thumbor’s team is very concerned about security and vulnerabilities of the service. Even though the team strives to cover most scenarios, if you find any flaws or vulnerabilities, please contact the team or create an issue.
Consider the following URL for an image:
Now let’s say that some malicious user wants to overload your service. He can easily ask for other sizes in loops or worse, like:
http://some.server.com/unsafe/300x301/smart/path/to/image.jpg http://some.server.com/unsafe/300x302/smart/path/to/image.jpg http://some.server.com/unsafe/300x303/smart/path/to/image.jpg ... http://some.server.com/unsafe/300x9999/smart/path/to/image.jpg ... http://some.server.com/unsafe/9999x9999/smart/path/to/image.jpg
And that’s not even counting varying the available options.
Other than that, the user can ask for images that do not exist, thus forcing us to perform useless http GET operations or filesystem operations.
We classified both scenarios above as URL Tampering.
In order to prevent users from tampering with the URL, thumbor provides
a configuration called
SECURITY_KEY. This is the key used to
generate a hash-based message authentication
The process is very straightforward. The web server that has the page using thumbor’s image generates an authentication code for the options and image url, using the SECURITY_KEY.
When end-users access the page and thus load the image, thumbor generates an authentication code for the same options and image url, using the same SECURITY_KEY. If both authentication codes match, thumbor processes it.
The secure endpoint looks like this:
/<authentication code with 28 characters>/300x200/smart/path/to/image.jpg.
We intend to supply toolkits in many languages that automate the signing process, but we might need help from the community in this direction.
thumbor uses standard HMAC with SHA1 signing.
Let’s use as an example the url
In order to convert that to a “safe” url, we must sign the part
- Generate a
signatureof that part using HMAC-SHA1 with the SECURITY_KEY.
- Encode the
signatureas base64. thumbor uses
urlsafe_b64encodemethod of the native python’s base64 module. This method replaces some characters in the base64 string so it becomes more url friendly.
- Append the
encoded_signatureto the beginning of the URL, like:
That last part gives you the new url:
Notice that the url includes the options part
required for thumbor to generate an authentication code to match the one
that signs the image (
The code included in this documentation is illustrational and should not be used for any purposes.
The description of the base64 method is: reference
base64.urlsafe_b64encode(s) Encode string s using a URL-safe alphabet, which substitutes - instead of + and _ instead of / in the standard Base64 alphabet. The result can still contain =.
Loading Images over HTTPS¶
The default http_loader loads images by default over http. To change the default to https, use the https_loader instead. To enforce https, use the strict_https_loader. Check the Image loader page for more details.
There are implementations of url generators in various languages, take a look at the [Libraries] page to find information about them.