33from urllib .parse import urlparse
44
55from django .conf import settings
6+ from django .core .exceptions import PermissionDenied
67from django .core .files .storage import default_storage
78from django .http import FileResponse , HttpResponseNotFound , HttpResponseRedirect
89from django .shortcuts import render
@@ -57,6 +58,9 @@ def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
5758 return context
5859
5960
61+ ALLOWED_DIMENSIONS = (64 , 128 , 256 , 360 , 480 )
62+
63+
6064class ThumbnailServeView (View ):
6165 def get (self , request , * args , ** kwargs ):
6266 asset_path = self .kwargs .get ("path" )
@@ -67,6 +71,11 @@ def get(self, request, *args, **kwargs):
6771 except (ValueError , TypeError ):
6872 width , height = 0 , 0
6973
74+ # This is a check to prevent potential malicious enumeration of
75+ # thumbnail sizes to flood the storage / server.
76+ if width not in ALLOWED_DIMENSIONS or height not in ALLOWED_DIMENSIONS :
77+ raise PermissionDenied ()
78+
7079 max_age = 300 # 5 minutes
7180
7281 if not asset_path or width <= 0 or height <= 0 :
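Review bot: Placing the allow-list check ahead of the existing `width <= 0 or height <= 0` test makes the dimension part of that test unreachable: the `except` fallback sets both to 0, 0 is not in ALLOWED_DIMENSIONS, so a malformed or missing size now raises PermissionDenied (403) instead of reaching the existing branch (its body is outside the hunk; HttpResponseNotFound is imported, so presumably it returned 404). If the intent is one consistent response for every invalid size, fold the new condition into that branch, e.g. `if not asset_path or width not in ALLOWED_DIMENSIONS or height not in ALLOWED_DIMENSIONS:`, and drop the separate raise; if the 403 is deliberate, say so in the comment, e.g. `# Sizes outside ALLOWED_DIMENSIONS are rejected with 403 before any storage lookup so unlisted sizes never trigger thumbnail generation.` The ALLOWED_DIMENSIONS tuple in the earlier hunk would also benefit from a one-line comment pointing at this check. The get() method starts and ends outside the hunk.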