Example #1
    def get(self, **kw):
        """Validate the requested URL and, when accepted, run the image operations.

        A request must carry exactly one of the ``unsafe`` marker or a
        signature (``hash``).  A signature is checked against the server
        security key, then against a key stored for the image when
        STORES_CRYPTO_KEY_FOR_EACH_IMAGE is set, and finally decoded as a
        legacy-format URL when ALLOW_OLD_URLS is set.  Every rejection goes
        through ``self._error`` with status 404 and returns ``None``.
        """
        ctx = self.context
        url = self.request.uri

        if not self.validate(kw["image"]):
            self._error(404, "No original image was specified in the given URL")
            return

        params = RequestParameters(**kw)
        ctx.request = params

        # Normalise the raw path segment into a boolean flag.
        params.unsafe = params.unsafe == "unsafe"

        if self.request.query:
            params.image_url += "?%s" % self.request.query
        params.image_url = quote(params.image_url, "/:?%=&")

        # Exactly one of "unsafe" / signature must be present.
        if bool(params.unsafe) == bool(params.hash):
            self._error(404, "URL does not have hash or unsafe, or has both: %s" % url)
            return

        # Unsigned URLs skip every signature check below; this flag is their only gate.
        if params.unsafe and not ctx.config.ALLOW_UNSAFE_URL:
            self._error(404, "URL has unsafe but unsafe is not allowed by the config: %s" % url)
            return

        signature = params.hash
        if not signature:
            return self.execute_image_operations()

        signer = Signer(ctx.server.security_key)
        # NOTE(review): str.replace drops every "/<hash>/" occurrence, not only
        # the leading one, so the validated string can differ from the parsed
        # path; confirm whether limiting it to the first occurrence is wanted.
        signed_part = url.replace("/%s/" % signature, "")
        valid = signer.validate(signature, signed_part)

        if not valid and ctx.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            # Retry with the key recorded for this image, if one was stored.
            stored_key = ctx.modules.storage.get_crypto(params.image_url)
            if stored_key is not None:
                valid = Signer(stored_key).validate(signature, signed_part)

        if valid:
            return self.execute_image_operations()

        # Last resort: the legacy URL format, only when explicitly enabled.
        if not ctx.config.ALLOW_OLD_URLS:
            self._error(404, "Malformed URL: %s" % url)
            return

        options = Cryptor(ctx.server.security_key).get_options(signature, params.image_url)
        if options is None:
            self._error(404, "Malformed URL: %s" % url)
            return

        # The request is rebuilt from the decoded options; the checks above
        # ran against the previous parameters and are not repeated.
        ctx.request = RequestParameters(**options)
        logger.warning(
            "OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in upcoming versions. Please start using the new format as soon as possible. More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes"
        )
        return self.execute_image_operations()
Example #2
def test_thumbor_can_decrypt_lib_thumbor_generated_url_new_format():
    """A URL produced by CryptoURL must validate with a Signer built from the same key."""
    # Fixture key for the test only.
    security_key = "my-security-key"
    source_image = "s.glbimg.com/et/bb/f/original/2011/03/24/VN0JiwzmOw0b0lg.jpg"

    signer = Signer(security_key)
    generated_url = CryptoURL(key=security_key).generate(
        image_url=source_image, width=300, height=200, smart=True
    )

    # The generated URL has the shape "/<signature>/<signed path>".
    parts = re.match("/([^/]+)/(.+)", generated_url)
    signature, signed_path = parts.groups()

    assert signer.validate(signature, signed_path)
Example #3
def test_thumbor_can_decrypt_lib_thumbor_generated_url_new_format():
    """Check that Signer accepts the signature embedded in a CryptoURL-generated URL."""
    shared_key = "my-security-key"  # test fixture value
    picture = "s.glbimg.com/et/bb/f/original/2011/03/24/VN0JiwzmOw0b0lg.jpg"
    verifier = Signer(shared_key)

    generator = CryptoURL(key=shared_key)
    options = dict(width=300, height=200, smart=True, image_url=picture)
    full_url = generator.generate(**options)

    # First path segment is the signature; everything after it is what was signed.
    pattern = "/([^/]+)/(.+)"
    found = re.match(pattern, full_url)
    sig, remainder = found.groups()

    assert verifier.validate(sig, remainder)
Example #4
    def check_image(self, kw):
        """Validate the URL parameters in ``kw`` and start the image operations.

        This is a generator: it yields the storage and blacklist lookups
        (presumably driven as a Tornado coroutine; the decorator is not
        visible here).  The request is rejected through
        ``self._error(400, ...)`` when no image is given, when the URL has
        neither or both of ``unsafe`` and a signature, when ``unsafe`` is
        disabled by configuration, when the source image is blacklisted, or
        when no signature check succeeds.

        :param kw: parsed URL parameters.  The dict is mutated: ``kw['image']``
            may be shortened and ``kw['request']`` is set.
        """
        if self.context.config.MAX_ID_LENGTH > 0:
            # Check if an image with an uuid exists in storage
            exists = yield gen.maybe_future(self.context.modules.storage.exists(kw['image'][:self.context.config.MAX_ID_LENGTH]))
            if exists:
                # Anything after the first MAX_ID_LENGTH characters is dropped.
                kw['image'] = kw['image'][:self.context.config.MAX_ID_LENGTH]

        url = self.request.uri

        if not self.validate(kw['image']):
            self._error(400, 'No original image was specified in the given URL')
            return

        kw['request'] = self.request

        self.context.request = RequestParameters(**kw)

        # Exactly one of "unsafe" / signature must be present.
        has_none = not self.context.request.unsafe and not self.context.request.hash
        has_both = self.context.request.unsafe and self.context.request.hash

        if has_none or has_both:
            self._error(400, 'URL does not have hash or unsafe, or has both: %s' % url)
            return

        # Unsigned URLs skip the signature block below; this flag is their only gate.
        if self.context.request.unsafe and not self.context.config.ALLOW_UNSAFE_URL:
            self._error(400, 'URL has unsafe but unsafe is not allowed by the config: %s' % url)
            return

        if self.context.config.USE_BLACKLIST:
            blacklist = yield self.get_blacklist_contents()
            # NOTE(review): the meaning of `in` depends on what
            # get_blacklist_contents returns (substring match if it is a str,
            # exact match for a list/set) - confirm.
            if self.context.request.image_url in blacklist:
                self._error(400, 'Source image url has been blacklisted: %s' % self.context.request.image_url )
                return

        url_signature = self.context.request.hash
        if url_signature:
            signer = Signer(self.context.server.security_key)

            # NOTE(review): str.replace drops every '/<hash>/' occurrence, not
            # only the leading one, so the validated string can differ from
            # the parsed path - confirm whether the first occurrence is enough.
            url_to_validate = Url.encode_url(url).replace('/%s/' % self.context.request.hash, '')
            valid = signer.validate(url_signature, url_to_validate)

            if not valid and self.context.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
                # Retrieves security key for this image if it has been seen before
                security_key = yield gen.maybe_future(self.context.modules.storage.get_crypto(self.context.request.image_url))
                if security_key is not None:
                    # A signature made with the stored key is accepted even
                    # though it failed against the current server key.
                    signer = Signer(security_key)
                    valid = signer.validate(url_signature, url_to_validate)

            if not valid:
                # Legacy-format fallback, only when ALLOW_OLD_URLS is enabled.
                is_valid = True
                if self.context.config.ALLOW_OLD_URLS:
                    cr = Cryptor(self.context.server.security_key)
                    options = cr.get_options(self.context.request.hash, self.context.request.image_url)
                    if options is None:
                        is_valid = False
                    else:
                        # The request is rebuilt from the decoded options; the
                        # unsafe and blacklist checks above ran against the
                        # previous parameters and are not repeated here.
                        options['request'] = self.request
                        self.context.request = RequestParameters(**options)
                        logger.warning(
                            'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in ' +
                            'upcoming versions. Please start using the new format as soon as possible. ' +
                            'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
                        )
                else:
                    is_valid = False

                if not is_valid:
                    self._error(400, 'Malformed URL: %s' % url)
                    return

        self.execute_image_operations()
Example #5
File: image.py Project: mal/thumbor
    def get(self, **kw):
        """Check the request URL (unsafe flag or signature) and run the image operations.

        Exactly one of the ``unsafe`` marker or a signature (``hash``) must be
        present.  A signature is tried against the server security key, then
        against the key stored for the image (STORES_CRYPTO_KEY_FOR_EACH_IMAGE),
        then as a legacy-format URL (ALLOW_OLD_URLS).  Rejections are reported
        with ``self._error(404, ...)`` and return ``None``.
        """
        ctx = self.context
        url = self.request.uri

        if not self.validate(kw['image']):
            self._error(404,
                        'No original image was specified in the given URL')
            return

        params = RequestParameters(**kw)
        ctx.request = params

        # Turn the raw path segment into a boolean.
        params.unsafe = params.unsafe == 'unsafe'

        if self.request.query:
            params.image_url += '?%s' % self.request.query
        params.image_url = self.encode_url(params.image_url.encode('utf-8'))

        # Reject "neither" and "both": one and only one may be set.
        if bool(params.unsafe) == bool(params.hash):
            self._error(
                404, 'URL does not have hash or unsafe, or has both: %s' % url)
            return

        # Unsigned URLs never reach the signature checks; this is their only gate.
        if params.unsafe and not ctx.config.ALLOW_UNSAFE_URL:
            self._error(
                404,
                'URL has unsafe but unsafe is not allowed by the config: %s' %
                url)
            return

        signature = params.hash
        if not signature:
            return self.execute_image_operations()

        signer = Signer(ctx.server.security_key)
        # NOTE(review): str.replace removes every '/<hash>/' occurrence, not
        # only the leading one, so the validated string can differ from the
        # parsed path; confirm whether the first occurrence alone is intended.
        signed_part = self.encode_url(url).replace('/%s/' % signature, '')
        valid = signer.validate(signature, signed_part)

        if not valid and ctx.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            # Second chance: the key recorded for this image, if any.
            stored_key = ctx.modules.storage.get_crypto(params.image_url)
            if stored_key is not None:
                valid = Signer(stored_key).validate(signature, signed_part)

        if valid:
            return self.execute_image_operations()

        # Legacy URL format, accepted only when the configuration allows it.
        if not ctx.config.ALLOW_OLD_URLS:
            self._error(404, 'Malformed URL: %s' % url)
            return

        legacy = Cryptor(ctx.server.security_key)
        options = legacy.get_options(signature, params.image_url)
        if options is None:
            self._error(404, 'Malformed URL: %s' % url)
            return

        # The request is replaced by the decoded options; the earlier checks
        # are not run again on the new parameters.
        ctx.request = RequestParameters(**options)
        logger.warning(
            'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in upcoming versions. Please start using the new format as soon as possible. More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
        )
        return self.execute_image_operations()
Example #6
    def get(self, **kw):
        """Resolve the image id, validate the URL and run the image operations.

        If storage already holds an entry for the first 32 characters of
        ``kw['image']``, the image parameter is shortened to that id.  The URL
        must then carry exactly one of ``unsafe`` or a signature; a signature
        is tried against the server key, the per-image stored key
        (STORES_CRYPTO_KEY_FOR_EACH_IMAGE) and the legacy format
        (ALLOW_OLD_URLS), in that order.  Rejections use
        ``self._error(404, ...)`` and return ``None``.
        """
        ctx = self.context

        # Check if an image with an uuid exists in storage
        image_id = kw['image'][:32]
        if ctx.modules.storage.exists(image_id):
            # Everything after the 32-character id is discarded.
            kw['image'] = image_id

        url = self.request.uri

        if not self.validate(kw['image']):
            self._error(404, 'No original image was specified in the given URL')
            return

        params = RequestParameters(**kw)
        ctx.request = params

        params.unsafe = params.unsafe == 'unsafe'

        if self.request.query:
            params.image_url += '?%s' % self.request.query
        params.image_url = self.encode_url(params.image_url.encode('utf-8'))

        # Neither or both of "unsafe" / signature is an error.
        if bool(params.unsafe) == bool(params.hash):
            self._error(404, 'URL does not have hash or unsafe, or has both: %s' % url)
            return

        # Unsigned URLs bypass the signature checks; only this flag gates them.
        if params.unsafe and not ctx.config.ALLOW_UNSAFE_URL:
            self._error(404, 'URL has unsafe but unsafe is not allowed by the config: %s' % url)
            return

        signature = params.hash
        if not signature:
            return self.execute_image_operations()

        signer = Signer(ctx.server.security_key)
        # NOTE(review): str.replace removes every '/<hash>/' occurrence, not
        # just the first, so the validated string can differ from the parsed
        # path; confirm whether that is intended.
        signed_part = self.encode_url(url).replace('/%s/' % signature, '')
        valid = signer.validate(signature, signed_part)

        if not valid and ctx.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
            # Retrieves security key for this image if it has been seen before
            stored_key = ctx.modules.storage.get_crypto(params.image_url)
            if stored_key is not None:
                valid = Signer(stored_key).validate(signature, signed_part)

        if valid:
            return self.execute_image_operations()

        # Fall back to the legacy URL format only when it is enabled.
        if not ctx.config.ALLOW_OLD_URLS:
            self._error(404, 'Malformed URL: %s' % url)
            return

        options = Cryptor(ctx.server.security_key).get_options(signature, params.image_url)
        if options is None:
            self._error(404, 'Malformed URL: %s' % url)
            return

        # Earlier checks ran on the previous parameters and are not repeated.
        ctx.request = RequestParameters(**options)
        logger.warning('OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in upcoming versions. Please start using the new format as soon as possible. More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes')
        return self.execute_image_operations()
Example #7
    def check_image(self, kw):
        """Validate the URL parameters in ``kw`` and start the image operations.

        This is a generator: it yields the storage and blacklist lookups
        (presumably driven as a Tornado coroutine; the decorator is not
        visible here).  The request is rejected through
        ``self._error(404, ...)`` when no image is given, when the URL has
        neither or both of ``unsafe`` and a signature, when ``unsafe`` is
        disabled by configuration, when the source image is blacklisted, or
        when no signature check succeeds.

        :param kw: parsed URL parameters.  The dict is mutated: ``kw['image']``
            may be shortened and ``kw['request']`` is set.
        """
        if self.context.config.MAX_ID_LENGTH > 0:
            # Check if an image with an uuid exists in storage
            exists = yield gen.maybe_future(
                self.context.modules.storage.exists(
                    kw['image'][:self.context.config.MAX_ID_LENGTH]))
            if exists:
                # Anything after the first MAX_ID_LENGTH characters is dropped.
                kw['image'] = kw['image'][:self.context.config.MAX_ID_LENGTH]

        url = self.request.uri

        if not self.validate(kw['image']):
            self._error(404,
                        'No original image was specified in the given URL')
            return

        kw['request'] = self.request

        self.context.request = RequestParameters(**kw)

        # Exactly one of "unsafe" / signature must be present.
        has_none = not self.context.request.unsafe and not self.context.request.hash
        has_both = self.context.request.unsafe and self.context.request.hash

        if has_none or has_both:
            self._error(
                404, 'URL does not have hash or unsafe, or has both: %s' % url)
            return

        # Unsigned URLs skip the signature block below; this flag is their only gate.
        if self.context.request.unsafe and not self.context.config.ALLOW_UNSAFE_URL:
            self._error(
                404,
                'URL has unsafe but unsafe is not allowed by the config: %s' %
                url)
            return

        if self.context.config.USE_BLACKLIST:
            blacklist = yield self.get_blacklist_contents()
            # NOTE(review): the meaning of `in` depends on what
            # get_blacklist_contents returns (substring match if it is a str,
            # exact match for a list/set) - confirm.
            if self.context.request.image_url in blacklist:
                self._error(
                    404, 'Source image url has been blacklisted: %s' %
                    self.context.request.image_url)
                return

        url_signature = self.context.request.hash
        if url_signature:
            signer = Signer(self.context.server.security_key)

            # NOTE(review): str.replace drops every '/<hash>/' occurrence, not
            # only the leading one, so the validated string can differ from
            # the parsed path - confirm whether the first occurrence is enough.
            url_to_validate = Url.encode_url(url).replace(
                '/%s/' % self.context.request.hash, '')
            valid = signer.validate(url_signature, url_to_validate)

            if not valid and self.context.config.STORES_CRYPTO_KEY_FOR_EACH_IMAGE:
                # Retrieves security key for this image if it has been seen before
                security_key = yield gen.maybe_future(
                    self.context.modules.storage.get_crypto(
                        self.context.request.image_url))
                if security_key is not None:
                    # A signature made with the stored key is accepted even
                    # though it failed against the current server key.
                    signer = Signer(security_key)
                    valid = signer.validate(url_signature, url_to_validate)

            if not valid:
                # Legacy-format fallback, only when ALLOW_OLD_URLS is enabled.
                is_valid = True
                if self.context.config.ALLOW_OLD_URLS:
                    cr = Cryptor(self.context.server.security_key)
                    options = cr.get_options(self.context.request.hash,
                                             self.context.request.image_url)
                    if options is None:
                        is_valid = False
                    else:
                        # The request is rebuilt from the decoded options; the
                        # unsafe and blacklist checks above ran against the
                        # previous parameters and are not repeated here.
                        options['request'] = self.request
                        self.context.request = RequestParameters(**options)
                        logger.warning(
                            'OLD FORMAT URL DETECTED!!! This format of URL will be discontinued in '
                            +
                            'upcoming versions. Please start using the new format as soon as possible. '
                            +
                            'More info at https://github.com/globocom/thumbor/wiki/3.0.0-release-changes'
                        )
                else:
                    is_valid = False

                if not is_valid:
                    self._error(404, 'Malformed URL: %s' % url)
                    return

        self.execute_image_operations()