harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

svg thumbnails have security concerns. Added thumbnail security setting and hook to generate other thumbnails - a plugin for text file thumbnails isn't too difficult (using imagemagick lib), however it's a tossup whether we do this at file submission time or at render time for performance reasons. Perhaps both options should be available.

Browse Source
This commit is contained in:
zotlabs 2017-11-17 13:54:16 -08:00
parent ab363e3132
commit eb1e9edd33
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Zotlabs/Storage/Browser.php
View File

@ -200,9 +200,13 @@ class Browser extends DAV\Browser\Plugin {
// generate preview icons for tile view.
// Currently we only handle images, but this could potentially be extended with plugins
// to provide document and video thumbnails
// to provide document and video thumbnails. SVG, PDF and office documents have some
// security concerns and should only be allowed on single-user sites with tightly controlled
// upload access. system.thumbnail_security should be set to 1 if you want to include these
// types
$photo_icon = '';
$preview_style = intval(get_config('system','thumbnail_security',0));
if(strpos($type,'image/') === 0 && $attachHash) {
$r = q("select resource_id, imgscale from photo where resource_id = '%s' and imgscale in ( %d, %d ) order by imgscale asc limit 1",
@ -213,12 +217,17 @@ class Browser extends DAV\Browser\Plugin {
if($r) {
$photo_icon = 'photo/' . $r[0]['resource_id'] . '-' . $r[0]['imgscale'];
}
if($type === 'image/svg+xml') {
if($type === 'image/svg+xml' && $preview_style > 0) {
$photo_icon = $fullPath;
}
}
$g = [ 'resource_id' => $attachHash, 'thumbnail' => $photo_icon, 'security' => $preview_style ];
call_hooks('file_thumbnail', $g);
$photo_icon = $g['photo_icon'];
$attachIcon = ""; // "<a href=\"attach/".$attachHash."\" title=\"".$displayName."\"><i class=\"fa fa-arrow-circle-o-down\"></i></a>";
// put the array for this file together

3
doc/hooklist.bb
View File

@ -229,6 +229,9 @@ Hooks allow plugins/addons to "hook into" the code at many points and alter the
[zrl=[baseurl]/help/hook/feature_settings_post]feature_settings_post[/zrl]
called from settings page when posting from 'addon/feature settings'
[zrl=[baseurl]/help/hook/file_thumbnail]file_thumbnail[/zrl]
called when generating thumbnail images for cloud page in 'view tiles' mode
[zrl=[baseurl]/help/hook/follow]follow[/zrl]
called when a follow operation takes place