thumbnail: Do not Camo old thumbor URLs; serve images directly.

Providing a signed Camo URL for arbitrary URLs opened the server up to being an open redirector. Return 403 if the URL is not a user upload, and the backend image if it is. Since we do not have ImageAttachment rows for uploads at a time we wrote `/thumbnail?` URLs, return the full-size content.
2025-10-29 19:13:53 +00:00 · 2024-07-24 20:35:18 +00:00
parent a7b304d61d
commit c726d2ec01
4 changed files with 40 additions and 60 deletions
--- a/zerver/lib/thumbnail.py
+++ b/zerver/lib/thumbnail.py
@@ -5,15 +5,12 @@ from collections.abc import Iterator
 from contextlib import contextmanager
 from dataclasses import dataclass
 from typing import TypeVar
-from urllib.parse import urljoin

 import pyvips
 from bs4 import BeautifulSoup
-from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext as _
 from typing_extensions import override

-from zerver.lib.camo import get_camo_url
 from zerver.lib.exceptions import ErrorCode, JsonableError
 from zerver.lib.queue import queue_event_on_commit
 from zerver.models import AbstractAttachment, ImageAttachment
@@ -139,14 +136,6 @@ class BadImageError(JsonableError):
    code = ErrorCode.BAD_IMAGE


-def generate_thumbnail_url(path: str, size: str = "0x0") -> str:
-    path = urljoin("/", path)
-
-    if url_has_allowed_host_and_scheme(path, allowed_hosts=None):
-        return path
-    return get_camo_url(path)
-
-
@contextmanager
 def libvips_check_image(image_data: bytes) -> Iterator[pyvips.Image]:
    # The primary goal of this is to verify that the image is valid,