[Erp5-report] r35739 nicolas - in /erp5/trunk/bt5/erp5_dms: SkinTemplateItem/portal_skins/e...
nobody at svn.erp5.org
nobody at svn.erp5.org
Fri May 28 16:46:08 CEST 2010
Author: nicolas
Date: Fri May 28 16:46:06 2010
New Revision: 35739
URL: http://svn.erp5.org?rev=35739&view=rev
Log:
Add typeBasedMethod for PDF to disallow conversion of PDF into image if the page size exceeds the ISO A3 format.
This rule prevents a DoS vulnerability during reindexation.
Added:
erp5/trunk/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml
Modified:
erp5/trunk/bt5/erp5_dms/bt/revision
Added: erp5/trunk/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml
URL: http://svn.erp5.org/erp5/trunk/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml?rev=35739&view=auto
==============================================================================
--- erp5/trunk/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml (added)
+++ erp5/trunk/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml [utf8] Fri May 28 16:46:06 2010
@@ -1,0 +1,162 @@
+<?xml version="1.0"?>
+<ZopeData>
+ <record id="1" aka="AAAAAAAAAAE=">
+ <pickle>
+ <tuple>
+ <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+ <tuple/>
+ </tuple>
+ </pickle>
+ <pickle>
+ <dictionary>
+ <item>
+ <key> <string>Script_magic</string> </key>
+ <value> <int>3</int> </value>
+ </item>
+ <item>
+ <key> <string>_bind_names</string> </key>
+ <value>
+ <object>
+ <klass>
+ <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+ </klass>
+ <tuple/>
+ <state>
+ <dictionary>
+ <item>
+ <key> <string>_asgns</string> </key>
+ <value>
+ <dictionary>
+ <item>
+ <key> <string>name_container</string> </key>
+ <value> <string>container</string> </value>
+ </item>
+ <item>
+ <key> <string>name_context</string> </key>
+ <value> <string>context</string> </value>
+ </item>
+ <item>
+ <key> <string>name_m_self</string> </key>
+ <value> <string>script</string> </value>
+ </item>
+ <item>
+ <key> <string>name_subpath</string> </key>
+ <value> <string>traverse_subpath</string> </value>
+ </item>
+ </dictionary>
+ </value>
+ </item>
+ </dictionary>
+ </state>
+ </object>
+ </value>
+ </item>
+ <item>
+ <key> <string>_body</string> </key>
+ <value> <string encoding="cdata"><![CDATA[
+
+from Products.ERP5.Document.Document import VALID_IMAGE_FORMAT_LIST\n
+\n
+if format in VALID_IMAGE_FORMAT_LIST:\n
+ # Check if PDF size is not too large for conversion tool\n
+ content_information = context.getContentInformation()\n
+ size = content_information.get(\'Page size\')\n
+ if not size:\n
+ # If we can not extract the size,\n
+ # We do not take any risk and disallow conversion\n
+ return False\n
+\n
+ width = float(size.split(\' \')[0])\n
+ height = float(size.split(\' \')[2])\n
+ # The default resolution is 72 dots per inch,\n
+ # which is equivalent to one point per pixel (Macintosh and Postscript standard)\n
+\n
+ # Max surface allowed to convert an image,\n
+ # value is surface of A3 (11.7 inchs * 72 dpi * 16.5 inchs * 72 dpi)\n
+ maximum_surface = 1000772\n
+\n
+ if (width * height) > maximum_surface:\n
+ return False\n
+\n
+return True\n
+
+
+]]></string> </value>
+ </item>
+ <item>
+ <key> <string>_code</string> </key>
+ <value>
+ <none/>
+ </value>
+ </item>
+ <item>
+ <key> <string>_params</string> </key>
+ <value> <string>format, **kw</string> </value>
+ </item>
+ <item>
+ <key> <string>errors</string> </key>
+ <value>
+ <tuple/>
+ </value>
+ </item>
+ <item>
+ <key> <string>func_code</string> </key>
+ <value>
+ <object>
+ <klass>
+ <global name="FuncCode" module="Shared.DC.Scripts.Signature"/>
+ </klass>
+ <tuple/>
+ <state>
+ <dictionary>
+ <item>
+ <key> <string>co_argcount</string> </key>
+ <value> <int>1</int> </value>
+ </item>
+ <item>
+ <key> <string>co_varnames</string> </key>
+ <value>
+ <tuple>
+ <string>format</string>
+ <string>kw</string>
+ <string>Products.ERP5.Document.Document</string>
+ <string>VALID_IMAGE_FORMAT_LIST</string>
+ <string>_getattr_</string>
+ <string>context</string>
+ <string>content_information</string>
+ <string>size</string>
+ <string>False</string>
+ <string>float</string>
+ <string>_getitem_</string>
+ <string>width</string>
+ <string>height</string>
+ <string>maximum_surface</string>
+ <string>True</string>
+ </tuple>
+ </value>
+ </item>
+ </dictionary>
+ </state>
+ </object>
+ </value>
+ </item>
+ <item>
+ <key> <string>func_defaults</string> </key>
+ <value>
+ <none/>
+ </value>
+ </item>
+ <item>
+ <key> <string>id</string> </key>
+ <value> <string>PDF_checkConversionFormatPermission</string> </value>
+ </item>
+ <item>
+ <key> <string>warnings</string> </key>
+ <value>
+ <tuple/>
+ </value>
+ </item>
+ </dictionary>
+ </pickle>
+ </record>
+</ZopeData>
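Review bot: The two `float(size.split(' ')[...])` lines in the script body assume the 'Page size' string has the shape "W x H ..." with numeric first and third tokens; any other shape raises IndexError or ValueError, so a PDF with malformed metadata aborts the caller with a traceback instead of being refused, which contradicts the "we do not take any risk and disallow conversion" intent stated just above for the missing-size case. Wrap the two parsing lines in a `try:` block ending with `except (ValueError, IndexError): return False` so malformed input takes the same fail-closed path as absent input. The size check reads a single 'Page size' entry from getContentInformation(), which presumably describes only the first page; if the conversion tool renders other pages, a document whose later pages are larger than A3 would pass this guard — worth confirming against the converter and noting in a comment. The derivation of `maximum_surface = 1000772` is documented in the comment above it, which is good; stating there that it is rounded up from 842.4 * 1188 = 1000771.2 would make the constant easier to audit.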
Modified: erp5/trunk/bt5/erp5_dms/bt/revision
URL: http://svn.erp5.org/erp5/trunk/bt5/erp5_dms/bt/revision?rev=35739&r1=35738&r2=35739&view=diff
==============================================================================
--- erp5/trunk/bt5/erp5_dms/bt/revision [utf8] (original)
+++ erp5/trunk/bt5/erp5_dms/bt/revision [utf8] Fri May 28 16:46:06 2010
@@ -1,1 +1,1 @@
-1144
+1145