From ea3419e8b453f847bf6ca8f841ad4fad701214db Mon Sep 17 00:00:00 2001
From: Adhityaa Chandrasekar
Date: Thu, 13 Feb 2020 19:58:52 -0500
Subject: [PATCH] commenter_photo.go: resize images to 38px

---
 api/commenter_photo.go | 35 +++++++++++++++++++++++++++++++----
 api/go.mod             |  1 +
 api/go.sum             |  5 +++++
 frontend/profile.html  |  2 +-
 4 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/api/commenter_photo.go b/api/commenter_photo.go
index 16bfe5c..c0950d7 100644
--- a/api/commenter_photo.go
+++ b/api/commenter_photo.go
@@ -1,8 +1,13 @@
 package main
 
 import (
+	"fmt"
+	"strings"
 	"io"
 	"net/http"
+	"image/jpeg"
+
+	"github.com/disintegration/imaging"
 )
 
 func commenterPhotoHandler(w http.ResponseWriter, r *http.Request) {
@@ -14,13 +19,17 @@ func commenterPhotoHandler(w http.ResponseWriter, r *http.Request) {
 
 	url := c.Photo
 	if c.Provider == "google" {
-		url += "?sz=50"
+		if strings.HasSuffix(url, "photo.jpg") {
+			url += "?sz=38"
+		} else {
+			url += "=s38"
+		}
 	} else if c.Provider == "github" {
-		url += "&s=50"
+		url += "&s=38"
 	} else if c.Provider == "twitter" {
 		url += "?size=normal"
 	} else if c.Provider == "gitlab" {
-		url += "?width=50"
+		url += "?width=38"
 	}
 
 	resp, err := http.Get(url)
@@ -30,5 +39,23 @@ func commenterPhotoHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer resp.Body.Close()
 
-	io.Copy(w, resp.Body)
+	if c.Provider != "commento" { // Custom URL avatars need to be resized.
+		io.Copy(w, resp.Body)
+		return
+	}
+
+	// Limit the size of the response to 128 KiB to prevent DoS attacks
+	// that exhaust memory.
+	limitedResp := &io.LimitedReader{R: resp.Body, N: 128 * 1024}
+
+	img, err := jpeg.Decode(limitedResp)
+	if err != nil {
+		fmt.Fprintf(w, "JPEG decode failed: %v\n", err)
+		return
+	}
+
+	if err = imaging.Encode(w, imaging.Resize(img, 38, 0, imaging.Lanczos), imaging.JPEG); err != nil {
+		fmt.Fprintf(w, "image encoding failed: %v\n", err)
+		return
+	}
 }
diff --git a/api/go.mod b/api/go.mod
index ca8fca6..31f1a33 100644
--- a/api/go.mod
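Review bot: The 128 KiB LimitedReader in the third hunk does not bound decoder memory, because jpeg.Decode sizes its pixel buffers from the width and height declared in the file header rather than from the number of bytes read, so a body well under the cap can still drive a large allocation before any pixel data is consumed. Reading the capped body into memory and checking `jpeg.DecodeConfig` against a dimension limit before calling `jpeg.Decode` closes that gap; the rewrite below needs `bytes` and `io/ioutil` added to the import hunk at the top of the file (go.mod declares go 1.12, so `io.ReadAll` is not available), and a body that was truncated by the cap now fails at the decode step rather than silently producing a partial image. The two `fmt.Fprintf(w, ...)` error paths also answer with the implicit 200 status and a text body where the caller expects an image; `http.Error(w, msg, http.StatusBadGateway)` makes the failure visible to the browser and to monitoring. The comment on the `c.Provider != "commento"` guard reads as if that branch resizes, while it is the branch that streams the upstream body through unchanged; `// Only commento-hosted avatars are resized here; provider URLs already request 38px.` states the intent. commenterPhotoHandler's body starts before this hunk, and whether resp.StatusCode is checked between the http.Get and the defer is not visible from the diff.
```go
	// Limit the size of the response to 128 KiB to prevent DoS attacks
	// that exhaust memory.
	limitedResp := &io.LimitedReader{R: resp.Body, N: 128 * 1024}

	// Read the capped body once so the header can be checked before the
	// pixel buffers are allocated (needs "io/ioutil"; go.mod is at go 1.12).
	data, err := ioutil.ReadAll(limitedResp)
	if err != nil {
		http.Error(w, fmt.Sprintf("reading avatar failed: %v", err), http.StatusBadGateway)
		return
	}

	// The byte cap alone does not bound decoder memory: jpeg.Decode allocates
	// from the dimensions in the header, not from the bytes it has read.
	const maxAvatarDim = 4096 // constructed limit; adjust to the largest avatar expected
	cfg, err := jpeg.DecodeConfig(bytes.NewReader(data)) // needs "bytes"
	if err != nil || cfg.Width > maxAvatarDim || cfg.Height > maxAvatarDim {
		http.Error(w, "unsupported avatar image", http.StatusBadGateway)
		return
	}

	img, err := jpeg.Decode(bytes.NewReader(data))
	if err != nil {
		http.Error(w, fmt.Sprintf("JPEG decode failed: %v", err), http.StatusBadGateway)
		return
	}

	// … unchanged: imaging.Resize / imaging.Encode …
```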
+++ b/api/go.mod
@@ -5,6 +5,7 @@ go 1.12
 require (
 	cloud.google.com/go v0.26.0 // indirect
 	github.com/adtac/go-akismet v0.0.0-20181220032308-0ca9e1023047
+	github.com/disintegration/imaging v1.6.2
 	github.com/golang/protobuf v1.1.0 // indirect
 	github.com/gomodule/oauth1 v0.0.0-20181215000758-9a59ed3b0a84
 	github.com/gorilla/context v1.1.1 // indirect
diff --git a/api/go.sum b/api/go.sum
index b090ba4..ad91b99 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -2,6 +2,8 @@ cloud.google.com/go v0.26.0 h1:e0WKqKTd5BnrG8aKH3J3h+QvEIQtSUcf2n5UZ5ZgLtQ=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/adtac/go-akismet v0.0.0-20181220032308-0ca9e1023047 h1:ZC99vhH6LlWY7bstM3JhEZl1c0a0DWZPFe7+hvRwTlc=
 github.com/adtac/go-akismet v0.0.0-20181220032308-0ca9e1023047/go.mod h1:DU/mtPMgEDGGfgxGATXm2Br5+F7JOClQj9nHVKZMlns=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
 github.com/golang/protobuf v1.1.0 h1:0iH4Ffd/meGoXqF2lSAhZHt8X+cPgkfn/cb6Cce5Vpc=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/gomodule/oauth1 v0.0.0-20181215000758-9a59ed3b0a84 h1:NlNEdePx7QY9Z4rds4EIe1dvUT8Ao1PZgLS80S5YTbU=
@@ -24,9 +26,12 @@ github.com/russross/blackfriday v1.5.1 h1:B8ZN6pD4PVofmlDCDUdELeYrbsVIDM/bpjW3v3
 github.com/russross/blackfriday v1.5.1/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 golang.org/x/crypto v0.0.0-20180808211826-de0752318171 h1:vYogbvSFj2YXcjQxFHu/rASSOt9sLytpCaSkiwQ135I=
 golang.org/x/crypto v0.0.0-20180808211826-de0752318171/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8 h1:hVwzHzIUGRjiF7EcUjqNxk3NCfkPxbDKRdnNE1Rpg0U=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/net v0.0.0-20180811021610-c39426892332 h1:efGso+ep0DjyCBJPjvoz0HI6UldX4Md2F1rZFe1ir0E=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc h1:3ElrZeO6IBP+M8kgu5YFwRo92Gqr+zBg3aooYQ6ziqU=
 golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 google.golang.org/appengine v1.1.0 h1:igQkv0AAhEIvTEpD5LIpAfav2eeVO9HBTjvKHVJPRSs=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
diff --git a/frontend/profile.html b/frontend/profile.html
index 672211f..9da0923 100644
--- a/frontend/profile.html
+++ b/frontend/profile.html
@@ -51,7 +51,7 @@