RMagick, resizing and security

I am checking out the FlexImage plugin and I like what I see. I do have one question though.

One of the main things I like is the ability to resize dynamically by passing in the size parameter.

My concern at this point is whether or not this opens up a security vulnerability - for if a user setup a script to call every size variation between 1x1 and 500x500 for a given image (or worse a list of images) I'm guessing all the RMagick work would probably but a serious load on the server, possibly even creating a DOS type situation. What are your thoughts on this? Is there any reasonable way to prevent this scenario? Am I misunderstanding the situation? Or is it just an accepted risk?

I am checking out the FlexImage plugin and I like what I see. I do
have one question though.

One of the main things I like is the ability to resize dynamically by
passing in the size parameter.

My concern at this point is whether or not this opens up a security
vulnerability - for if a user setup a script to call every size
variation between 1x1 and 500x500 for a given image (or worse a list
of images) I'm guessing all the RMagick work would probably but a
serious load on the server, possibly even creating a DOS type
situation. What are your thoughts on this? Is there any reasonable
way to prevent this scenario? Am I misunderstanding the situation?
Or is it just an accepted risk?

Certainly that's possible... you could work around it a couple of ways...

- Don't pass the size in the url, but have keywords or some such that relate to a set size. Odds are you dont' really need all the sizes from 1x1 to 500x500 :slight_smile:

- Pass along an md5 hash that's the combination of the size and some secret keyword. Have the fleximage action check it to make sure they match. This seems like overkill to me though (just in terms of headache).

I'm sure there are other ways..

-philip

The best way (in my opinion) to do it is resize one time and save. Hard
drive space is cheaper than a DOS.

If I had one known size, I would agree. But the situation is that I'm
allowing various users to create custom layouts (via the Liquid
template system). I wish to allow all such users to take advantage of
image assets in the system and allow them to request a size that fits
their layout.

Storage of images will be in the filesystem, and I believe once a given
size has been requested the naming format FlexImage uses supports
caching of that image for future re-use.

> - Don't pass the size in the url, but have keywords or some such that
> relate to a set size. Odds are you dont' really need all the sizes from
> 1x1 to 500x500 :slight_smile:

Perhaps a workable solution. Instead of allowing users pixel level
control over image size, I could give them increments of 50px to work
with. This way all resizing could be done up front.

> - Pass along an md5 hash that's the combination of the size and some
> secret keyword. Have the fleximage action check it to make sure they
> match. This seems like overkill to me though (just in terms of
> headache).

Does seem like overkill, but also seems like the one solution offered
so far to allow dynamic resizing from the template which provides some
measure of protection against malicious exploitation. Thanks!

Thanks to everyone so far. If anyone else has two cents to throw in -
please feel free!

Is this something that could be configured in Apache? or would it have
to be done in rails? I'm not that familiar with apache, but it seems
that it would be much faster at this task if it can be setup that way.

With page_caching of your image action in place, it shouldn't hit you
too hard. The first time those urls are loaded would be a strain,
however, after that they will be served from the file system very quick
without invoking rails. It would still load lots of image, but makes
you system no more vulnerable than any other website that serves images.

Depends on how much disk space you have as well though... if you allow them to pass the size in via the url someone could do this:

1.upto(10000) do |x|
   1.upto(10000) do |y|
     ... generate image at width=x height=y
   end
end

so even if your server could handle it, it's going to eat up a lot of disk space...

just something to keep in mind.

Also this can be gotten around as the only way your server knows the referer is based on a header the browser supplies. So if I wanted to I could just fake it...

(someone please correct me if I'm wrong)

-philip