use DBD::Pg;
use Image::Magick;
use POSIX;
-use Digest::SHA1;
+use Digest::MD5;
+use Digest::SHA;
+use Digest::HMAC_SHA1;
use MIME::Base64;
use MIME::Types;
use LWP::Simple;
use Image::ExifTool;
use HTML::Entities;
use URI::Escape;
+use File::Basename;
+use Crypt::Eksblowfish::Bcrypt;
BEGIN {
use Exporter ();
require Sesse::pr0n::Config_local;
};
- $VERSION = "v2.70";
+ $VERSION = "v2.81";
@ISA = qw(Exporter);
@EXPORT = qw(&error &dberror);
%EXPORT_TAGS = qw();
$quote = LWP::Simple::get("http://itk.samfundet.no/include/quotes.cli.php");
$quote = "Error: Could not fetch quotes." if (!defined($quote));
}
- Sesse::pr0n::Templates::print_template($r, "header", { title => $title, quotes => Encode::decode_utf8($quote) });
+ Sesse::pr0n::Templates::print_template($r, "header", { title => $title, quotes => $quote });
}
sub footer {
my $r = shift;
return $r->dir_config('ImageBase');
}
-
+
sub get_disk_location {
my ($r, $id) = @_;
my $dir = POSIX::floor($id / 256);
}
}
+sub ensure_disk_location_exists {
+ my ($r, $id) = @_;
+ my $dir = POSIX::floor($id / 256);
+
+ my $img_dir = get_base($r) . "/images/$dir/";
+ if (! -d $img_dir) {
+ $r->log->info("Need to create new image directory $img_dir");
+ mkdir($img_dir) or die "Couldn't create new image directory $img_dir";
+ }
+
+ my $cache_dir = get_base($r) . "/cache/$dir/";
+ if (! -d $cache_dir) {
+ $r->log->info("Need to create new cache directory $cache_dir");
+ mkdir($cache_dir) or die "Couldn't create new image directory $cache_dir";
+ }
+}
+
sub get_mipmap_location {
my ($r, $id, $width, $height) = @_;
my $dir = POSIX::floor($id / 256);
# Tags
my @tags = $exiftool->GetValue('Keywords', 'ValueConv');
+ if (scalar @tags == 0) {
+ # This is XMP-dc:Subject, an RDF bag of tags.
+ @tags = $exiftool->GetValue('Subject', 'ValueConv');
+ }
$dbh->do('DELETE FROM tags WHERE image=?',
undef, $id)
or die "Couldn't delete old tag information in SQL: $!";
# update the last_picture cache as well (this should of course be done
# via a trigger, but this is less complicated :-) )
- $dbh->do('UPDATE last_picture_cache SET last_picture=GREATEST(last_picture, ?) WHERE (vhost,event)=(SELECT vhost,event FROM images WHERE id=?)',
+ $dbh->do('UPDATE last_picture_cache SET last_picture=GREATEST(last_picture, ?),last_update=CURRENT_TIMESTAMP WHERE (vhost,event)=(SELECT vhost,event FROM images WHERE id=?)',
undef, $datetime, $id)
or die "Couldn't update last_picture in SQL: $!";
}
sub check_access {
my $r = shift;
+
+ #return qw(sesse Sesse);
my $auth = $r->headers_in->{'authorization'};
- if (!defined($auth) || $auth !~ m#^Basic ([a-zA-Z0-9+/]+=*)$#) {
+ if (!defined($auth)) {
+ output_401($r);
+ return undef;
+ }
+ if ($auth =~ /^Basic ([a-zA-Z0-9+\/]+=*)$/) {
+ return check_basic_auth($r, $1);
+ }
+ if ($auth =~ /^Digest (.*)$/) {
+ return check_digest_auth($r, $1);
+ }
+ output_401($r);
+ return undef;
+}
+
+sub output_401 {
+ my ($r, %options) = @_;
+ $r->content_type('text/plain; charset=utf-8');
+ $r->status(401);
+ $r->headers_out->{'www-authenticate'} = 'Basic realm="pr0n.sesse.net"';
+
+ # Digest auth is disabled for now, due to various client problems.
+ if (0 && ($options{'DigestAuth'} // 1)) {
+ # We make our nonce similar to the scheme of RFC2069 section 2.1.1,
+ # with some changes: We don't care about client IP (these have a nasty
+ # tendency to change from request to request when load-balancing
+ # proxies etc. are being used), and we use HMAC instead of simple
+ # hashing simply because that's a better signing method.
+ #
+ # NOTE: For some weird reason, Digest::HMAC_SHA doesn't like taking
+ # the output from time directly (it gives a different response), so we
+ # forcefully stringify the argument.
+ my $ts = time;
+ my $nonce = Digest::HMAC_SHA->hmac_sha1_hex($ts . "", $Sesse::pr0n::Config::db_password);
+ my $stale_nonce_text = "";
+ $stale_nonce_text = ", stale=\"true\"" if ($options{'StaleNonce'} // 0);
+
+ $r->headers_out->{'www-authenticate'} =
+ "Digest realm=\"pr0n.sesse.net\", " .
+ "nonce=\"$nonce\", " .
+ "opaque=\"$ts\", " .
+ "qop=\"auth\"" . $stale_nonce_text; # FIXME: support auth-int
+ }
+
+ $r->print("Need authorization\n");
+}
+
+sub check_basic_auth {
+ my ($r, $auth) = @_;
+
+ my ($raw_user, $pass) = split /:/, MIME::Base64::decode_base64($auth);
+ my ($user, $takenby) = extract_takenby($raw_user);
+
+ my $ref = $dbh->selectrow_hashref('SELECT sha1password,cryptpassword,digest_ha1_hex FROM users WHERE username=? AND vhost=?',
+ undef, $user, $r->get_server_name);
+ my ($sha1_matches, $bcrypt_matches) = (0, 0);
+ if (defined($ref) && defined($ref->{'sha1password'})) {
+ $sha1_matches = (Digest::SHA::sha1_base64($pass) eq $ref->{'sha1password'});
+ }
+ if (defined($ref) && defined($ref->{'cryptpassword'})) {
+ $bcrypt_matches = (Crypt::Eksblowfish::Bcrypt::bcrypt($pass, $ref->{'cryptpassword'}) eq $ref->{'cryptpassword'});
+ }
+
+ if (!defined($ref) || (!$sha1_matches && !$bcrypt_matches)) {
$r->content_type('text/plain; charset=utf-8');
- $r->status(401);
- $r->headers_out->{'www-authenticate'} = 'Basic realm="pr0n.sesse.net"';
- $r->print("Need authorization\n");
+ $r->log->warn("Authentication failed for $user/$takenby");
+ output_401($r);
+ return undef;
+ }
+ $r->log->info("Authentication succeeded for $user/$takenby");
+
+ # Make sure we can use Digest authentication in the future with this password.
+ my $ha1 = Digest::MD5::md5_hex($user . ':pr0n.sesse.net:' . $pass);
+ if (!defined($ref->{'digest_ha1_hex'}) || $ref->{'digest_ha1_hex'} ne $ha1) {
+ $dbh->do('UPDATE users SET digest_ha1_hex=? WHERE username=? AND vhost=?',
+ undef, $ha1, $user, $r->get_server_name)
+ or die "Couldn't update: " . $dbh->errstr;
+ $r->log->info("Updated Digest auth hash for for $user");
+ }
+
+ # Make sure we can use bcrypt authentication in the future with this password.
+ # Also remove old-style SHA1 password when we migrate.
+ if (!$bcrypt_matches) {
+ my $salt = get_pseudorandom_bytes(16); # Doesn't need to be cryptographically secur.
+ my $hash = "\$2a\$07\$" . Crypt::Eksblowfish::Bcrypt::en_base64($salt);
+ my $cryptpassword = Crypt::Eksblowfish::Bcrypt::bcrypt($pass, $hash);
+ $dbh->do('UPDATE users SET sha1password=NULL,cryptpassword=? WHERE username=? AND vhost=?',
+ undef, $cryptpassword, $user, $r->get_server_name)
+ or die "Couldn't update: " . $dbh->errstr;
+ $r->log->info("Updated bcrypt hash for $user");
+ }
+
+ return ($user, $takenby);
+}
+
+sub get_pseudorandom_bytes {
+ my $num_left = shift;
+ my $bytes = "";
+ open my $randfh, "<", "/dev/urandom"
+ or die "/dev/urandom: $!";
+ binmode $randfh;
+ while ($num_left > 0) {
+ my $tmp;
+ if (sysread($randfh, $tmp, $num_left) == -1) {
+ die "sysread(/dev/urandom): $!";
+ }
+ $bytes .= $tmp;
+ $num_left -= length($bytes);
+ }
+ close $randfh;
+ return $bytes;
+}
+
+sub check_digest_auth {
+ my ($r, $auth) = @_;
+
+ # We're a bit more liberal than RFC2069 in the parsing here, allowing
+ # quoted strings everywhere.
+ my %auth = ();
+ while ($auth =~ s/^ ([a-zA-Z]+) # key
+ =
+ (
+ [^",]* # either something that doesn't contain comma or quotes
+ |
+ " ( [^"\\] | \\ . ) * " # or a full quoted string
+ )
+ (?: (?: , \s* ) + | $ ) # delimiter(s), or end of string
+ //x) {
+ my ($key, $value) = ($1, $2);
+ if ($value =~ /^"(.*)"$/) {
+ $value = $1;
+ $value =~ s/\\(.)/$1/g;
+ }
+ $auth{$key} = $value;
+ }
+ unless (exists($auth{'username'}) &&
+ exists($auth{'uri'}) &&
+ exists($auth{'nonce'}) &&
+ exists($auth{'opaque'}) &&
+ exists($auth{'response'})) {
+ output_401($r);
+ return undef;
+ }
+ if ($r->uri ne $auth{'uri'}) {
+ output_401($r);
return undef;
}
- #return qw(sesse Sesse);
+ # Verify that the opaque data does indeed look like a timestamp, and that the nonce
+ # is indeed a signed version of it.
+ if ($auth{'opaque'} !~ /^\d+$/) {
+ output_401($r);
+ return undef;
+ }
+ my $compare_nonce = Digest::HMAC_SHA1->hmac_sha1_hex($auth{'opaque'}, $Sesse::pr0n::Config::db_password);
+ if ($auth{'nonce'} ne $compare_nonce) {
+ output_401($r);
+ return undef;
+ }
+
+ # Now look up the user's HA1 from the database, and calculate HA2.
+ my ($user, $takenby) = extract_takenby($auth{'username'});
+ my $ref = $dbh->selectrow_hashref('SELECT digest_ha1_hex FROM users WHERE username=? AND vhost=?',
+ undef, $user, $r->get_server_name);
+ if (!defined($ref)) {
+ output_401($r);
+ return undef;
+ }
+ if (!defined($ref->{'digest_ha1_hex'}) || $ref->{'digest_ha1_hex'} !~ /^[0-9a-f]{32}$/) {
+ # A user that exists but has empty HA1 is a user that's not
+ # ready for digest auth, so we hack it and resend 401,
+ # only this time without digest auth.
+ output_401($r, DigestAuth => 0);
+ return undef;
+ }
+ my $ha1 = $ref->{'digest_ha1_hex'};
+ my $ha2 = Digest::MD5::md5_hex($r->method . ':' . $auth{'uri'});
+ my $response;
+ if (exists($auth{'qop'}) && $auth{'qop'} eq 'auth') {
+ unless (exists($auth{'nc'}) && exists($auth{'cnonce'})) {
+ output_401($r);
+ return undef;
+ }
+
+ $response = $ha1;
+ $response .= ':' . $auth{'nonce'};
+ $response .= ':' . $auth{'nc'};
+ $response .= ':' . $auth{'cnonce'};
+ $response .= ':' . $auth{'qop'};
+ $response .= ':' . $ha2;
+ } else {
+ $response = $ha1;
+ $response .= ':' . $auth{'nonce'};
+ $response .= ':' . $ha2;
+ }
+ if ($auth{'response'} ne Digest::MD5::md5_hex($response)) {
+ output_401($r);
+ return undef;
+ }
+
+ # OK, everything is good, and there's only one thing we need to check: That the nonce
+ # isn't too old. If it is, but everything else is ok, we tell the browser that and it
+ # will re-encrypt with the new nonce.
+ my $timediff = time - $auth{'opaque'};
+ if ($timediff < 0 || $timediff > 300) {
+ output_401($r, StaleNonce => 1);
+ return undef;
+ }
+
+ return ($user, $takenby);
+}
+
+sub extract_takenby {
+ my ($user) = shift;
- my ($user, $pass) = split /:/, MIME::Base64::decode_base64($1);
# WinXP is stupid :-)
if ($user =~ /^.*\\(.*)$/) {
$user = $1;
} else {
($takenby = $user) =~ s/^([a-zA-Z])/uc($1)/e;
}
-
- my $oldpass = $pass;
- $pass = Digest::SHA1::sha1_base64($pass);
- my $ref = $dbh->selectrow_hashref('SELECT count(*) AS auth FROM users WHERE username=? AND sha1password=? AND vhost=?',
- undef, $user, $pass, $r->get_server_name);
- if ($ref->{'auth'} != 1) {
- $r->content_type('text/plain; charset=utf-8');
- warn "No user exists, only $auth";
- $r->status(401);
- $r->headers_out->{'www-authenticate'} = 'Basic realm="pr0n.sesse.net"';
- $r->print("Authorization failed");
- $r->log->warn("Authentication failed for $user/$takenby");
- return undef;
- }
-
- $r->log->info("Authentication succeeded for $user/$takenby");
return ($user, $takenby);
}
}
# Takes in an image ID and a set of resolutions, and returns (generates if needed)
-# the smallest mipmap larger than the largest of them.
+# the smallest mipmap larger than the largest of them, as well as the original image
+# dimensions.
sub make_mipmap {
my ($r, $filename, $id, $dbwidth, $dbheight, $can_use_qscale, @res) = @_;
my ($img, $mmimg, $width, $height);
if (!defined($img)) {
$img = read_original_image($r, $filename, $id, $dbwidth, $dbheight, $can_use_qscale);
+ $width = $img->Get('columns');
+ $height = $img->Get('rows');
}
- return $img;
+ return ($img, $width, $height);
}
sub read_original_image {
# ImageMagick can handle NEF files, but it does it by calling dcraw as a delegate.
# The delegate support is rather broken and causes very odd stuff to happen when
# more than one thread does this at the same time. Thus, we simply do it ourselves.
- if ($filename =~ /\.nef$/i) {
+ if ($filename =~ /\.(nef|cr2)$/i) {
# this would suffice if ImageMagick gets to fix their handling
# $physical_fname = "NEF:$physical_fname";
# If we use ->[0] unconditionally, text rendering (!) seems to crash
my $img;
- if (ref($magick)) {
+ if (ref($magick) !~ /Image::Magick/) {
$img = $magick;
} else {
$img = (scalar @$magick > 1) ? $magick->[0] : $magick;
}
- my $width = $img->Get('columns');
- my $height = $img->Get('rows');
-
- # Update the SQL database if it doesn't contain the required info
- if (!defined($dbwidth) || !defined($dbheight)) {
- $r->log->info("Updating width/height for $id: $width x $height");
- update_image_info($r, $id, $width, $height);
- }
-
return $img;
}
sub ensure_cached {
my ($r, $filename, $id, $dbwidth, $dbheight, $infobox, $xres, $yres, @otherres) = @_;
+ my ($new_dbwidth, $new_dbheight);
+
my $fname = get_disk_location($r, $id);
if ($infobox ne 'box') {
- unless (defined($xres) && (!defined($dbwidth) || !defined($dbheight) || $xres < $dbheight || $yres < $dbwidth || $xres == -1)) {
+ unless (defined($xres) && (!defined($dbwidth) || !defined($dbheight) || $xres < $dbwidth || $yres < $dbheight || $xres == -1)) {
return ($fname, undef);
}
}
# special-casing it.
if (!defined($dbwidth) || !defined($dbheight)) {
$img = read_original_image($r, $filename, $id, $dbwidth, $dbheight, 0);
- $width = $img->Get('columns');
- $height = $img->Get('rows');
+ $new_dbwidth = $width = $img->Get('columns');
+ $new_dbheight = $height = $img->Get('rows');
@$img = ();
} else {
$img = Image::Magick->new;
$can_use_qscale = 1;
}
- my $img = make_mipmap($r, $filename, $id, $dbwidth, $dbheight, $can_use_qscale, $xres, $yres, @otherres);
+ my $img;
+ ($img, $new_dbwidth, $new_dbheight) = make_mipmap($r, $filename, $id, $dbwidth, $dbheight, $can_use_qscale, $xres, $yres, @otherres);
while (defined($xres) && defined($yres)) {
my ($nxres, $nyres) = (shift @otherres, shift @otherres);
my $height = $img->Get('rows');
my ($nwidth, $nheight) = scale_aspect($width, $height, $xres, $yres);
- # Use lanczos (sharper) for heavy scaling, mitchell (faster) otherwise
- my $filter = 'Mitchell';
- my $quality = 90;
- my $sf = undef;
-
- if ($width / $nwidth > 8.0 || $height / $nheight > 8.0) {
- $filter = 'Lanczos';
- $quality = 85;
- $sf = "1x1";
- }
+ my $filter = 'Lanczos';
+ my $quality = 87;
+ my $sf = "1x1";
if ($xres != -1) {
$cimg->Resize(width=>$nwidth, height=>$nheight, filter=>$filter, 'sampling-factor'=>$sf);
}
}
}
+
+ # Update the SQL database if it doesn't contain the required info
+ if (!defined($dbwidth) && defined($new_dbwidth)) {
+ $r->log->info("Updating width/height for $id: $new_dbwidth x $new_dbheight");
+ update_image_info($r, $id, $new_dbwidth, $new_dbheight);
+ }
+
return ($cachename, 'image/jpeg');
}
# fields"; note the comma separation. Every field has an associated "bold flag"
# in the second part.
- my $shutter_priority = (defined($info->{'ExposureProgram'}) &&
+ my $manual_shutter = (defined($info->{'ExposureProgram'}) &&
$info->{'ExposureProgram'} =~ /shutter\b.*\bpriority/i);
- my $aperture_priority = (defined($info->{'ExposureProgram'}) &&
+ my $manual_aperture = (defined($info->{'ExposureProgram'}) &&
$info->{'ExposureProgram'} =~ /aperture\b.*\bpriority/i);
+ if ($info->{'ExposureProgram'} =~ /manual/i) {
+ $manual_shutter = 1;
+ $manual_aperture = 1;
+ }
my @classic_fields = ();
if (defined($info->{'FocalLength'}) && $info->{'FocalLength'} =~ /^(\d+)(?:\.\d+)?\s*(?:mm)?$/) {
if (defined($info->{'ExposureTime'}) && $info->{'ExposureTime'} =~ /^(\d+)\/(\d+)$/) {
my ($a, $b) = ($1, $2);
my $gcd = gcd($a, $b);
- push @classic_fields, [ $a/$gcd . "/" . $b/$gcd . "s", $shutter_priority ];
- } elsif (defined($info->{'ExposureTime'}) && $info->{'ExposureTime'} =~ /^(\d+(?:\.\d+))$/) {
- push @classic_fields, [ $1 . "s", $shutter_priority ];
+ push @classic_fields, [ $a/$gcd . "/" . $b/$gcd . "s", $manual_shutter ];
+ } elsif (defined($info->{'ExposureTime'}) && $info->{'ExposureTime'} =~ /^(\d+(?:\.\d+)?)$/) {
+ push @classic_fields, [ $1 . "s", $manual_shutter ];
}
if (defined($info->{'FNumber'}) && $info->{'FNumber'} =~ /^(\d+)\/(\d+)$/) {
my $f = $1/$2;
if ($f >= 10) {
- push @classic_fields, [ (sprintf "f/%.0f", $f), $aperture_priority ];
+ push @classic_fields, [ (sprintf "f/%.0f", $f), $manual_aperture ];
} else {
- push @classic_fields, [ (sprintf "f/%.1f", $f), $aperture_priority ];
+ push @classic_fields, [ (sprintf "f/%.1f", $f), $manual_aperture ];
}
} elsif (defined($info->{'FNumber'}) && $info->{'FNumber'} =~ /^(\d+)\.(\d+)$/) {
my $f = $info->{'FNumber'};
if ($f >= 10) {
- push @classic_fields, [ (sprintf "f/%.0f", $f), $aperture_priority ];
+ push @classic_fields, [ (sprintf "f/%.0f", $f), $manual_aperture ];
} else {
- push @classic_fields, [ (sprintf "f/%.1f", $f), $aperture_priority ];
+ push @classic_fields, [ (sprintf "f/%.1f", $f), $manual_aperture ];
}
}
if (defined($info->{'ExposureBiasValue'}) && $info->{'ExposureBiasValue'} ne "0") {
push @classic_fields, [ $info->{'ExposureBiasValue'} . " EV", 0 ];
- } elsif (defined($info->{'ExposureCompensation'}) && $info->{'ExposureCompensation'} != 0) {
+ } elsif (defined($info->{'ExposureCompensation'}) && $info->{'ExposureCompensation'} ne "0") {
push @classic_fields, [ $info->{'ExposureCompensation'} . " EV", 0 ];
}
}
sub add_new_event {
- my ($dbh, $id, $date, $desc, $vhost) = @_;
+ my ($r, $dbh, $id, $date, $desc) = @_;
my @errors = ();
if (!defined($id) || $id =~ /^\s*$/ || $id !~ /^([a-zA-Z0-9-]+)$/) {
return @errors;
}
+ my $vhost = $r->get_server_name;
$dbh->do("INSERT INTO events (event,date,name,vhost) VALUES (?,?,?,?)",
undef, $id, $date, $desc, $vhost)
or return ("Kunne ikke sette inn ny hendelse" . $dbh->errstr);
$dbh->do("INSERT INTO last_picture_cache (vhost,event,last_picture) VALUES (?,?,NULL)",
undef, $vhost, $id)
or return ("Kunne ikke sette inn ny cache-rad" . $dbh->errstr);
+ purge_cache($r, "/");
return ();
}
return $decoded;
}
+# Depending on your front-end cache, you might want to get creative somehow here.
+# This example assumes you have a front-end cache and it can translate an X-Pr0n-Purge
+# regex tacked onto a request into something useful. The elements given in
+# should not be regexes, though, as e.g. Squid will not be able to handle that.
+sub purge_cache {
+ my ($r, @elements) = @_;
+ return if (scalar @elements == 0);
+
+ my @pe = ();
+ for my $elem (@elements) {
+ $r->log->info("Purging $elem");
+ (my $e = $elem) =~ s/[.+*|()]/\\$&/g;
+ push @pe, $e;
+ }
+
+ my $regex = "^";
+ if (scalar @pe == 1) {
+ $regex .= $pe[0];
+ } else {
+ $regex .= "(" . join('|', @pe) . ")";
+ }
+ $regex .= "(\\?.*)?\$";
+ $r->headers_out->{'X-Pr0n-Purge'} = $regex;
+}
+
+# Find a list of all cache URLs for a given image, given what we have on disk.
+sub get_all_cache_urls {
+ my ($r, $dbh, $id) = @_;
+ my $dir = POSIX::floor($id / 256);
+ my @ret = ();
+
+ my $q = $dbh->prepare('SELECT event, filename FROM images WHERE id=?')
+ or die "Couldn't prepare: " . $dbh->errstr;
+ $q->execute($id)
+ or die "Couldn't find event and filename: " . $dbh->errstr;
+ my $ref = $q->fetchrow_hashref;
+ my $event = $ref->{'event'};
+ my $filename = $ref->{'filename'};
+ $q->finish;
+
+ my $base = get_base($r) . "cache/$dir";
+ for my $file (<$base/$id-*>) {
+ my $fname = File::Basename::basename($file);
+ if ($fname =~ /^$id-mipmap-.*\.jpg$/) {
+ # Mipmaps don't have an URL, ignore
+ } elsif ($fname =~ /^$id--1--1\.jpg$/) {
+ push @ret, "/$event/$filename";
+ } elsif ($fname =~ /^$id-(\d+)-(\d+)\.jpg$/) {
+ push @ret, "/$event/$1x$2/$filename";
+ } elsif ($fname =~ /^$id-(\d+)-(\d+)-nobox\.jpg$/) {
+ push @ret, "/$event/$1x$2/nobox/$filename";
+ } elsif ($fname =~ /^$id--1--1-box\.png$/) {
+ push @ret, "/$event/box/$filename";
+ } elsif ($fname =~ /^$id-(\d+)-(\d+)-box\.png$/) {
+ push @ret, "/$event/$1x$2/box/$filename";
+ } else {
+ $r->log->warn("Couldn't find a purging URL for $fname");
+ }
+ }
+
+ return @ret;
+}
+
1;
projects / pr0n / blobdiff