From 747a1435ec35ebac24e9e321e6b3b4afcc2bea7b Mon Sep 17 00:00:00 2001 From: Don Armstrong Date: Sat, 29 Apr 2017 08:42:56 -0700 Subject: [PATCH] Fix breakage caused by cdn.libravatar.org not setting Content-Type - Actually test using libmagic and adjust type on that basis --- Debbugs/Libravatar.pm | 28 +++++++++++++++++++--------- debian/changelog | 3 +++ 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/Debbugs/Libravatar.pm b/Debbugs/Libravatar.pm index 883305f..373a9f5 100644 --- a/Debbugs/Libravatar.pm +++ b/Debbugs/Libravatar.pm @@ -58,6 +58,8 @@ BEGIN{ } +our $magic; + =over =item retrieve_libravatar @@ -103,7 +105,7 @@ sub retrieve_libravatar{ } require LWP::UserAgent; - my $dest_type; + my $dest_type = 'png'; eval { my $uri = libravatar_url(email => $param{email}, default => 404, @@ -116,6 +118,7 @@ sub retrieve_libravatar{ $ua->timeout(10); # if the avatar is bigger than 30K, we don't want it either $ua->max_size(30*1024); + $ua->default_header('Accept' => 'image/*'); my $r = $ua->get($uri); if (not $r->is_success()) { if ($r->code != 404) { @@ -139,10 +142,11 @@ sub retrieve_libravatar{ my $type = $r->header('Content-Type'); # if there's no content type, or it's not one we like, we won't # bother going further - die "No content type" if not defined $type; - die "Wrong content type" if not $type =~ m{^image/([^/]+)$}; - $dest_type = $type_mapping{$1}; - die "No dest type" if not defined $dest_type; + if (defined $type) { + die "Wrong content type" if not $type =~ m{^image/([^/]+)$}; + $dest_type = $type_mapping{$1}; + die "No dest type" if not defined $dest_type; + } # undo any content encoding $r->decode() or die "Unable to decode content encoding"; # ok, now we need to convert it from whatever it is into a 
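Review bot: The header check kept inside the `if (defined $type)` branch of the @@ -139 hunk still uses `m{^image/([^/]+)$}`, so a server that sends a parameterised header such as `image/png; charset=binary` is rejected, while the libmagic check added later in this patch accepts parameters. Using the same pattern in both places, `m{^image/([^/;]+)(?:;|$)}`, would keep them consistent. The comment above the branch still says a missing content type stops processing, which is no longer true; something like `# the header is only an early reject; the real type is decided from the file contents below` would match the new behaviour. The `$dest_type` assigned here, and the `'png'` default from the @@ -103 hunk, appear to be overwritten by the libmagic result whenever the later block runs, so they could be dropped to make a missed assignment fail loudly. retrieve_libravatar starts and ends outside this hunk.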
@@ -152,7 +156,14 @@ sub retrieve_libravatar{ eval { print {$temp_fh} $r->content() or die "Unable to print to temp file"; - close ($temp_fh); + close ($temp_fh) or + die "Unable to close temp file"; + ### Figure out the actual type from the file + $magic = File::LibMagic->new() if not defined $magic; + $type = $magic->checktype_filename(abs_path($temp_fn)); + die "Wrong content type ($type)" if not $type =~ m{^image/([^/;]+)(?:;|$)}; + $dest_type = $type_mapping{$1}; + die "No dest type for ($1)" if not defined $dest_type; ### resize all images to 80x80 and strip comments out of ### them. If convert has a bug, it would be possible for ### this to be an attack vector, but hopefully minimizing @@ -214,7 +225,8 @@ sub cache_location { croak("cache_location must be called with one of md5sum or email"); } return (undef, 0) if blocked_libravatar($param{email},$md5sum); - $stem = $config{libravatar_cache_dir}.'/'.$md5sum; + my $cache_dir = $param{cache_dir} // $config{libravatar_cache_dir}; + $stem = $cache_dir.'/'.$md5sum; for my $ext ('.png', '.jpg', '') { my $path = $stem.$ext; if (-e $path) { @@ -294,8 +306,6 @@ sub handler { -our $magic; - sub serve_cache_mod_perl { my ($cache_location,$r,$timestamp) = @_; if (not defined $cache_location or not length $cache_location) { diff --git a/debian/changelog b/debian/changelog index e196974..726ea26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -45,6 +45,9 @@ debbugs (2.6.0~exp1) UNRELEASED; urgency=low * debbugs-web now Breaks/Replaces debbugs (<< 2.4.2) (Closes: #717967) * Split source file properly (Closes: #858671). Thanks to James McCoy. * Prefix 'src:' to all source package names. + * cdn.libravatar.org no longer sends Content-Type. Switch to verifying + the content-type using libmagic instead (which we probably should have + been doing from the beginning anyway). (Closes: #856991) [ Niels Thykier ] * quitcgi() now returns 400/500 status codes instead of 200 (Closes: #584922) -- 2.39.2
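Review bot: `File::LibMagic->new()` and `abs_path()` are called in the @@ -152 hunk without a visible `require File::LibMagic;` or `Cwd` import, and this function loads `LWP::UserAgent` lazily with `require`, so the same may be needed here. Because the calls sit inside an `eval`, a missing module would surface only as a failed avatar fetch rather than a visible error. Adding `require File::LibMagic;` before the `->new()` makes the dependency explicit if it is not already loaded at file level. A one-line comment stating that the type detected from the file, not the HTTP header, decides `$dest_type` before the data reaches `convert` would help the next reader. The enclosing `eval` block and retrieve_libravatar continue outside the hunk.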
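Review bot: The new `cache_dir` option in the @@ -214 hunk is joined straight into the path as `$cache_dir.'/'.$md5sum`, and nothing in the hunk documents or constrains it. If `cache_location` validates its arguments against a spec outside this hunk, `cache_dir` needs an entry there. The POD should also state that it must come from trusted configuration or test code, never from request data. It is worth confirming that a caller-supplied `md5sum` is checked against something like `/\A[0-9a-f]{32}\z/` before it becomes part of a filename. cache_location starts and ends outside this hunk.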