Add typeBasedMethod for PDF to disallow conversion of PDF into image, if size exceed A3 iso format.

This rules prevent DOS vulnerability during reindexation. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@35739 20353a03-c40f-0410-a6d1-a30d3c3de9de

Add typeBasedMethod for PDF to disallow conversion of PDF into image, if size exceed A3 iso format.
This rules prevent DOS vulnerability during reindexation. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@35739 20353a03-c40f-0410-a6d1-a30d3c3de9de
12b9a7aa · Nicolas Delaby · cfde4379 · 12b9a7aa · 12b9a7aa
Commit 12b9a7aa authored May 28, 2010 by Nicolas Delaby
Showing with 163 additions and 1 deletion

bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml ...al_skins/erp5_dms/PDF_checkConversionFormatPermission.xml +162 -0

bt5/erp5_dms/bt/revision bt5/erp5_dms/bt/revision +1 -1

No files found.
--- a/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml
+++ b/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/PDF_checkConversionFormatPermission.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <tuple>
+        <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+        <tuple/>
+      </tuple>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string encoding="cdata"><![CDATA[
+
+from Products.ERP5.Document.Document import VALID_IMAGE_FORMAT_LIST\n
+\n
+if format in VALID_IMAGE_FORMAT_LIST:\n
+  # Check if PDF size is not too large for conversion tool\n
+  content_information = context.getContentInformation()\n
+  size = content_information.get(\'Page size\')\n
+  if not size:\n
+    # If we can not extract the size,\n
+    # We do not take any risk and disallow conversion\n
+    return False\n
+\n
+  width = float(size.split(\' \')[0])\n
+  height = float(size.split(\' \')[2])\n
+  # The default resolution is 72 dots per inch,\n
+  # which is equivalent to one point per pixel (Macintosh and Postscript standard)\n
+\n
+  # Max surface allowed to convert an image,\n
+  # value is surface of A3 (11.7 inchs * 72 dpi * 16.5 inchs * 72 dpi)\n
+  maximum_surface = 1000772\n
+\n
+  if (width * height) > maximum_surface:\n
+    return False\n
+\n
+return True\n
+
+
+]]></string> </value>
+        </item>
+        <item>
+            <key> <string>_code</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>format, **kw</string> </value>
+        </item>
+        <item>
+            <key> <string>errors</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_code</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="FuncCode" module="Shared.DC.Scripts.Signature"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>co_argcount</string> </key>
+                        <value> <int>1</int> </value>
+                    </item>
+                    <item>
+                        <key> <string>co_varnames</string> </key>
+                        <value>
+                          <tuple>
+                            <string>format</string>
+                            <string>kw</string>
+                            <string>Products.ERP5.Document.Document</string>
+                            <string>VALID_IMAGE_FORMAT_LIST</string>
+                            <string>_getattr_</string>
+                            <string>context</string>
+                            <string>content_information</string>
+                            <string>size</string>
+                            <string>False</string>
+                            <string>float</string>
+                            <string>_getitem_</string>
+                            <string>width</string>
+                            <string>height</string>
+                            <string>maximum_surface</string>
+                            <string>True</string>
+                          </tuple>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_defaults</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>PDF_checkConversionFormatPermission</string> </value>
+        </item>
+        <item>
+            <key> <string>warnings</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_dms/bt/revision
+++ b/bt5/erp5_dms/bt/revision
-1144
\ No newline at end of file
+1145
\ No newline at end of file