
ctrbts/secure-timthumb

Latest stable version: v3.0.0

Composer install command:

composer require ctrbts/secure-timthumb

Package description

A secure, modern, drop-in replacement for the legacy TimThumb PHP script.

README

A secure, modern rewrite of the timthumb.php script. This project aims to provide a drop-in replacement for legacy systems that still rely on TimThumb, mitigating the critical RCE and file inclusion vulnerabilities present in the original version.

⚠️ WARNING: This library is intended for legacy maintenance. For new projects, you may prefer a modern solution such as Intervention Image or a cloud-based image service.

Key Security Improvements

  • Strict MIME Type Checking: Uses finfo to validate magic bytes. Malicious files renamed to .jpg will be rejected.
  • No Webshots: The vulnerable exec() based website screenshot feature has been removed entirely.
  • External Sites Disabled by Default: Must be explicitly enabled via config.
  • SSRF Protection: cURL is restricted to HTTP/HTTPS protocols only to prevent internal network scanning.
  • Cache Execution Prevention: Automatically generates an .htaccess in the cache directory to prevent PHP execution.
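The checks listed above, written out as standalone PHP functions so the mechanisms are visible in one place. This is an added example and not the package's own code: the function names, the `$config` keys (taken from the README's configuration array) and the fetch URL are assumptions, and it requires PHP 8 with the fileinfo and curl extensions.

```php
<?php
declare(strict_types=1);

// Added example, not ctrbts/secure-timthumb's implementation. Function names and
// config keys are assumptions modelled on the README's configuration array.

const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png',
                      'image/gif' => 'gif', 'image/webp' => 'webp'];

/** Strict MIME check: trust the magic bytes, never the extension. Returns the canonical extension. */
function validateImageBytes(string $bytes): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException("Rejected: detected MIME type '{$mime}' is not an allowed image type");
    }
    // finfo only inspects the leading bytes; confirm the image decoder agrees as well.
    if (@getimagesizefromstring($bytes) === false) {
        throw new RuntimeException('Rejected: payload is not a decodable image');
    }
    return ALLOWED_MIME[$mime];
}

/** Host allow-list with label boundaries, so "notflickr.com" does not match "flickr.com". */
function hostAllowed(string $url, array $allowedSites): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site || str_ends_with($host, '.' . $site)) {
            return true;
        }
    }
    return false;
}

/** Fetch over HTTP/HTTPS only (also for redirects), bounded in size and time. */
function fetchExternal(string $url, array $config): string
{
    if (empty($config['allow_external'])) {
        throw new RuntimeException('External sites are disabled by configuration');
    }
    if (!hostAllowed($url, $config['allowed_sites'] ?? [])) {
        throw new RuntimeException('Host is not in allowed_sites');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, gopher://, ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, // ...and not via a redirect either
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_MAXFILESIZE     => $config['max_file_size'],
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $err !== '') {
        throw new RuntimeException("Fetch failed: {$err}");
    }
    // MAXFILESIZE is only enforced when the server sends Content-Length, so re-check the body.
    if (strlen($body) > $config['max_file_size']) {
        throw new RuntimeException('Remote file exceeds max_file_size');
    }
    return $body;
}

/** Cache execution prevention: write a .htaccess that turns off PHP and denies script requests. */
function protectCacheDir(string $cacheDir): void
{
    $htaccess = $cacheDir . '/.htaccess';
    if (is_file($htaccess)) {
        return;
    }
    $rules = "SetHandler default-handler\n"
           . "<IfModule mod_php.c>\n  php_flag engine off\n</IfModule>\n"
           . "<FilesMatch \"\\.(php|phtml|phar)$\">\n  Require all denied\n</FilesMatch>\n";
    if (file_put_contents($htaccess, $rules, LOCK_EX) === false) {
        throw new RuntimeException("Could not write {$htaccess}");
    }
}

// Usage with the README's example configuration; the URL is a placeholder.
$config = [
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880, // 5MB
];
protectCacheDir(__DIR__ . '/cache');
$bytes = fetchExternal('https://live.staticflickr.com/PLACEHOLDER.jpg', $config);
$ext   = validateImageBytes($bytes);
file_put_contents(__DIR__ . '/cache/' . hash('sha256', $bytes) . '.' . $ext, $bytes);
```

Two caveats a deployer should keep in mind. Restricting cURL to HTTP/HTTPS removes the `file://`, `gopher://` and similar schemes, but by itself it does not stop requests to internal hosts; it is the host allow-list (and resolving only to public addresses, if you need to go further) that limits where the fetch can reach. The `.htaccess` rules only take effect on Apache with `AllowOverride` enabled, so the cache directory should also be kept outside the web root or served by a configuration that never hands cached files to the PHP handler.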

Installation

Option A: Composer (Recommended)

composer require ctrbts/secure-timthumb

Option B: Drop-in Replacement (Manual)

  1. Download TimThumb.php from this repository.
  2. Replace your existing timthumb.php file.
  3. Ensure the cache directory exists and is writable by the web server.

Configuration

You can configure the script by instantiating the class with an array of options (if using as a library) or by editing the default config array at the top of the TimThumb.php file (if using as a standalone script).

// Example Configuration
$config = [
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880, // 5MB
];

Attribution & Transparency

Maintainer: Fernando Merlo
Original Authors: Ben Gillbanks & Mark Maunder

Refactor Note: This codebase was refactored with the assistance of AI tools to analyze historical security flaws and implement modern PHP security standards (PSR, Strict Types, Exception Handling).

Disclaimer: This software is provided "as is", without warranty of any kind. Use at your own risk.

Statistics

  • Total downloads: 2
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Views: 0
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Last updated: 2025-11-29