
Max src resolution config; Larger default max src dimension

DarthSim 7 år sedan
förälder
incheckning
2940478ec9
3 ändrade filer med 30 tillägg och 13 borttagningar
  1. 3 2
      README.md
  2. 23 10
      config.go
  3. 4 1
      download.go

+ 3 - 2
README.md

@@ -143,9 +143,10 @@ $ xxd -g 2 -l 64 -p /dev/random | tr -d '\n'
 
 #### Security
 
-imgproxy protects you from so-called image bombs. Here is how you can specify maximum image dimensions which you consider reasonable:
+imgproxy protects you from so-called image bombs. Here is how you can specify maximum image dimensions and resolution which you consider reasonable:
 
-* `IMGPROXY_MAX_SRC_DIMENSION` — the maximum dimensions of the source image, in pixels, for both width and height. Images with larger real size will be rejected. Default: `4096`;
+* `IMGPROXY_MAX_SRC_DIMENSION` — the maximum dimensions of the source image, in pixels, for both width and height. Images with larger real size will be rejected. Default: `8192`;
+* `IMGPROXY_MAX_SRC_RESOLUTION` — the maximum resolution of the source image, in megapixels. Images with larger real size will be rejected. Default: `16.8`;
 
 You can also specify a secret to enable authorization with the HTTP `Authorization` header:
 

+ 23 - 10
config.go

@@ -18,6 +18,12 @@ func intEnvConfig(i *int, name string) {
 	}
 }
 
+func megaIntEnvConfig(f *int, name string) {
+	if env, err := strconv.ParseFloat(os.Getenv(name), 64); err == nil {
+		*f = int(env * 1000000)
+	}
+}
+
 func strEnvConfig(s *string, name string) {
 	if env := os.Getenv(name); len(env) > 0 {
 		*s = env
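Review bot: `megaIntEnvConfig` converts whatever `strconv.ParseFloat` accepts straight to `int`, and that includes `NaN`, `Inf` and values such as `1e300`. Go leaves the result of an out-of-range float-to-int conversion implementation-dependent, so on some platforms the limit can become a huge positive number, pass the `<= 0` check added later in `init()`, and effectively switch off this image-bomb guard. Reject non-finite and oversized values before converting, and round rather than truncate so a fractional megapixel value is not nudged down by floating-point error. The sketch below needs `math` imported in config.go; the import block is not visible in this hunk.

```go
func megaIntEnvConfig(f *int, name string) {
	env, err := strconv.ParseFloat(os.Getenv(name), 64)
	if err != nil {
		return
	}
	// Bound the value so int(mp) is well defined on 32- and 64-bit builds.
	mp := math.Round(env * 1000000)
	if math.IsNaN(mp) || math.Abs(mp) > math.MaxInt32 {
		log.Fatalf("%s is out of range: %q\n", name, os.Getenv(name))
	}
	*f = int(mp)
}
```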
@@ -69,7 +75,8 @@ type config struct {
 	MaxClients      int
 	TTL             int
 
-	MaxSrcDimension int
+	MaxSrcDimension  int
+	MaxSrcResolution int
 
 	Quality         int
 	GZipCompression int
@@ -81,15 +88,16 @@ type config struct {
 }
 
 var conf = config{
-	Bind:            ":8080",
-	ReadTimeout:     10,
-	WriteTimeout:    10,
-	DownloadTimeout: 5,
-	Concurrency:     runtime.NumCPU() * 2,
-	TTL:             3600,
-	MaxSrcDimension: 4096,
-	Quality:         80,
-	GZipCompression: 5,
+	Bind:             ":8080",
+	ReadTimeout:      10,
+	WriteTimeout:     10,
+	DownloadTimeout:  5,
+	Concurrency:      runtime.NumCPU() * 2,
+	TTL:              3600,
+	MaxSrcDimension:  8192,
+	MaxSrcResolution: 16800000,
+	Quality:          80,
+	GZipCompression:  5,
 }
 
 func init() {
@@ -111,6 +119,7 @@ func init() {
 	intEnvConfig(&conf.TTL, "IMGPROXY_TTL")
 
 	intEnvConfig(&conf.MaxSrcDimension, "IMGPROXY_MAX_SRC_DIMENSION")
+	megaIntEnvConfig(&conf.MaxSrcResolution, "IMGPROXY_MAX_SRC_RESOLUTION")
 
 	intEnvConfig(&conf.Quality, "IMGPROXY_QUALITY")
 	intEnvConfig(&conf.GZipCompression, "IMGPROXY_GZIP_COMPRESSION")
@@ -162,6 +171,10 @@ func init() {
 		log.Fatalf("Max src dimension should be greater than 0, now - %d\n", conf.MaxSrcDimension)
 	}
 
+	if conf.MaxSrcResolution <= 0 {
+		log.Fatalf("Max src resolution should be greater than 0, now - %d\n", conf.MaxSrcResolution)
+	}
+
 	if conf.Quality <= 0 {
 		log.Fatalf("Quality should be greater than 0, now - %d\n", conf.Quality)
 	} else if conf.Quality > 100 {

+ 4 - 1
download.go

@@ -65,7 +65,10 @@ func checkTypeAndDimensions(r io.Reader) (imageType, error) {
 		return UNKNOWN, err
 	}
 	if imgconf.Width > conf.MaxSrcDimension || imgconf.Height > conf.MaxSrcDimension {
-		return UNKNOWN, errors.New("File is too big")
+		return UNKNOWN, errors.New("Source image is too big")
+	}
+	if imgconf.Width*imgconf.Height > conf.MaxSrcResolution {
+		return UNKNOWN, errors.New("Source image is too big")
 	}
 	if !imgtypeOk || !vipsTypeSupportLoad[imgtype] {
 		return UNKNOWN, errors.New("Source image type not supported")
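Review bot: The product `imgconf.Width*imgconf.Height` is computed in platform `int`, so the new megapixel check is overflow-safe only because the `MaxSrcDimension` comparison above it has already returned for oversized sides. On a 32-bit build with `IMGPROXY_MAX_SRC_DIMENSION` raised above roughly 46340, the product could wrap and an oversized image would pass. Widening the operands removes that dependence on ordering and configuration: `if int64(imgconf.Width)*int64(imgconf.Height) > int64(conf.MaxSrcResolution) {`. Both rejections also return the same "Source image is too big" text, so an operator reading logs cannot tell which limit fired; distinct messages would make the two settings easier to tune. `checkTypeAndDimensions` starts before this hunk and continues after it.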