- print {$temp_fh} $r->content() or
- die "Unable to print to temp file";
- close ($temp_fh);
- ### resize all images to 80x80 and strip comments out of them.
- ### If convert has a bug, it would be possible for this to be
- ### an attack vector, but hopefully minimizing the size above,
- ### and requiring proper mime types will minimize that
- ### slightly. Doing this will at least make it harder for
- ### malicious web images to harm our users
- system('convert','-resize','80x80',
- '-strip',
- $temp_fn,
- $cache_location.'.'.$dest_type) == 0 or
- die "convert file failed";
- unlink($temp_fh);
+ my $uri = libravatar_url(email => $param{email},
+ default => 404,
+ size => 80);
+ my $ua = LWP::UserAgent->new(agent => 'Debbugs libravatar service (not Mozilla)',
+ );
+ $ua->from($config{maintainer});
+ # if we don't get an avatar within 10 seconds, return so we
+ # don't block forever
+ $ua->timeout(10);
+ # if the avatar is bigger than 30K, we don't want it either
+ $ua->max_size(30*1024);
+ my $r = $ua->get($uri);
+ if (not $r->is_success()) {
+ die "Not successful in request";
+ }
+ my $aborted = $r->header('Client-Aborted');
+ # if we exceeded max size, I'm not sure if we'll be
+ # successfull or not, but regardless, there will be a
+ # Client-Aborted header. Stop here if that header is defined.
+ die "Client aborted header" if defined $aborted;
+ my $type = $r->header('Content-Type');
+ # if there's no content type, or it's not one we like, we won't
+ # bother going further
+ die "No content type" if not defined $type;
+ die "Wrong content type" if not $type =~ m{^image/([^/]+)$};
+ $dest_type = $type_mapping{$1};
+ die "No dest type" if not defined $dest_type;
+ # undo any content encoding
+ $r->decode() or die "Unable to decode content encoding";
+ # ok, now we need to convert it from whatever it is into a
+ # format that we actually like
+ my ($temp_fh,$temp_fn) = tempfile() or
+ die "Unable to create temporary file";
+ eval {
+ print {$temp_fh} $r->content() or
+ die "Unable to print to temp file";
+ close ($temp_fh);
+ ### resize all images to 80x80 and strip comments out of
+ ### them. If convert has a bug, it would be possible for
+ ### this to be an attack vector, but hopefully minimizing
+ ### the size above, and requiring proper mime types will
+ ### minimize that slightly. Doing this will at least make
+ ### it harder for malicious web images to harm our users
+ system('convert','-resize','80x80',
+ '-strip',
+ $temp_fn,
+ $cache_location.'.'.$dest_type) == 0 or
+ die "convert file failed";
+ unlink($temp_fn);
+ };
+ if ($@) {
+ unlink($cache_location.'.'.$dest_type) if -e $cache_location.'.'.$dest_type;
+ unlink($temp_fn) if -e $temp_fn;
+ die "Unable to convert image";
+ }