.unsafe) == bool(req.hash):
        # NOTE(review): the raw request URI is echoed in the message; confirm
        # _error renders it as plain text.
        self._error(404, 'URL does not have hash or unsafe, or has both: %s' % url)
        return
    if req.unsafe and not config.ALLOW_UNSAFE_URL:
        self._error(404, 'URL has unsafe but unsafe is not allowed by the config: %s' % url)
        return

    signature = req.hash
    if signature:
        # The signature covers the encoded request path minus the '/<hash>/' segment.
        url_to_validate = self.encode_url(url).replace('/%s/' % signature, '')
        valid = Signer(self.context.server.security_key).validate(signature, url_to_validate)

        # Second chance: a per-image key stored when the image was first seen.
        if not valid and config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            security_key = self.context.modules.storage.get_crypto(req.image_url)
            if security_key is not None:
                valid = Signer(security_key).validate(signature, url_to_validate)

        if not valid:
            # Legacy path: treat the hash as an encrypted options payload.
            options = None
            if config.ALLOW_OLD_URLS:
                options = Cryptor(self.context.server.security_key).get_options(
                    signature, req.image_url)
            if options is None:
                self._error(404, 'Malformed URL: %s' % url)
                return
            # Decoded options replace the parameters parsed from the route.
            self.context.request = RequestParameters(**options)
            logger.warning(
                'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in '
                'upcoming versions. Please start using the new format as soon as possible. '
                'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
            )

    return self.execute_image_operations()
def get(self, **kw):
    """Authorise the request URL, then run the image pipeline.

    ``kw`` holds the route captures (``image``, ``hash``, ``unsafe`` and the
    option fields accepted by ``RequestParameters``); ``kw['image']`` may be
    shortened in place to a stored id.  Each rejection calls
    ``self._error(404, ...)`` and returns ``None``; ``_error`` is assumed to
    write the response rather than raise, hence the explicit returns.  On
    success the return value of ``self.execute_image_operations()`` is
    passed through.
    """
    storage = self.context.modules.storage
    config = self.context.config
    server_key = self.context.server.security_key

    # Short ids: if the first 32 characters name a stored image, use that id
    # (32 presumably being a hex UUID length - confirm against the storage).
    # NOTE(review): this lookup runs before any signature check, so unsigned
    # requests reach the storage backend.
    short_id = kw['image'][:32]
    if storage.exists(short_id):
        kw['image'] = short_id

    url = self.request.uri
    if not self.validate(kw['image']):
        self._error(404, 'No original image was specified in the given URL')
        return

    self.context.request = RequestParameters(**kw)
    request = self.context.request
    # The route captures the literal segment; normalise it to a boolean.
    request.unsafe = request.unsafe == 'unsafe'

    # Carry the query string through to the source URL before encoding it.
    if self.request.query:
        request.image_url += '?%s' % self.request.query
    request.image_url = self.encode_url(request.image_url.encode('utf-8'))

    # Exactly one authorisation mode (unsafe or hash) must be present.
    modes_present = sum(1 for flag in (request.unsafe, request.hash) if flag)
    if modes_present != 1:
        # NOTE(review): the raw request URI is echoed in the message; confirm
        # _error renders it as plain text.
        self._error(404, 'URL does not have hash or unsafe, or has both: %s' % url)
        return
    if request.unsafe and not config.ALLOW_UNSAFE_URL:
        self._error(404, 'URL has unsafe but unsafe is not allowed by the config: %s' % url)
        return

    signature = request.hash
    if signature:
        # The signature covers the encoded request path minus the '/<hash>/' segment.
        url_to_validate = self.encode_url(url).replace('/%s/' % signature, '')
        valid = Signer(server_key).validate(signature, url_to_validate)

        # Second chance: a per-image key stored when the image was first seen.
        if not valid and config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            image_key = storage.get_crypto(request.image_url)
            if image_key is not None:
                valid = Signer(image_key).validate(signature, url_to_validate)

        if not valid:
            # Legacy path: treat the hash as an encrypted options payload.
            options = None
            if config.ALLOW_OLD_URLS:
                options = Cryptor(server_key).get_options(signature, request.image_url)
            if options is None:
                self._error(404, 'Malformed URL: %s' % url)
                return
            # Decoded options replace the parameters parsed from the route.
            self.context.request = RequestParameters(**options)
            logger.warning(
                'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in '
                'upcoming versions. Please start using the new format as soon as possible. '
                'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
            )

    return self.execute_image_operations()
def check_image(self, kw):
    """Authorise the request URL, then run the image pipeline.

    Generator-based coroutine: it yields on the storage and blacklist futures,
    so it is presumably wrapped by a coroutine decorator outside this block.
    ``kw`` holds the route captures and is updated in place (``image`` may be
    shortened to a stored id, ``request`` is attached).  Every rejection calls
    ``self._error(404, ...)`` and returns; ``_error`` is assumed to write the
    response rather than raise, hence the explicit returns.

    Checks, in order: an image path is present; exactly one of ``unsafe`` /
    ``hash`` is given; ``unsafe`` is allowed by config; the source URL is not
    blacklisted (when ``USE_BLACKLIST`` is set); a signed URL verifies with
    the server key, a per-image stored key, or the legacy encrypted format.
    """
    cfg = self.context.config
    storage = self.context.modules.storage
    server_key = self.context.server.security_key

    def reject(message):
        # _error writes the response; callers return right after.
        self._error(404, message)

    # Short ids: when the leading MAX_ID_LENGTH characters name a stored
    # image, use that id instead of the full path.
    # NOTE(review): this lookup runs before the signature is checked, so it
    # is reachable by unsigned requests.
    if cfg.MAX_ID_LENGTH > 0:
        short_id = kw['image'][:cfg.MAX_ID_LENGTH]
        exists = yield gen.maybe_future(storage.exists(short_id))
        if exists:
            kw['image'] = short_id

    url = self.request.uri
    if not self.validate(kw['image']):
        reject('No original image was specified in the given URL')
        return

    kw['request'] = self.request
    self.context.request = RequestParameters(**kw)
    request = self.context.request
    signature = request.hash

    # Exactly one authorisation mode must be present.
    has_none = not request.unsafe and not signature
    has_both = request.unsafe and signature
    if has_none or has_both:
        # NOTE(review): the raw request URI is echoed in the message; confirm
        # _error renders it as plain text.
        reject('URL does not have hash or unsafe, or has both: %s' % url)
        return
    if request.unsafe and not cfg.ALLOW_UNSAFE_URL:
        reject('URL has unsafe but unsafe is not allowed by the config: %s' % url)
        return

    if cfg.USE_BLACKLIST:
        blacklist = yield self.get_blacklist_contents()
        if request.image_url in blacklist:
            reject('Source image url has been blacklisted: %s' % request.image_url)
            return

    if signature:
        # The signature covers the encoded request path minus the '/<hash>/' segment.
        url_to_validate = Url.encode_url(url).replace('/%s/' % signature, '')

        def verifies_with(key):
            return Signer(key).validate(signature, url_to_validate)

        valid = verifies_with(server_key)

        # Second chance: a per-image key stored when the image was first seen.
        if not valid and cfg.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            image_key = yield gen.maybe_future(storage.get_crypto(request.image_url))
            if image_key is not None:
                valid = verifies_with(image_key)

        if not valid:
            # Legacy path: treat the hash as an encrypted options payload.
            options = None
            if cfg.ALLOW_OLD_URLS:
                options = Cryptor(server_key).get_options(signature, request.image_url)
            if options is None:
                reject('Malformed URL: %s' % url)
                return
            # Decoded options replace the parameters parsed from the route.
            options['request'] = self.request
            self.context.request = RequestParameters(**options)
            logger.warning(
                'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in '
                'upcoming versions. Please start using the new format as soon as possible. '
                'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
            )

    self.execute_image_operations()